SB2025112029 - Anolis OS update for pam
Published: November 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Improper authentication (CVE-ID: CVE-2024-10963)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in pam_access module where certain rules in its configuration file are mistakenly treated as hostnames. A remote attacker can bypass authentication process and gain unauthorized access to the system.
2) Resource exhaustion (CVE-ID: CVE-2024-22365)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in pam_namespace. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Improper access control (CVE-ID: CVE-2025-6020)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions within the pam_namespace module when handling user-controlled paths. A local user can use specially crafted symlinks and race conditions to execute arbitrary code as root.
Remediation
Install update from vendor's website.