1 Errata 2014 06 02
Dag-Erling Smørgrav edited this page 2021-10-20 23:28:58 +02:00

Errata: Policy loading

Date:: 2014-06-02

Affects:: Nummularia and Micrampelis

References:: http://www.freebsd.org/security/advisories/FreeBSD-SA-14:13.pam.asc, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3879

Description:: When loading a module or processing an include directive, an {{{ENOENT}}} (file not found) error would incorrectly be propagated up the call stack and be interpreted as a missing policy, which is a soft error, rather than an invalid policy, which is a hard error. Depending on the circumstances, this could result in a fail-open scenario.

Workaround:: Verify the spelling of all policies. When updating third-party modules (which will result in a brief window during which the module is missing), shut down affected services.

Fix:: Apply r795.
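
The error-classification problem from the Description, as an added sketch; it is not OpenPAM code and not the r795 change. The names `store`, `load`, `classify` and `pam_vendor.so`, and the choice of `EINVAL` as the hard-error code, are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: each entry is a policy or module that exists,
 * with the names it includes or loads. "pam_vendor.so" is deliberately
 * absent, as during a third-party module update. */
struct entry { const char *name; const char *refs[3]; };
static const struct entry store[] = {
    { "sshd",        { "system", "pam_vendor.so", NULL } },
    { "system",      { "pam_unix.so", NULL } },
    { "pam_unix.so", { NULL } },
};

enum result { POLICY_OK, POLICY_MISSING /* soft */, POLICY_INVALID /* hard */ };

/* Returns 0, or -1 with errno set. nested is nonzero for includes/modules. */
static int load(const char *name, int nested, int translate)
{
    const struct entry *e = NULL;
    for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++)
        if (strcmp(store[i].name, name) == 0)
            e = &store[i];
    if (e == NULL) {
        /* Only a missing top-level policy may surface as ENOENT. */
        errno = (nested && translate) ? EINVAL : ENOENT;
        return -1;
    }
    for (int i = 0; e->refs[i] != NULL; i++)
        if (load(e->refs[i], 1, translate) != 0)
            return -1;   /* errno from the nested load is passed up */
    return 0;
}

/* Top-level caller: maps errno to the soft or hard error category. */
static enum result classify(const char *service, int translate)
{
    if (load(service, 0, translate) == 0)
        return POLICY_OK;
    return errno == ENOENT ? POLICY_MISSING : POLICY_INVALID;
}

int main(void)
{
    printf("sshd, ENOENT propagated: %d\n", classify("sshd", 0));
    printf("sshd, ENOENT translated: %d\n", classify("sshd", 1));
    printf("ftpd (no policy at all): %d\n", classify("ftpd", 1));
    return 0;
}
```

With `translate` set to 0 the existing `sshd` policy with a missing module is indistinguishable from a service that has no policy at all; with it set to 1 the caller can refuse the broken policy outright.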