- A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' ~/.pam_environment files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges.
- A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.
- The limit on the number of processes was set in the /etc/limits.d/90-nproc.conf file to 1024 processes even for the root account. Consequently, root processes confined with SELinux, such as the prelink utility started from the crond daemon, failed to start if there were more than 1024 processes running with UID 0 on the system. The limit for root processes has been set to unlimited, and confined processes are no longer blocked in the described scenario.
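To see how the corrected 90-nproc.conf lifts the cap for root while keeping it for everyone else, here is an added example (not part of the original errata text) that computes the nproc value pam_limits would apply to a given account from a limits.d-style file. Both input files are constructed stand-ins for the real file, which is not read. The matching rules are a simplification and an assumption of this example: an entry naming the user explicitly overrides a wildcard entry, a "-" type sets both soft and hard, and the wildcard is taken to apply to root, which is the behaviour the entry above describes.

```shell
#!/bin/sh
# Added example: resolve the nproc limit a limits.d-style file applies to a user.
# The two files below are constructed stand-ins for 90-nproc.conf.
NPROC_BEFORE=$(mktemp)
NPROC_AFTER=$(mktemp)
trap 'rm -f "$NPROC_BEFORE" "$NPROC_AFTER"' EXIT

# Before the update: only a wildcard entry, so the cap applies to root as well.
cat > "$NPROC_BEFORE" <<'EOF'
# Default limit for number of user's processes
*          soft    nproc     1024
EOF

# After the update: a more specific entry lifts the cap for root only.
cat > "$NPROC_AFTER" <<'EOF'
*          soft    nproc     1024
root       soft    nproc     unlimited
EOF

# effective_nproc FILE USER TYPE -> prints the value that applies, or "none".
# An entry naming the user explicitly overrides a wildcard ("*") entry; a "-"
# type covers both soft and hard. Comment lines and short lines are skipped.
effective_nproc() {
    awk -v user="$2" -v type="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 != "nproc" { next }
        $2 != type && $2 != "-" { next }
        $1 == user { user_val = $4 }
        $1 == "*"  { star_val = $4 }
        END {
            if (user_val != "") print user_val
            else if (star_val != "") print star_val
            else print "none"
        }' "$1"
}

printf 'root soft nproc before update: %s\n' "$(effective_nproc "$NPROC_BEFORE" root soft)"
printf 'root soft nproc after update:  %s\n' "$(effective_nproc "$NPROC_AFTER" root soft)"
printf 'alice soft nproc after update: %s\n' "$(effective_nproc "$NPROC_AFTER" alice soft)"
```

Pointing effective_nproc at a copy of the installed file is a quick way to confirm whether a UID 0 service account on a busy host is still subject to the 1024 cap.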
- The require_selinux option handling in the pam_namespace module was broken. As a consequence, when SELinux was disabled, it was not possible to prevent users from logging in with the pam_namespace module. This option has been fixed and PAM now works as expected.
- The pam_get_authtok_verify() function did not save the PAM_AUTHTOK_TYPE PAM item properly. Consequently, the authentication token type, as specified with the authtok_type option of the pam_cracklib module, was not respected in the “Retype new password” message. The pam_get_authtok_verify() function has been fixed to properly save the PAM_AUTHTOK_TYPE item, and PAM now works correctly in this case.
- When the remember option was used, the pam_unix module matched usernames incorrectly while searching for old password entries in the /etc/security/opasswd file. Due to this bug, old password entries could be mixed up: users whose usernames were a substring of another username could have the old password entries of that other user. With this update, the algorithm used to match usernames has been fixed. Now only exactly identical usernames are matched, and old password entries are no longer mixed in the described scenario.
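The following added example (it is not pam_unix's own code) simulates the substring bug with a prefix comparison and contrasts it with an exact match on the username field. The opasswd-style file is constructed for the example, using the documented user:uid:count:hashes layout with placeholder strings in place of real hashes; nothing under /etc/security is read.

```shell
#!/bin/sh
# Added example: prefix matching vs exact matching of usernames in an
# opasswd-style file. The file is a constructed stand-in for
# /etc/security/opasswd; the hash fields are placeholders, not real hashes.
OPASSWD_SAMPLE=$(mktemp)
trap 'rm -f "$OPASSWD_SAMPLE"' EXIT
cat > "$OPASSWD_SAMPLE" <<'EOF'
bob:1001:2:PLACEHOLDER_HASH_A,PLACEHOLDER_HASH_B
bobby:1002:1:PLACEHOLDER_HASH_C
alice:1003:1:PLACEHOLDER_HASH_D
EOF

# Buggy behaviour: compare only the leading characters of the username field,
# so a lookup for "bob" also selects the "bobby" entry. Prints the entry count.
opasswd_count_prefix_match() {
    grep -c "^$2" "$1"
}

# Fixed behaviour: compare the whole first field, so only the identical
# username is selected. Prints the entry count.
opasswd_count_exact_match() {
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# Old password hashes that belong to exactly this user (comma-separated).
opasswd_old_hashes() {
    awk -F: -v u="$2" '$1 == u { print $4 }' "$1"
}

echo "entries selected for bob by prefix match: $(opasswd_count_prefix_match "$OPASSWD_SAMPLE" bob)"
echo "entries selected for bob by exact match:  $(opasswd_count_exact_match "$OPASSWD_SAMPLE" bob)"
echo "bob's own old hashes: $(opasswd_old_hashes "$OPASSWD_SAMPLE" bob)"
```

With the prefix comparison, a password-history check for bob would also be run against bobby's old hashes, which is exactly the mixing the entry describes; the exact field comparison keeps each user's history separate.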
- Prior to this update, using the pam_pwhistory module caused an error to occur when the root user was changing a user's password: it was not possible to choose any password that was in the user's password history as the new password. With this update, the root user can change the password regardless of whether it is in the user's history or not.
- Certain authentication policies require enforcement of password complexity restrictions even for root accounts. The pam_cracklib module therefore now supports the enforce_for_root option, which enforces the complexity restrictions on new passwords even for the root account.
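Two of the items above come down to one configuration token each: the non-default "user_readenv=1" on the pam_env line (which enabled the two pam_env flaws) and the new enforce_for_root option on the pam_cracklib line. The following added audit script (written for this page, not shipped with PAM) scans a directory of PAM service files for both. The two service files are constructed samples written to a temporary directory; the script assumes the usual one-module-per-line layout of /etc/pam.d files and does not follow "include" directives.

```shell
#!/bin/sh
# Added example: audit PAM service files for the risky non-default pam_env
# setting "user_readenv=1" and for pam_cracklib lines lacking enforce_for_root.
# The service files below are constructed samples; /etc/pam.d is not touched.
PAM_AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_AUDIT_DIR"' EXIT

# Constructed sample: an sshd service that turned on user_readenv and whose
# pam_cracklib line does not cover root.
cat > "$PAM_AUDIT_DIR/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_env.so user_readenv=1
auth       include      password-auth
password   requisite    pam_cracklib.so try_first_pass retry=3 minlen=8
EOF

# Constructed sample: a login service with the defaults plus enforce_for_root.
cat > "$PAM_AUDIT_DIR/login" <<'EOF'
#%PAM-1.0
auth       required     pam_env.so
password   requisite    pam_cracklib.so try_first_pass retry=3 enforce_for_root
EOF

# Print the name of every service whose pam_env line enables user_readenv=1.
# Comment lines are skipped; only pam_env.so module lines are inspected.
pam_services_with_user_readenv() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep 'pam_env\.so' \
                | grep -Eq 'user_readenv=1([[:space:]]|$)'; then
            basename "$f"
        fi
    done
}

# Return 0 when every pam_cracklib line in FILE carries enforce_for_root,
# 1 when there is none or at least one line lacks it (root bypasses the checks).
pam_cracklib_enforces_root() {
    file=$1
    lines=$(grep -v '^[[:space:]]*#' "$file" | grep 'pam_cracklib\.so' || true)
    [ -n "$lines" ] || return 1
    echo "$lines" | grep -v 'enforce_for_root' | grep -q . && return 1
    return 0
}

for svc in $(pam_services_with_user_readenv "$PAM_AUDIT_DIR"); do
    echo "warning: $svc enables user_readenv=1 (non-default; parses ~/.pam_environment)"
done
for f in "$PAM_AUDIT_DIR"/*; do
    if pam_cracklib_enforces_root "$f"; then
        echo "$(basename "$f"): pam_cracklib enforces complexity for root"
    else
        echo "$(basename "$f"): pam_cracklib does not enforce complexity for root"
    fi
done
```

Run against a copy of /etc/pam.d, the first function lists the services exposed to the pam_env issues before the update is applied, and the second shows which password stacks still let root pick a password that would be rejected for everyone else.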
- The GECOS field is used to store additional information about the user, such as the user's full name or a phone number, which could be used by an attacker in an attempt to crack the password. The pam_cracklib module now also allows specifying the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password.
- Certain authentication policies do not allow passwords which contain long continuous sequences such as “abcd” or “98765”. This update introduces the possibility to limit the maximum length of these sequences by using the new
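The two pam_cracklib checks just described, the longest run of characters from one class and the longest monotonic sequence such as “abcd” or “98765”, are simple to state but easy to get subtly wrong. The following added example (written for this page, not pam_cracklib's implementation) computes both values for a candidate password so that a chosen limit can be compared against them. Character classes and the sequence alphabet (digits, then lowercase letters, compared case-insensitively) are this example's own simplifying assumptions; a digit followed by a letter is never treated as continuing a sequence.

```shell
#!/bin/sh
# Added example: measure a password against the two pam_cracklib-style checks
# described in the text. Not pam_cracklib's own code.

# password_max_class_run PASSWORD -> longest run of consecutive characters that
# belong to the same class (lower, upper, digit, other).
password_max_class_run() {
    printf '%s\n' "$1" | awk '
    function class(c) {
        if (c ~ /[a-z]/) return "lower"
        if (c ~ /[A-Z]/) return "upper"
        if (c ~ /[0-9]/) return "digit"
        return "other"
    }
    {
        n = length($0); best = 0; run = 0; prev = ""
        for (i = 1; i <= n; i++) {
            c = class(substr($0, i, 1))
            run = (c == prev) ? run + 1 : 1
            prev = c
            if (run > best) best = run
        }
        print best
    }'
}

# password_max_sequence_run PASSWORD -> longest run of characters that step by
# exactly one position, up or down, within the digits or within the letters
# ("abcd" and "98765" both count; "9a" does not cross from digits to letters).
password_max_sequence_run() {
    printf '%s\n' "$1" | awk '
    BEGIN { alphabet = "0123456789abcdefghijklmnopqrstuvwxyz" }
    {
        n = length($0); best = (n > 0) ? 1 : 0; run = 1; dir = 0; prevpos = 0
        for (i = 1; i <= n; i++) {
            pos = index(alphabet, tolower(substr($0, i, 1)))
            d = pos - prevpos
            if (pos && prevpos && (d == 1 || d == -1) && ((pos <= 10) == (prevpos <= 10))) {
                if (d == dir) run++
                else { dir = d; run = 2 }
            } else { dir = 0; run = 1 }
            if (run > best) best = run
            prevpos = pos
        }
        print best
    }'
}

for pw in 'abcDEF12345!' 'Xabcd9z' '98765abc' 'T9q!r2Wm'; do
    printf '%-14s class run=%s sequence run=%s\n' "$pw" \
        "$(password_max_class_run "$pw")" "$(password_max_sequence_run "$pw")"
done
```

A policy that caps either value at, say, 4 would reject the first three sample passwords and accept the last; the functions only measure, so the comparison against the configured limit stays with the caller.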
- Certain authentication policies require support for locking an account that has not been used for a certain period of time. This enhancement introduces an additional function in the pam_lastlog module, which allows users to lock accounts after a configurable number of days of inactivity.
- On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from consuming all of the system memory. This update allows specifying the maximum size and some other options of the tmpfs file system mount when using the tmpfs polyinstantiation method.