CVE-2016-4422

NameCVE-2016-4422
DescriptionThe pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3567-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpam-sshauth (PTS)jessie (security), jessie0.3.1-1+deb8u1fixed
buster, sid, stretch0.4.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpam-sshauthsource(unstable)0.4.1-2high
libpam-sshauthsourcejessie0.3.1-1+deb8u1highDSA-3567-1

Notes

Introduced in: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/93/src/pam_sshauth.c
Fixed in: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/114
http://www.openwall.com/lists/oss-security/2016/05/01/2

Search for package or bug name: Reporting problems