RHBA-2004:551 - Bug Fix Advisory

Topic

Updated pam packages that fix bugs in pam_limits and pam_unix modules and
enhance the functionality of the pam_cracklib module are now available for
Red Hat Enterprise Linux.

Description

PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without having
to recompile programs that handle authentication.

The pam_limits module is used to set per process resource usage limits
during login. The pam_limits module is configured by editing the
/etc/security/limits.conf configuration file. The module now recognizes
the '&' prefix character on domains to which a given rule applies. This
enables a functionality which was missing from previous versions of the pam
package and reimplemented in the pam-0.77 version. These packages also add
group-checking functionality.

The pam_cracklib module is used to test the quality of passwords which are
entered by users when they are changing them. The module now recognizes
negative values for credit parameters. This provides hard limiting of
allowed passwords for a given number of characters of a given kind.

The pam_unix module is used for traditional UNIX authentication via
/etc/passwd and /etc/shadow. The updated package resolves the following
issue: a passwd command waiting for input from a user effectively disabled
the changing of passwords for other users of a system.

All users of PAM should upgrade to these updated packages, which resolve
these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Affected Products

• Red Hat Enterprise Linux Server 3 x86_64
• Red Hat Enterprise Linux Server 3 ia64
• Red Hat Enterprise Linux Server 3 i386
• Red Hat Enterprise Linux Workstation 3 x86_64
• Red Hat Enterprise Linux Workstation 3 ia64
• Red Hat Enterprise Linux Workstation 3 i386
• Red Hat Enterprise Linux Desktop 3 x86_64
• Red Hat Enterprise Linux Desktop 3 i386
• Red Hat Enterprise Linux for IBM z Systems 3 s390x
• Red Hat Enterprise Linux for IBM z Systems 3 s390
• Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

• BZ - 124645 - [PATCH] credit values are ignored in /etc/pam.d/passwd
• BZ - 125123 - RHEL2.1 U6: credit values are ignored in /etc/pam.d/passwd
• BZ - 128441 - RHEL3 U4: Make pam_limits behavior of '*' match between RHEL4 and RHEL3
• BZ - 131338 - /usr/bin/passwd locks while waiting for /bin/login to update an expired password

CVEs

(none)

References

(none)