An issue dealing with password changes, with respect to the MINDAYS field in /etc/shadow was reported on the Debian BTS (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437) that affects all versions of PAM 1.x. Because of this, if an administrative user sets the password minimum days via chage or passwd, /etc/shadow is updated correctly, but PAM allows the user to change their password with no regard for the MINDAYS setting, effectively allowing them to re-use old passwords immediately and disregard any established password policies that should be enforced. This is due to the fact that no minimum age password checks are done by PAM in 1.x; in the old versions it was done in _unix_verify_shadow() by checking the value of of sp_min. In newer PAM this check is no longer there.
Created pam tracking bugs for this issue Affects: F10 [bug #487217] Affects: F9 [bug #487218] Affects: Fdevel [bug #487219]
pam-1.0.4-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-3.fc9
pam-1.0.4-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc9
pam-1.0.4-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc10
pam-1.0.4-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
pam-1.0.4-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Statement: Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.