Candidate: CVE-2018-9275
PublicDate: 2018-04-04 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9275
 https://bugzilla.opensuse.org/show_bug.cgi?id=1088027
 https://github.com/Yubico/yubico-pam/issues/136
 https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba
Description:
 In check_user_token in util.c in the Yubico PAM module (aka pam_yubico)
 2.18 through 2.25, successful logins can leak file descriptors to the auth
 mapping file, which can lead to information disclosure (serial number of a
 device) and/or DoS (reaching the maximum number of file descriptors).
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H [8.2 HIGH]


Patches_yubico-pam:
upstream_yubico-pam: needs-triage
precise/esm_yubico-pam: DNE
trusty_yubico-pam: ignored (reached end-of-life)
trusty/esm_yubico-pam: DNE (trusty was needs-triage)
xenial_yubico-pam: ignored (end of standard support, was needs-triage)
artful_yubico-pam: ignored (reached end-of-life)
bionic_yubico-pam: needs-triage
cosmic_yubico-pam: ignored (reached end-of-life)
disco_yubico-pam: not-affected (2.26-1)
eoan_yubico-pam: not-affected (2.26-1)
focal_yubico-pam: not-affected (2.26-1)
groovy_yubico-pam: not-affected (2.26-1)
hirsute_yubico-pam: not-affected (2.26-1)
impish_yubico-pam: not-affected (2.26-1)
jammy_yubico-pam: not-affected (2.26-1)
devel_yubico-pam: not-affected (2.26-1)