Bug 487216 - (CVE-2009-0579) CVE-2009-0579 pam: MINDAYS not respected by pam for password changing
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,source=debian,reported=200...
Keywords: Security
Depends On: 487217 487218 487219
Reported: 2009-02-24 15:37 EST by Vincent Danen
Modified: 2013-04-05 11:42 EDT (History)
CC List: 2 users
Doc Type: Bug Fix
Last Closed: 2013-04-05 11:42:11 EDT
Description Vincent Danen 2009-02-24 15:37:09 EST
An issue dealing with password changes, with respect to the MINDAYS field in /etc/shadow was reported on the Debian BTS (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437) that affects all versions of PAM 1.x.  Because of this, if an administrative user sets the password minimum days via chage or passwd, /etc/shadow is updated correctly, but PAM allows the user to change their password with no regard for the MINDAYS setting, effectively allowing them to re-use old passwords immediately and disregard any established password policies that should be enforced.

This is due to the fact that no minimum age password checks are done by PAM in 1.x; in the old versions it was done in _unix_verify_shadow() by checking the value of sp_min.  In newer PAM this check is no longer there.
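The missing check described above, written out as an added example (this is illustrative code, not the pam_unix source or the Fedora fix): given the sp_lstchg and sp_min fields of a shadow entry and today's date in days since the epoch, decide whether a non-root password change is still blocked by MINDAYS. The special values follow shadow(5): sp_min of 0 or less means no minimum age, sp_lstchg of 0 means a change is forced at next login, and a negative sp_lstchg means the field is unset. The sample entry and the function names are constructed for the example.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

/* /etc/shadow stores ages in days since the Unix epoch, so convert a time_t the same way. */
long days_since_epoch(time_t now)
{
    return (long)(now / (24L * 60 * 60));
}

/* Return 1 if the minimum password age permits a change today, 0 if MINDAYS blocks it.
 * This is the check a password-changing module must perform before accepting a new
 * token for a non-root user; without it the MINDAYS policy is only cosmetic. */
int min_age_allows_change(long lstchg, long min, long today)
{
    if (min <= 0)    return 1;   /* no minimum age configured (empty field or 0)     */
    if (lstchg == 0) return 1;   /* password change is forced at next login           */
    if (lstchg < 0)  return 1;   /* last-change date unset: age cannot be computed    */
    return (today - lstchg) >= min;   /* blocked while fewer than sp_min days elapsed */
}

/* Same check on a struct spwd as returned by getspnam(3). */
int min_age_allows_change_sp(const struct spwd *sp, long today)
{
    return min_age_allows_change(sp->sp_lstchg, sp->sp_min, today);
}

int main(void)
{
    /* Constructed sample entry (not a real account): password set 3 days ago, MINDAYS = 7. */
    long today = days_since_epoch(time(NULL));
    struct spwd sample = {0};
    sample.sp_lstchg = today - 3;
    sample.sp_min = 7;

    printf("change allowed today: %s\n",
           min_age_allows_change_sp(&sample, today) ? "yes" : "no (MINDAYS not yet elapsed)");
    return 0;
}
```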
Comment 1 Vincent Danen 2009-02-24 15:37:38 EST
Created pam tracking bugs for this issue

Affects: F10 [bug #487217]
Affects: F9 [bug #487218]
Affects: Fdevel [bug #487219]
Comment 2 Fedora Update System 2009-03-26 06:46:15 EDT
pam-1.0.4-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam-1.0.4-3.fc9
Comment 3 Fedora Update System 2009-03-30 12:43:57 EDT
pam-1.0.4-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc9
Comment 4 Fedora Update System 2009-03-30 12:45:06 EDT
pam-1.0.4-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc10
Comment 5 Fedora Update System 2009-04-14 11:52:54 EDT
pam-1.0.4-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-04-14 11:58:36 EDT
pam-1.0.4-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2013-04-05 11:42:11 EDT
Statement:

Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.