aru Posted December 19, 2003

MandrakeSoft Security Advisory MDKSA-2003:118 : XFree86
December 19th, 2003

Updated XFree86 packages fix xdm vulnerability

A vulnerability was discovered in the XDM display manager that ships with XFree86. XDM does not check for successful completion of the pam_setcred() call and in the case of error conditions in the installed PAM modules, XDM may grant local root access to any user with valid login credentials.

It has been reported that a certain configuration of the MIT pam_krb5 module can result in a failing pam_setcred() call which leaves the session alive and would provide root access to any regular user. It is also possible that this vulnerability can likewise be exploited with other PAM modules in a similar manner.

A backported patch from XFree86 4.3 that corrects this vulnerability has been applied to these updated packages.

The released versions of Mandrake GNU/Linux affected are: 9.0, 9.1, 9.2, 9.2/AMD64, Corporate Server 2.1

Full information about this advisory, including the updated packages, is available at: www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:118

Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0690

Posted automatically by aru (mdksec2mub v0.0.7)
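
The unchecked-return pattern the advisory describes, as an added example that is not part of the original post and is not XFree86 or PAM source. It is a self-contained C model in which every demo_* name and value is constructed for illustration; it contrasts discarding the credential step's result with failing closed.

```c
/* Added illustration: a self-contained model of the login flow, not XFree86
 * or Linux-PAM source. All demo_* names and values are constructed here. */
#include <stdio.h>

enum { DEMO_OK = 0, DEMO_CRED_ERR = 1 };

/* State of the modelled PAM stack: cred_module_broken makes the credential
 * step fail, as an error condition in an installed module would. */
struct demo_pam { int cred_module_broken; int creds_set; int ended; };

static int demo_authenticate(struct demo_pam *p) { (void)p; return DEMO_OK; }

/* Stand-in for pam_setcred(): reports failure only through its return value. */
static int demo_setcred(struct demo_pam *p) {
    if (p->cred_module_broken) return DEMO_CRED_ERR;
    p->creds_set = 1;
    return DEMO_OK;
}

static void demo_end(struct demo_pam *p) { p->ended = 1; }

/* Fail-open: the result of the credential step is discarded, so the
 * session starts whether or not credentials were established. */
int login_unchecked(struct demo_pam *p) {
    if (demo_authenticate(p) != DEMO_OK) { demo_end(p); return 0; }
    (void)demo_setcred(p);            /* return value ignored */
    return 1;                         /* session started */
}

/* Fail-closed: any non-success result ends the transaction and
 * refuses the session. */
int login_checked(struct demo_pam *p) {
    if (demo_authenticate(p) != DEMO_OK) { demo_end(p); return 0; }
    if (demo_setcred(p) != DEMO_OK)      { demo_end(p); return 0; }
    return 1;
}

int main(void) {
    struct demo_pam a = {1, 0, 0}, b = {1, 0, 0}, c = {0, 0, 0};
    printf("broken, unchecked: session=%d creds_set=%d\n", login_unchecked(&a), a.creds_set);
    printf("broken, checked:   session=%d ended=%d\n", login_checked(&b), b.ended);
    printf("healthy, checked:  session=%d creds_set=%d\n", login_checked(&c), c.creds_set);
    return 0;
}
```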

Ixthusdan Posted December 19, 2003

Be careful with this update! http://www.MandrakeUsers.org/index.php?sho...howtopic=10309#

Follow-up note: this update issue has been corrected.