Summary: CVE-2009-0579 pam: MINDAYS not respected by pam for password changing
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Doc Type: Bug Fix
Last Closed: 2013-04-05 15:42:11 UTC
Bug Depends On: 487217, 487218, 487219
Description Vincent Danen 2009-02-24 20:37:09 UTC
An issue dealing with password changes, with respect to the MINDAYS field in /etc/shadow, was reported on the Debian BTS (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437) that affects all versions of PAM 1.x. Because of this, if an administrative user sets the password minimum days via chage or passwd, /etc/shadow is updated correctly, but PAM allows the user to change their password with no regard for the MINDAYS setting, effectively allowing them to re-use old passwords immediately and disregard any established password policies that should be enforced. This is due to the fact that no minimum age password checks are done by PAM in 1.x; in the old versions it was done in _unix_verify_shadow() by checking the value of sp_min. In newer PAM this check is no longer there.
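The following is an added illustration, not Linux-PAM's own code and not the fix that shipped in pam-1.0.4: it re-creates the kind of minimum-age check the description says was dropped from _unix_verify_shadow(), running against constructed /etc/shadow lines rather than the real file. It assumes the day arithmetic of shadow(5) (fields 3 and 4 are days since 1970-01-01 and a minimum number of days), treats an empty or zero sp_min as "no minimum age", and treats an sp_lstchg of 0 (change forced at next login) as allowed; the function names parse_shadow_age and mindays_check are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Aging fields of one /etc/shadow line: field 3 (sp_lstchg) and field 4 (sp_min).
 * An empty field is stored as -1, matching what getspnam(3) returns in struct spwd. */
struct shadow_age {
    long lstchg; /* days since the epoch of the last password change */
    long min;    /* minimum days that must elapse before the next change */
};

/* Parse fields 3 and 4 out of a shadow line. Fields are split on ':' by hand
 * because strtok() would collapse the empty fields that shadow(5) allows.
 * Returns 0 on success, -1 if the line has fewer than four fields or a
 * non-numeric value in a numeric field. */
static int parse_shadow_age(const char *line, struct shadow_age *out)
{
    const char *p = line;
    long vals[2] = { -1, -1 };

    for (int field = 0; field < 4; field++) {
        const char *end = strchr(p, ':');
        const char *fend = end ? end : p + strlen(p);

        if (field >= 2 && fend != p) {          /* numeric field, non-empty */
            char *stop;
            long v = strtol(p, &stop, 10);
            if (stop != fend)                   /* trailing junk or no digits */
                return -1;
            vals[field - 2] = v;
        }
        if (field < 3) {
            if (!end)                           /* line ended before field 4 */
                return -1;
            p = end + 1;
        }
    }
    out->lstchg = vals[0];
    out->min = vals[1];
    return 0;
}

enum mindays_result {
    MINDAYS_BAD_INPUT = -1, /* malformed shadow line */
    MINDAYS_ALLOW = 0,      /* password change may proceed */
    MINDAYS_TOO_SOON = 1    /* fewer than sp_min days since the last change */
};

/* The minimum-age check: refuse the change while today < sp_lstchg + sp_min.
 * 'today' is expressed in days since the epoch, as the shadow fields are,
 * so callers can pass a fixed value for testing instead of the clock. */
enum mindays_result mindays_check(const char *shadow_line, long today)
{
    struct shadow_age a;

    if (parse_shadow_age(shadow_line, &a) != 0)
        return MINDAYS_BAD_INPUT;
    if (a.min <= 0)          /* empty or 0: no minimum age configured */
        return MINDAYS_ALLOW;
    if (a.lstchg <= 0)       /* empty: aging disabled; 0: change is being forced */
        return MINDAYS_ALLOW;
    if (today < a.lstchg + a.min)
        return MINDAYS_TOO_SOON;
    return MINDAYS_ALLOW;
}

/* Current day number in the same units as sp_lstchg. */
long days_since_epoch(void)
{
    return (long)(time(NULL) / (24L * 60L * 60L));
}

int main(void)
{
    /* Constructed sample lines; hashes are placeholders, not real credentials. */
    const char *alice = "alice:$6$salt$hash:14300:7:90:7:::"; /* changed day 14300, MINDAYS 7 */
    const char *bob   = "bob:$6$x:14300::90:::";              /* no minimum age */
    const char *carol = "carol:!:0:7:::::";                   /* change forced at next login */

    printf("alice, 3 days later: %d (1 = too soon)\n", mindays_check(alice, 14303));
    printf("alice, 7 days later: %d (0 = allowed)\n", mindays_check(alice, 14307));
    printf("bob:   %d (0 = allowed, no MINDAYS)\n", mindays_check(bob, 14301));
    printf("carol: %d (0 = allowed, forced change)\n", mindays_check(carol, 1));
    printf("today is day %ld\n", days_since_epoch());
    return 0;
}
```

Without a check of this shape, the module accepts the new password as soon as the user can authenticate, which is exactly the behaviour the report describes: chage -m writes sp_min correctly, but nothing on the PAM side reads it back at change time.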
Comment 1 Vincent Danen 2009-02-24 20:37:38 UTC
Created pam tracking bugs for this issue
Affects: F10 [bug #487217]
Affects: F9 [bug #487218]
Affects: Fdevel [bug #487219]
Comment 2 Fedora Update System 2009-03-26 10:46:15 UTC
pam-1.0.4-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-3.fc9
Comment 3 Fedora Update System 2009-03-30 16:43:57 UTC
pam-1.0.4-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc9
Comment 4 Fedora Update System 2009-03-30 16:45:06 UTC
pam-1.0.4-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc10
Comment 5 Fedora Update System 2009-04-14 15:52:54 UTC
pam-1.0.4-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-04-14 15:58:36 UTC
pam-1.0.4-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2013-04-05 15:42:11 UTC
Statement: Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.