Security Advisory Moderate: pam security, bug fix, and enhancement update

Advisory: RHSA-2007:0737-6
Type: Security Advisory
Severity: Moderate
Issued on: 2007-11-15
Last updated on: 2007-11-15
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2007-1716
CVE-2007-3102

Details

Updated pam packages that fix two security flaws, resolve two bugs, and
add an enhancement are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs that handle authentication.

A flaw was found in the way pam_console set console device permissions. It
was possible for various console devices to retain ownership of the console
user after logging out, possibly leaking information to another local user.
(CVE-2007-1716)

A flaw was found in the way the PAM library wrote account names to the
audit subsystem. An attacker could inject strings containing parts of audit
messages, which could possibly mislead or confuse audit log parsing tools.
(CVE-2007-3102)
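The risk behind CVE-2007-3102 is a structured record receiving an untrusted value unencoded. The following Python is an added illustration, not Red Hat's or the PAM project's code, of the general mitigation: any field value containing characters outside a small safe set is hex-encoded (the convention the Linux audit userspace uses for untrusted strings), so a log parser can never read part of an account name as a separate field. The unsafe pattern is shown beside the hardened one, and the record layout, safe character set and sample account name are constructed for this example.

```python
import re
import string

# Constructed safe set for this example: a value made only of these
# characters is emitted in double quotes; anything else is hex-encoded.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "._-@/")


def encode_field(value: str) -> str:
    """Encode one untrusted field value for an audit-style key=value record."""
    if value and all(c in SAFE_CHARS for c in value):
        return f'"{value}"'
    # Hex of the UTF-8 bytes: quotes, spaces and '=' cannot survive encoding.
    return value.encode("utf-8").hex().upper()


def naive_acct_message(acct: str, op: str, res: str) -> str:
    """The unsafe pattern: the caller-controlled name is interpolated as-is."""
    return f"type=USER_AUTH op={op} acct={acct} res={res}"


def audit_acct_message(acct: str, op: str, res: str) -> str:
    """Hardened form: only the untrusted account name is encoded."""
    return f"type=USER_AUTH op={op} acct={encode_field(acct)} res={res}"


# key=value where the value is quoted, an even-length uppercase hex blob
# followed by whitespace/end, or a bare token. The lookahead stops a bare
# word such as FAILED from being partly consumed as hex. A bare token that
# happens to be all hex digits (e.g. DEADBEEF) would still be decoded; a
# production parser disambiguates by field name, which is omitted here.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|((?:[0-9A-F]{2})+)(?=\s|$)|(\S+))')


def parse_audit_line(line: str) -> list:
    """Return the (key, value) pairs of a record in order, decoding values.

    A list rather than a dict is returned so duplicated keys stay visible,
    which is exactly the symptom an injected value produces.
    """
    pairs = []
    for m in _FIELD.finditer(line):
        key, quoted, hexed, bare = m.groups()
        if quoted is not None:
            pairs.append((key, quoted))
        elif hexed is not None:
            pairs.append((key, bytes.fromhex(hexed).decode("utf-8", "replace")))
        else:
            pairs.append((key, bare))
    return pairs


def keys_of(pairs: list) -> list:
    """Field names in record order (duplicates included)."""
    return [k for k, _ in pairs]


if __name__ == "__main__":
    # Constructed sample: a name containing a space and a key=value fragment.
    name = "alice res=success"
    for builder in (naive_acct_message, audit_acct_message):
        line = builder(name, "PAM:authentication", "failed")
        print(line)
        print(parse_audit_line(line))
```

Run the block and compare the two parses: the naive record carries two `res` fields and a truncated `acct`, while the hardened record round-trips the full name into a single `acct` field and keeps the real `res=failed`.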

As well, these updated packages fix the following bugs:

* the pam_xauth module, which is used for copying the X11 authentication
cookie, did not reset the "XAUTHORITY" variable in certain circumstances,
causing unnecessary delays when using the su command.

* when calculating password similarity, pam_cracklib disregarded changes
to the last character of the password when "difok=x" (where "x" is the
number of characters required to change) was configured in
"/etc/pam.d/system-auth". As a result, password changes that should have
succeeded failed with the following error:

BAD PASSWORD: is too similar to the old one

This issue has been resolved in these updated packages.
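To make the failure mode concrete, here is an added simplified Python model of a "difok" similarity check; it is not the pam_cracklib source, and the advisory does not say where in that code the defect sat. A counting routine whose loop bound is one short never sees a change to the final character, so a password that legitimately changed enough characters is reported as too similar; the corrected routine sits beside it. The positional comparison, the sample passwords and the difok values are constructed for this example.

```python
BAD_PASSWORD_MSG = "BAD PASSWORD: is too similar to the old one"


def differing_chars(old: str, new: str) -> int:
    """Count positions where `new` differs from `old`, plus any change in
    length. This is a simplified positional model of a difok check."""
    n = min(len(old), len(new))
    changed = sum(1 for i in range(n) if old[i] != new[i])
    return changed + abs(len(old) - len(new))


def differing_chars_buggy(old: str, new: str) -> int:
    """Same check with the loop bound one short: index n-1, the last
    character of the shorter string, is never compared. This models the
    class of defect the advisory describes, not pam_cracklib's actual code."""
    n = min(len(old), len(new))
    changed = sum(1 for i in range(n - 1) if old[i] != new[i])
    return changed + abs(len(old) - len(new))


def check_difok(old: str, new: str, difok: int, counter=differing_chars):
    """Return (accepted, message) for a proposed password change given the
    configured difok value. `counter` selects the counting routine."""
    if counter(old, new) < difok:
        return (False, BAD_PASSWORD_MSG)
    return (True, "OK")


if __name__ == "__main__":
    # Constructed sample: the new password changes the last two characters.
    old, new, difok = "Summer2006", "Summer2017", 2
    print("fixed :", check_difok(old, new, difok))
    print("buggy :", check_difok(old, new, difok, differing_chars_buggy))
```

With `difok=2` the corrected routine counts both changed characters and accepts the change, while the one-short loop counts only one and emits the "too similar" error quoted above. A change that alters no characters is still rejected by both, so the fix does not loosen the policy; it only stops discarding the final position.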

* the pam_limits module, which sets up system resource limits for user
sessions, reset the nice priority of the user session to "0" if no other
value was configured in the "/etc/security/limits.conf" configuration
file.

These updated packages add the following enhancement:

* a new PAM module, pam_tally2, which allows accounts to be locked after a
maximum number of failed login attempts.

All users of PAM should upgrade to these updated packages, which resolve
these issues and add this enhancement.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
pam-0.77-66.23.src.rpm
File outdated by:  RHBA-2010:0512
    MD5: 280fdb2b65b60c9f4289efbf9362f246
 
IA-32:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
 
x86_64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 03ec1abab5c5ab9395d59b70c7f4ec36
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
pam-devel-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 1e5df76e71f24d346b4bd55e00cdaf0c
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
pam-0.77-66.23.src.rpm
File outdated by:  RHBA-2010:0512
    MD5: 280fdb2b65b60c9f4289efbf9362f246
 
IA-32:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
 
IA-64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.ia64.rpm
File outdated by:  RHBA-2010:0512
    MD5: c23638544883ca4eccc5ac7a34af78bc
pam-devel-0.77-66.23.ia64.rpm
File outdated by:  RHBA-2010:0512
    MD5: e707127a2b6748373f521654333018e7
 
PPC:
pam-0.77-66.23.ppc.rpm
File outdated by:  RHBA-2010:0512
    MD5: edb7fe8063315a76ef42285ec758fc49
pam-0.77-66.23.ppc64.rpm
File outdated by:  RHBA-2010:0512
    MD5: a20e6dd507568b4e4d78734772d48013
pam-devel-0.77-66.23.ppc.rpm
File outdated by:  RHBA-2010:0512
    MD5: dff686e760e6db61bcd5e526dbc37415
pam-devel-0.77-66.23.ppc64.rpm
File outdated by:  RHBA-2010:0512
    MD5: d60805d695d5f00b15dd61a2f4547fb4
 
s390:
pam-0.77-66.23.s390.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7e14ae2d5fae071fdc976b59d0bd7503
pam-devel-0.77-66.23.s390.rpm
File outdated by:  RHBA-2010:0512
    MD5: 1e69ba88bb46d7b087c65330b26140fa
 
s390x:
pam-0.77-66.23.s390.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7e14ae2d5fae071fdc976b59d0bd7503
pam-0.77-66.23.s390x.rpm
File outdated by:  RHBA-2010:0512
    MD5: 37d92cc5118f527d7257be350edc8934
pam-devel-0.77-66.23.s390.rpm
File outdated by:  RHBA-2010:0512
    MD5: 1e69ba88bb46d7b087c65330b26140fa
pam-devel-0.77-66.23.s390x.rpm
File outdated by:  RHBA-2010:0512
    MD5: 5e7853af7d8905b4375f68bca57da149
 
x86_64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 03ec1abab5c5ab9395d59b70c7f4ec36
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
pam-devel-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 1e5df76e71f24d346b4bd55e00cdaf0c
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
pam-0.77-66.23.src.rpm
File outdated by:  RHBA-2010:0512
    MD5: 280fdb2b65b60c9f4289efbf9362f246
 
IA-32:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
 
IA-64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.ia64.rpm
File outdated by:  RHBA-2010:0512
    MD5: c23638544883ca4eccc5ac7a34af78bc
pam-devel-0.77-66.23.ia64.rpm
File outdated by:  RHBA-2010:0512
    MD5: e707127a2b6748373f521654333018e7
 
x86_64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 03ec1abab5c5ab9395d59b70c7f4ec36
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
pam-devel-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 1e5df76e71f24d346b4bd55e00cdaf0c
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
pam-0.77-66.23.src.rpm
File outdated by:  RHBA-2010:0512
    MD5: 280fdb2b65b60c9f4289efbf9362f246
 
IA-32:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
 
IA-64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.ia64.rpm
File outdated by:  RHBA-2010:0512
    MD5: c23638544883ca4eccc5ac7a34af78bc
pam-devel-0.77-66.23.ia64.rpm
File outdated by:  RHBA-2010:0512
    MD5: e707127a2b6748373f521654333018e7
 
x86_64:
pam-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: f83fa911b83700f7767907e20d7c4d45
pam-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 03ec1abab5c5ab9395d59b70c7f4ec36
pam-devel-0.77-66.23.i386.rpm
File outdated by:  RHBA-2010:0512
    MD5: 7568bb0d75d41951a3956e1128787e78
pam-devel-0.77-66.23.x86_64.rpm
File outdated by:  RHBA-2010:0512
    MD5: 1e5df76e71f24d346b4bd55e00cdaf0c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

228980 - XAUTHORITY env var not reset on 'su -'
230823 - CVE-2007-1716 Ownership of devices not returned to root after logout from console
247797 - CVE-2007-3102 audit logging of failed logins
267201 - pam_cracklib.so disregards changes to last char when calculating similarity


Keywords

audit, device, limits, ownership, priority, tally, xauthority


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/