Bugzilla – Bug 1179166
VUL-0: CVE-2020-27780: pam: bypass of password base authentication if user does not exist and root password is blank
Last modified: 2020-11-27 10:10:06 UTC
This seems to allow bypass of authentication.
(Not fully clear on the circumstances that allow this.)
This only affects PAM 1.5.0; older versions are not affected.
(In reply to Marcus Meissner from comment #0)
> (Not fully clear on the circumstances that allow this.)
Only if root has no password and if you allow root to log in with no password (so the nullok option is used).
None of this should be used anywhere or be the default.
I updated the package to version 1.5.1
This is an autogenerated message for OBS integration:
This bug (1179166) was mentioned in
https://build.opensuse.org/request/show/851278 Factory / pam
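A check for the preconditions named in the comments above (PAM 1.5.0, `nullok` on `pam_unix` in the auth stack, a blank root password), as an added example that is not part of the original bug report. The sample PAM and shadow contents and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_PAM = """\
# /etc/pam.d/common-auth (constructed)
auth  required  pam_env.so
auth  [success=1 default=ignore]  pam_unix.so \\
      nullok try_first_pass
-auth optional  pam_gnome_keyring.so
account required pam_unix.so nullok
"""
SAMPLE_SHADOW = ("root::18590:0:99999:7:::\n"
                 "alice:$6$constructed$hash:18590:0:99999:7:::\n")

def pam_rules(text):
    """Yield (type, module, args) for each rule in a pam.d-style file."""
    text = re.sub(r"\\\n", " ", text)          # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # type, control (plain word or [bracketed list]), module, arguments
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1).lower(), m.group(3), m.group(4).split()

def nullok_auth_rules(text):
    """Return auth rules where pam_unix accepts empty passwords (nullok)."""
    return [(mod, args) for typ, mod, args in pam_rules(text)
            if typ == "auth" and mod.endswith("pam_unix.so") and "nullok" in args]

def blank_password(shadow_text, user="root"):
    """True if the user's shadow password field is empty."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1] == ""
    return False

def exposed(pam_version, pam_text, shadow_text):
    """All three conditions from the bug comments hold at once."""
    return (pam_version == "1.5.0"
            and bool(nullok_auth_rules(pam_text))
            and blank_password(shadow_text))

if __name__ == "__main__":
    print(exposed("1.5.0", SAMPLE_PAM, SAMPLE_SHADOW))
```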