Message-ID: <e1102843b0b747b280263742cc635391@intl.att.com>
Date: Mon, 8 Jun 2020 08:59:02 +0000
From: "Gollub, Daniel" <daniel.gollub@...l.att.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2020-13881: pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if configured with debug parameter
References: CVE-2020-13881, pam_tacplus#149

The TACACS+ shared secret gets logged (syslog) by the PAM tacplus [1] if the PAM module is configured with the debug parameter. The secrets get logged at DEBUG loglevel.

pam_tacplus 1.5.3 avoids the logging of the secret via upstream commit 4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 [2].

The original README of pam_tacplus held a configuration example with the debug parameter set, which might have resulted in some setups running in debug mode, based on the example configuration.

This issue got reported by Adarsh Pandey from Arista Networks [3].

[1] https://github.com/kravietz/pam_tacplus/
[2] https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0
[3] https://github.com/kravietz/pam_tacplus/issues/149

Thanks
Daniel
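As an added example (not part of the advisory above or of the pam_tacplus project), a small audit that scans a PAM stack for pam_tacplus rules carrying the `debug` flag named in the advisory and shows the same rule with the flag removed. The sample configuration is constructed; its server and secret values are placeholders and the argument names are assumed to follow pam_tacplus's documented syntax.

```python
import re
from typing import List, Tuple

# Matches one PAM rule: type, control (single word or [bracketed]), module path, arguments.
PAM_RULE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?P<args>.*)$"
)


def find_tacplus_debug(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each pam_tacplus rule carrying the debug flag.

    With pam_tacplus 1.3.8 through 1.5.1 (CVE-2020-13881) that flag makes the
    module log the TACACS+ shared secret to syslog at DEBUG level.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PAM_RULE.match(line)
        if not m or not m.group("module").endswith("pam_tacplus.so"):
            continue
        if "debug" in m.group("args").split():
            hits.append((lineno, line))
    return hits


def strip_debug(line: str) -> str:
    """Rewrite a pam_tacplus rule without the debug flag; all other arguments are kept."""
    m = PAM_RULE.match(line)
    if not m:
        return line
    args = [a for a in m.group("args").split() if a != "debug"]
    return " ".join([m.group("type"), m.group("control"), m.group("module"), *args])


# Constructed sample PAM stack (assumption: pam_tacplus-style server=/secret= arguments).
SAMPLE_CONFIG = """\
# constructed sample of /etc/pam.d/sshd
auth    required   pam_env.so
auth    sufficient pam_tacplus.so server=192.0.2.10 secret=PLACEHOLDER_SECRET debug
auth    [success=1 default=ignore] pam_tacplus.so server=192.0.2.11 secret=PLACEHOLDER_SECRET
account sufficient pam_tacplus.so debug service=ppp protocol=lcp
"""

if __name__ == "__main__":
    for lineno, line in find_tacplus_debug(SAMPLE_CONFIG):
        print(f"line {lineno}: debug flag on pam_tacplus -> {strip_debug(line)}")
```

Run it against the real files under /etc/pam.d to list every rule that would trigger the secret logging on an affected version; upgrading to 1.5.3 removes the leak regardless of the flag.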