New Linux udisks flaw lets attackers get root on major Linux distros

Does this also apply to IPFire?

As far as I can see this does not apply to IPFire.

IPFire does not have udisks so that CVE is not applicable.

IPFire does have the PAM system installed, and the pam_access.so library is installed, but we don’t define a configuration file for it, and this is needed for the CVE to be applicable.

However, as there is an updated PAM package available with a fix for that CVE, we will update to it.

Also note that both CVEs are aimed at non-root attackers on a system being able to increase their privileges to root level.
As standard, the only access to the IPFire console is via root, so access to this should be very heavily limited to the IPFire admin and a backup if appropriate.

6 Likes
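A way to run the same two checks from the reply above on any Linux host, as an added example that is not part of the original thread or IPFire's own tooling. The file locations (`/etc/pam.d`, `/etc/security/access.conf`, the `udisksd` and `udisksctl` paths) are the usual defaults and are assumptions here, as are the function names.

```shell
#!/bin/sh
# Added example: reports whether udisks is installed and whether pam_access
# is wired into the PAM stack or has rules. Paths are common defaults (assumed).

# Succeeds if a udisks daemon or client binary exists under root prefix $1.
udisks_present() {
    r=${1:-}
    for p in "$r/usr/libexec/udisks2/udisksd" "$r/usr/lib/udisks2/udisksd" \
             "$r/usr/bin/udisksctl"; do
        [ -x "$p" ] && return 0
    done
    return 1
}

# Prints each PAM service file in $1 with an active (uncommented) pam_access.so line.
pam_access_refs() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed 's/#.*//' "$f" | grep -q 'pam_access\.so' && printf '%s\n' "$f"
    done
    return 0
}

# Prints the number of active "+:" / "-:" rules in the access.conf given as $1.
access_rule_count() {
    conf=${1:-/etc/security/access.conf}
    [ -f "$conf" ] || { echo 0; return 0; }
    sed 's/#.*//' "$conf" | grep -cE '^[[:space:]]*[+-][[:space:]]*:' || true
}

# Summarises both checks for the system rooted at $1 (empty means the live system).
report() {
    root=${1:-}
    if udisks_present "$root"; then
        echo "udisks: installed"
    else
        echo "udisks: not installed"
    fi
    refs=$(pam_access_refs "$root/etc/pam.d")
    echo "PAM services loading pam_access.so: ${refs:-none}"
    echo "active access.conf rules: $(access_rule_count "$root/etc/security/access.conf")"
}

report "${1:-}"
```

Passing a directory as the first argument runs the report against a mounted image or chroot instead of the live system.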

Correct. We don’t have udisks in IPFire.

2 Likes

Since udisks is a desktop environment module of dbus which shouldn’t be installed because IPFire is not a desktop environment, it wouldn’t apply.

I’ll close this to avoid confusion, because - as Adolf said - this doesn’t apply to IPFire.