Bug 487216 (CVE-2009-0579) - CVE-2009-0579 pam: MINDAYS not respected by pam for password changing
Summary: CVE-2009-0579 pam: MINDAYS not respected by pam for password changing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0579
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 487217 487218 487219
Blocks:
Reported: 2009-02-24 20:37 UTC by Vincent Danen
Modified: 2021-02-25 13:32 UTC
2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-05 15:42:11 UTC
Embargoed:



Description Vincent Danen 2009-02-24 20:37:09 UTC
An issue dealing with password changes, with respect to the MINDAYS field in /etc/shadow was reported on the Debian BTS (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437) that affects all versions of PAM 1.x.  Because of this, if an administrative user sets the password minimum days via chage or passwd, /etc/shadow is updated correctly, but PAM allows the user to change their password with no regard for the MINDAYS setting, effectively allowing them to re-use old passwords immediately and disregard any established password policies that should be enforced.

This is due to the fact that no minimum age password checks are done by PAM in 1.x; in the old versions it was done in _unix_verify_shadow() by checking the value of sp_min.  In newer PAM this check is no longer there.
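The missing check described above is easy to state in code. The following is an added example written for this page; it is not Linux-PAM code, not the Debian patch, and not part of the original report. It parses the ageing fields of a shadow(5) line (the semantics assumed are the ones documented in shadow(5): sp_lstchg is the day number of the last change, sp_min the number of days that must pass before the password may be changed again) and applies the sp_min test that the report says _unix_verify_shadow() used to perform. Treating an unset or zero sp_lstchg as "change allowed" is an assumption of this example, and the shadow lines in main() are constructed, not real accounts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Linux-PAM code. Only the two shadow(5) ageing fields
   relevant to the minimum-age check are kept; -1 means "field not set". */
struct shadow_age {
    long lstchg; /* days since 1970-01-01 of the last password change */
    long min;    /* days that must elapse before another change is allowed */
};

/* Parse one numeric shadow field of the given length. An empty field is
   legal and maps to -1; non-numeric content is a parse error (-1 returned). */
static int parse_days(const char *s, size_t len, long *out)
{
    char buf[32];
    char *end;
    if (len == 0) { *out = -1; return 0; }
    if (len >= sizeof buf) return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    *out = strtol(buf, &end, 10);
    return (*end == '\0') ? 0 : -1;
}

/* Extract lastchange (field 3) and min (field 4) from a shadow line
   "name:hash:lastchange:min:max:warn:inactive:expire:flag".
   Fields are split by hand because strtok() would collapse empty fields.
   Returns 0 on success, -1 if the line has fewer than four fields or a
   non-numeric ageing value. */
int parse_shadow_age(const char *line, struct shadow_age *out)
{
    const char *p = line;
    const char *fields[4];
    size_t lens[4];
    int i;

    for (i = 0; i < 4; i++) {
        const char *colon = strchr(p, ':');
        fields[i] = p;
        if (colon == NULL) {
            if (i < 3) return -1;      /* fewer than four fields */
            lens[i] = strlen(p);
            break;
        }
        lens[i] = (size_t)(colon - p);
        p = colon + 1;
    }
    if (parse_days(fields[2], lens[2], &out->lstchg) != 0) return -1;
    if (parse_days(fields[3], lens[3], &out->min) != 0) return -1;
    return 0;
}

/* The sp_min test the report describes as missing in PAM 1.x.
   today is the current day number (time(NULL) / 86400 in real use).
   Returns 1 if a password change is allowed today, 0 if the password is
   still younger than sp_min days. */
int min_age_allows_change(const struct shadow_age *age, long today)
{
    if (age->min <= 0) return 1;    /* no minimum age configured */
    if (age->lstchg <= 0) return 1; /* unset or forced change: assumption of this example */
    return today >= age->lstchg + age->min;
}

/* Convenience wrapper over a raw shadow line: -1 parse error, 0 change
   denied by minimum age, 1 change allowed. */
int shadow_line_allows_change(const char *line, long today)
{
    struct shadow_age age;
    if (parse_shadow_age(line, &age) != 0) return -1;
    return min_age_allows_change(&age, today);
}

int main(void)
{
    /* Constructed sample lines; the hashes are placeholders, not real. */
    const char *lines[] = {
        "alice:$6$placeholder:14000:7:90:7:::", /* min 7 days, changed on day 14000 */
        "bob:$6$placeholder:14000:0:99999:7:::", /* no minimum age */
        "carol:!!:::::::",                        /* locked, ageing fields unset */
    };
    long today = 14003; /* 3 days after alice's last change */
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%s -> %d\n", lines[i], shadow_line_allows_change(lines[i], today));
    return 0;
}
```

With the check in place, alice's request on day 14003 is refused (only 3 of the required 7 days have passed) while bob and carol are allowed; without it, as the report describes, every request is allowed regardless of the MINDAYS value stored in /etc/shadow.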

Comment 1 Vincent Danen 2009-02-24 20:37:38 UTC
Created pam tracking bugs for this issue

Affects: F10 [bug #487217]
Affects: F9 [bug #487218]
Affects: Fdevel [bug #487219]

Comment 2 Fedora Update System 2009-03-26 10:46:15 UTC
pam-1.0.4-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam-1.0.4-3.fc9

Comment 3 Fedora Update System 2009-03-30 16:43:57 UTC
pam-1.0.4-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc9

Comment 4 Fedora Update System 2009-03-30 16:45:06 UTC
pam-1.0.4-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc10

Comment 5 Fedora Update System 2009-04-14 15:52:54 UTC
pam-1.0.4-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-04-14 15:58:36 UTC
pam-1.0.4-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Vincent Danen 2013-04-05 15:42:11 UTC
Statement:

Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.

