shadow-4.0.5 has fixed a security bug in libmisc/pwdcheck.c which allows unauthorized account property modification. Affected tools: chfn and chsh. As I see it, the patch can be easily backported.
I don't have access to RHEL, but RHEL could probably be using an affected version.
Note that the scope of this issue is for a user who is logged in but has an expired password to alter his account information with chfn or chsh without having to change the password. RHEL uses chfn/chsh from util-linux and not from shadow-utils and is unaffected by this issue.