Amazon Linux 1 Security Advisory: ALAS-2013-160
Advisory Release Date: 2013-03-02 16:48 Pacific
Advisory Updated Date: 2014-09-15 22:33 Pacific
Severity:
Medium
References:
CVE-2011-3148
CVE-2011-3149
RHSA-2013-0521
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' "~/.pam_environment" files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges. (CVE-2011-3148)
A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop. (CVE-2011-3149)
Affected Packages:
pam
Issue Correction:
Run yum update pam to update your system.
New Packages:
i686:
pam-debuginfo-1.1.1-13.20.amzn1.i686
pam-1.1.1-13.20.amzn1.i686
pam-devel-1.1.1-13.20.amzn1.i686
src:
pam-1.1.1-13.20.amzn1.src
x86_64:
pam-1.1.1-13.20.amzn1.x86_64
pam-debuginfo-1.1.1-13.20.amzn1.x86_64
pam-devel-1.1.1-13.20.amzn1.x86_64