RHBA-2006:0093 - Bug Fix Advisory

Topic

Updated pam packages that resolve bugs and enhance the functionality of PAM
library modules are now available.

Description

PAM (Pluggable Authentication Modules) is a system security library that
allows system administrators to set authentication policies without having
to recompile programs that handle authentication.

The pam_succeed_if module provides blocking/allowing of access to a service
using PAM configurable through module options. The updated package adds
support for matching user and remote host against a netgroup.

The pam_access module provides configurable blocking/allowing of access to
a service using PAM. The module required a TTY or remote hostname to be
set before the application called the PAM library. However, some
applications such as system daemons do not run from a terminal environment
and are not accessed remotely. These applications failed when pam_access
was used in PAM configuration.

The pam_tally module provides locking of access to a service after a
specified number of attempts. The updated package adds support for auditing
when the lock becomes effective or when it is unlocked through an
administrator's actions. The updated package also adds support for locking
in the authentication phase which is necessary for correct auditing.

The pam_selinux module provides various functionality necessary for correct
SELinux operation when users are logged in and out. The module reported
errors about relabelling terminal devices as a system log entry that
contained incorrect data.

The pam_limits module enables setting of user limits when a user is logged
in. The updated package supports sigpending and msgqueue limits, which were
introduced in kernel 2.6.

All users of PAM should upgrade to these updated packages, which resolve
these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 170315 - Add netgroup support in pam
• BZ - 170467 - [RHEL3] [RFE] [ORACLE ESCALATION] pam_access requires a tty name
• BZ - 170562 - add audit message to pam_tally
• BZ - 170587 - pam_selinux.so will misreport errors on relabelling terminal devices

CVEs

(none)

References

(none)