- Issued: 2009-09-02
- Updated: 2009-09-02
RHBA-2009:1358 - Bug Fix Advisory
Synopsis
pam bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated pam packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 5.
Description
Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs that handle authentication.
These updated pam packages provide fixes for the following bugs:
- when called from a screensaver running under a non-zero UserID, the
pam_tally2 module could repeatedly prompt for the user's password and then
log the following error to syslog: "Error opening /var/log/tallylog for
update: Permission denied". With this update, pam_tally2 correctly ignores
failures to open the tallylog in this situation. (BZ#429169)
- the pam_access module unnecessarily attempted to resolve entries listed
in the access.conf file through DNS lookups, even if the service was not
called from a network. The pam_access module has been changed so that it
does not attempt to resolve the origins of entries in access.conf which do
not contain an IP address or an IP address and a netmask value. (BZ#459057)
- the pam_keyinit module did not save the UserID (UID) of the process
during session close, which made it unable to switch back to that original
UID. An error message was output to the system log in that case. The UID is
now correctly saved with these updated packages, which makes the spurious
log message disappear. (BZ#466411)
- the pam_filter module was not able to open a new pseudoterminal, which
prevented the module from functioning properly. With this update,
pam_filter is able to open new pseudoterminals. (BZ#473970)
- when the "open_tty" module was used in combination with the
"pam_tty_audit" module in the system-auth pam configuration file,
pam_tty_audit could crash with a segmentation fault if the "open_only" option was set
and the open_tty module was called by the "su" command or another utility.
(BZ#476833)
- the "smbpasswd" utility allows a user to change their encrypted SMB
password, which is stored in the smbpasswd file. However, it was not
possible for non-root users to change their password with "smbpasswd" due
to overly strict checking in the helper of the pam_unix module. This has
been corrected so that users can once again change their SMB passwords
using "smbpasswd". (BZ#476904)
- the coreutils package was listed incorrectly as a prerequisite
requirement for the pam packages instead of a post-install requirement.
This dependency statement has been corrected in these updated packages.
(BZ#497570)
In addition, these updated packages provide the following enhancements:
- Gnome Display Manager's (GDM's) accessibility features did not function
correctly when an audio device was not properly configured. The
configuration file for console device modes now sets audio devices as owned
by the "audio" group if there is no console user. This provides support for
accessible login with GDM. (BZ#244688)
- the pam_tally2 module now supports a new option that allows serialized
access to the /var/log/tallylog file. Enabling this option prevents
possible failed authentication when two separate processes attempt to
authenticate nearly simultaneously when the lock_time option ("always deny
for n seconds after a failed attempt") is set to a value of one or greater.
(BZ#455217)
- these updated pam packages provide a new PAM module, pam_faildelay, which
can read the "FAIL_DELAY" value from the /etc/login.defs configuration file
and set the amount of delay between login prompts following a failed login
attempt to that value. (BZ#476217)
- these updated pam packages provide a new PAM module, pam_pwhistory, which
saves the last passwords for each user in order to force password change
history and keep the user from alternating between the same password too
frequently. (BZ#451085)
Users are advised to upgrade to these updated pam packages, which resolve
these issues and add these enhancements.
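The following is an added example, not part of the advisory or of the pam packages: a small auditor for the pam_tally2 condition described under BZ#455217, which flags auth rules that set lock_time to one or greater without serialized tallylog access. It assumes the new option is the one the upstream pam_tally2 documentation calls `serialize` (the advisory does not name it); the stack in `SAMPLE_SYSTEM_AUTH` is constructed.

```python
import re

# Constructed sample stack for illustration; not taken from the advisory.
SAMPLE_SYSTEM_AUTH = """\
# constructed example
auth     required                pam_env.so
auth     required                pam_tally2.so deny=5 lock_time=2
auth     [success=1 default=bad] pam_unix.so nullok
auth     required                pam_deny.so
account  required                pam_tally2.so
"""

# type, control (plain word or [bracketed] form), module, remaining arguments
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (lineno, type, control, module, options) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        match = RULE_RE.match(line)
        if not match:
            continue
        typ, control, module, rest = match.groups()
        opts = {}
        for arg in rest.split():
            key, _, value = arg.partition("=")   # bare flags get value ""
            opts[key] = value
        yield lineno, typ.lstrip("-"), control, module.rsplit("/", 1)[-1], opts


def audit_tally2(text):
    """Return (lineno, message) for pam_tally2 auth rules at risk of the race."""
    findings = []
    for lineno, typ, _control, module, opts in parse_pam(text):
        if typ != "auth" or module != "pam_tally2.so":
            continue
        lock_time = opts.get("lock_time", "0")
        # 'serialize' is the option name assumed from upstream documentation.
        if lock_time.isdigit() and int(lock_time) >= 1 and "serialize" not in opts:
            findings.append((lineno, "lock_time=%s without serialize" % lock_time))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_tally2(SAMPLE_SYSTEM_AUTH):
        print("line %d: %s" % (lineno, message))
```

Upstream documents the serialize option as relying on fcntl locking of the tally file and as suitable only for non-multithreaded services, so review which services include the stack before enabling it.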
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 429169 - pam_tally2 in system-auth prevents gnome-screensaver from unlocking
- BZ - 455217 - pam_tally2 race when authenticating more than once at the same time.
- BZ - 459057 - Use of pam_access in WBEM causes DNS-related slowdowns
- BZ - 462647 - Fix dereferencing type-punned pointer will break strict-aliasing rules in pam build
- BZ - 473970 - pam_filter does not work in Red Hat EL5
- BZ - 476217 - pam's login fail delay needs to be adjustable
- BZ - 476833 - "su" segfaults when "open_only" is used with "pam_tty_audit" in system-auth
- BZ - 476904 - selinux prevents smbpasswd from changing non-root's password when unix passwd sync is on
- BZ - 497570 - %post dependencies sometimes not resolved correctly
CVEs
(none)
References
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.