- Issued:
- 2013-01-07
- Updated:
- 2013-01-07
RHBA-2013:0032 - pam bug fix and enhancement update
Synopsis
pam bug fix and enhancement update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated pam packages that fix three bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
Description
Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.
This update fixes the following bugs:
-
Due to an error in the %post script, the /var/log/faillog and /var/log/tallylog files were truncated on PAM upgrade. Consequently, the user authentication failure records were lost. The %post script has been fixed, and the user authentication failure records are now preserved during the pam package upgrade. (BZ#614765)
-
When the "remember" option was used, the pam_unix and pam_cracklib modules were matching usernames incorrectly while searching for the old password entries in the /etc/security/opasswd file. Due to this bug, the old password entries could be mixed; the users whose usernames were a substring of another username could have the passwords entries of another user. With this update, the string that is used to match usernames has been fixed. Now only the exact same usernames are matched and the entries about old passwords are no longer mixed in the described scenario. (BZ#768087)
-
Prior to this update, using the pam_pwhistory module caused an error when changing user's password. It was not possible to choose any password, that was in user's password history, as a new password. With this update, root can change the password regardless of whether it is in the user's history or not. (BZ#824858)
This update also adds the following enhancements:
-
Prior to this update, the pam_listfile module was searching through all group entries using the getgrent command when looking for group matches. Due to this implementation, getgrent took too much time on systems using central identity servers such as LDAP for storing large number of groups. This feature has been replaced by more efficient implementation, which does not require to look up through all groups on the system. As a result, pam_listfile is now much faster in the described scenario. (BZ#551312)
-
Previously, the pam_access module did not include the nodefgroup option. Consequently, it was impossible to differentiate between users and groups using this module. This enhancement adds backported support for the nodefgroup option of pam_access. When using this option, the user field of the entries in the access.conf file is not matched against groups on the system. The group matches have to be explicitly marked with parentheses "(" and ")". (BZ#675835)
-
Prior to this update, when the pam_exec module ran an external command, the environment variables such as PAM_USER or PAM_HOST were not exported. This enhancement adds support for exporting environment variables, including those which contains common PAM item values from the PAM environment to the script that is executed by the pam_exec module. (BZ#554518)
-
This update improved the pam_cracklib module, which is used to check properties of a new password entered by the user and reject it if it does not meet the specified limits. The pam_cracklib module now allows to check whether a new password contains the words from the GECOS field entries in the "/etc/passwd" file. It also allows to specify the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password. (BZ#809247)
All pam users are advised to upgrade to these updated packages, which fix these bugs and adds these enhancements.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- pam-devel-0.99.6.2-12.el5.s390x.rpm
- pam-debuginfo-0.99.6.2-12.el5.ppc64.rpm
- pam-devel-0.99.6.2-12.el5.ppc.rpm
- pam-debuginfo-0.99.6.2-12.el5.x86_64.rpm
- pam-debuginfo-0.99.6.2-12.el5.s390.rpm
- pam-debuginfo-0.99.6.2-12.el5.i386.rpm
- pam-devel-0.99.6.2-12.el5.s390.rpm
- pam-devel-0.99.6.2-12.el5.i386.rpm
- pam-0.99.6.2-12.el5.i386.rpm
- pam-devel-0.99.6.2-12.el5.ia64.rpm
- pam-0.99.6.2-12.el5.ia64.rpm
- pam-0.99.6.2-12.el5.src.rpm
- pam-0.99.6.2-12.el5.ppc.rpm
- pam-0.99.6.2-12.el5.x86_64.rpm
- pam-devel-0.99.6.2-12.el5.x86_64.rpm
- pam-debuginfo-0.99.6.2-12.el5.ppc.rpm
- pam-devel-0.99.6.2-12.el5.ppc64.rpm
- pam-0.99.6.2-12.el5.s390.rpm
- pam-debuginfo-0.99.6.2-12.el5.s390x.rpm
- pam-0.99.6.2-12.el5.s390x.rpm
- pam-0.99.6.2-12.el5.ppc64.rpm
- pam-debuginfo-0.99.6.2-12.el5.ia64.rpm
Fixes
- This content is not included.BZ - 551312
- This content is not included.BZ - 554518
- This content is not included.BZ - 614765
- This content is not included.BZ - 768087
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.