Arch Linux Security Advisory ASA-202012-13
==========================================

Severity: High
Date    : 2020-12-09
CVE-ID  : CVE-2020-27780
Package : pam
Type    : authentication bypass
Remote  : No
Link    : https://security.archlinux.org/AVG-1297

Summary
=======

The package pam before version 1.5.0-2 is vulnerable to authentication
bypass.

Resolution
==========

Upgrade to 1.5.0-2.

# pacman -Syu "pam>=1.5.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

The issue can be mitigated by setting a non-empty password for the root
user.

Description
===========

An authentication bypass issue was found in pam 1.5.0. Nonexistent
users could authenticate if the root password was empty.

Impact
======

In some unusual configurations, a remote user might be able to bypass
authentication.

References
==========

https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5
https://github.com/linux-pam/linux-pam/pull/300
https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
https://security.archlinux.org/CVE-2020-27780