Openwall GNU/*/Linux Information for VU#911505
pam_xauth may insecurely forward "X MIT-Magic-Cookies" to new sessions
- Date Notified: 04 May 2003
- Statement Date:
- Date Updated: 07 May 2003
"While we do include pam_xauth in Openwall GNU/*/Linux, it is not used in the default configuration.
However, su(1) is fundamentally flawed and can't be safely used to access other accounts because of attacks based on access to the terminal and, except when accessing an obviously less privileged account, attacks on the invocation of su. About the only safe use left for su is by scripts running as root and without a terminal."
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.