Subject: [ASA-202012-13] pam: authentication bypass Arch Linux Security Advisory ASA-202012-13 ========================================== Severity: High Date : 2020-12-09 CVE-ID : CVE-2020-27780 Package : pam Type : authentication bypass Remote : No Link : https://security.archlinux.org/AVG-1297 Summary ======= The package pam before version 1.5.0-2 is vulnerable to authentication bypass. Resolution ========== Upgrade to 1.5.0-2. # pacman -Syu "pam>=1.5.0-2" The problem has been fixed upstream but no release is available yet. Workaround ========== The issue can be mitigated by setting a non-empty password for the root user. Description =========== An authentication bypass issue was found in pam 1.5.0. Nonexistent users could authenticate if the root password was empty. Impact ====== In some unusual configurations, a remote user might be able to bypass authentication. References ========== https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5 https://github.com/linux-pam/linux-pam/pull/300 https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb https://security.archlinux.org/CVE-2020-27780