
Bug Fix Advisory pam bug fix and enhancement update

Advisory: RHBA-2013:0032-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2013-01-07
Last updated on: 2013-01-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

Updated pam packages that fix three bugs and add various enhancements are now
available for Red Hat Enterprise Linux 5.

Pluggable Authentication Modules (PAM) provide a system to set up authentication
policies without the need to recompile programs to handle authentication.

This update fixes the following bugs:

* Due to an error in the %post script, the /var/log/faillog and
/var/log/tallylog files were truncated on PAM upgrade. Consequently, the user
authentication failure records were lost. The %post script has been fixed, and
the user authentication failure records are now preserved during the pam package
upgrade. (BZ#614765)

* When the "remember" option was used, the pam_unix and pam_cracklib modules
matched usernames incorrectly while searching for the old password entries in
the /etc/security/opasswd file. Due to this bug, the old password entries
could be mixed; users whose usernames were a substring of another username
could have the password entries of another user. With this update, the string
that is used to match usernames has been fixed. Now only exactly matching
usernames are matched and the entries about old passwords are no longer mixed
in the described scenario. (BZ#768087)

* Prior to this update, using the pam_pwhistory module caused an error when
changing a user's password. It was not possible to choose any password that
was in the user's password history as a new password. With this update, root
can change the password regardless of whether it is in the user's history or
not. (BZ#824858)
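
The username-matching flaw fixed under BZ#768087, as an added C illustration
that is not pam's own code: a length-limited comparison beside an exact field
match, plus a check for account names that collide. The sample lines, the
user:uid:count:hashes layout and all function names are assumptions made for
this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, assumed layout: user:uid:count:hash1,hash2,... */
static const char *SAMPLE_OPASSWD[] = {
    "bobby:1002:2:OLDHASH_BOBBY_1,OLDHASH_BOBBY_2",
    "bob:1001:1:OLDHASH_BOB_1",
    NULL
};

/* Flawed lookup: compares only strlen(user) bytes, so "bob" hits "bobby". */
static const char *find_entry_prefix(const char **lines, const char *user)
{
    size_t n = strlen(user);
    for (; *lines; lines++)
        if (strncmp(*lines, user, n) == 0)
            return *lines;
    return NULL;
}

/* Exact lookup: the name must be followed by the ':' field delimiter. */
static const char *find_entry_exact(const char **lines, const char *user)
{
    size_t n = strlen(user);
    for (; *lines; lines++)
        if (strncmp(*lines, user, n) == 0 && (*lines)[n] == ':')
            return *lines;
    return NULL;
}

/* Audit helper: count users whose name is a proper prefix of another name. */
static int count_prefix_collisions(const char **lines)
{
    int hits = 0;
    for (size_t i = 0; lines[i]; i++) {
        size_t n = strcspn(lines[i], ":");
        for (size_t j = 0; lines[j]; j++)
            if (j != i && strncmp(lines[j], lines[i], n) == 0
                && lines[j][n] != ':') { hits++; break; }
    }
    return hits;
}

int main(void)
{
    printf("prefix: %s\n", find_entry_prefix(SAMPLE_OPASSWD, "bob"));
    printf("exact:  %s\n", find_entry_exact(SAMPLE_OPASSWD, "bob"));
    printf("colliding names: %d\n", count_prefix_collisions(SAMPLE_OPASSWD));
    return 0;
}
```

Accounts reported by the collision count are the ones whose password history
is worth reviewing after the upgrade.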

This update also adds the following enhancements:

* Prior to this update, the pam_listfile module searched through all group
entries using the getgrent() function when looking for group matches. Due to
this implementation, getgrent() took too much time on systems using central
identity servers such as LDAP for storing a large number of groups. This
feature has been replaced by a more efficient implementation, which does not
need to look through all groups on the system. As a result, pam_listfile is
now much faster in the described scenario. (BZ#551312)

* Previously, the pam_access module did not include the nodefgroup option.
Consequently, it was impossible to differentiate between users and groups using
this module. This enhancement adds backported support for the nodefgroup option
of pam_access. When using this option, the user field of the entries in the
access.conf file is not matched against groups on the system. The group matches
have to be explicitly marked with parentheses "(" and ")". (BZ#675835)

* Prior to this update, when the pam_exec module ran an external command, the
environment variables such as PAM_USER or PAM_HOST were not exported. This
enhancement adds support for exporting environment variables, including those
that contain common PAM item values, from the PAM environment to the script
that is executed by the pam_exec module. (BZ#554518)

* This update improves the pam_cracklib module, which is used to check
properties of a new password entered by the user and reject it if it does not
meet the specified limits. The pam_cracklib module can now check whether a
new password contains the words from the GECOS field entries in the
"/etc/passwd" file. It also allows specifying the maximum allowed number of
consecutive characters of the same class (lowercase, uppercase, number, and
special characters) in a password. (BZ#809247)

All pam users are advised to upgrade to these updated packages, which fix these
bugs and add these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
pam-0.99.6.2-12.el5.src.rpm

IA-32:
pam-debuginfo-0.99.6.2-12.el5.i386.rpm
pam-devel-0.99.6.2-12.el5.i386.rpm

x86_64:
pam-debuginfo-0.99.6.2-12.el5.i386.rpm
pam-debuginfo-0.99.6.2-12.el5.x86_64.rpm
pam-devel-0.99.6.2-12.el5.i386.rpm
pam-devel-0.99.6.2-12.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
pam-0.99.6.2-12.el5.src.rpm

IA-32:
pam-0.99.6.2-12.el5.i386.rpm
pam-debuginfo-0.99.6.2-12.el5.i386.rpm
pam-devel-0.99.6.2-12.el5.i386.rpm

IA-64:
pam-0.99.6.2-12.el5.i386.rpm
pam-0.99.6.2-12.el5.ia64.rpm
pam-debuginfo-0.99.6.2-12.el5.i386.rpm
pam-debuginfo-0.99.6.2-12.el5.ia64.rpm
pam-devel-0.99.6.2-12.el5.ia64.rpm

PPC:
pam-0.99.6.2-12.el5.ppc.rpm
pam-0.99.6.2-12.el5.ppc64.rpm
pam-debuginfo-0.99.6.2-12.el5.ppc.rpm
pam-debuginfo-0.99.6.2-12.el5.ppc64.rpm
pam-devel-0.99.6.2-12.el5.ppc.rpm
pam-devel-0.99.6.2-12.el5.ppc64.rpm

s390x:
pam-0.99.6.2-12.el5.s390.rpm
pam-0.99.6.2-12.el5.s390x.rpm
pam-debuginfo-0.99.6.2-12.el5.s390.rpm
pam-debuginfo-0.99.6.2-12.el5.s390x.rpm
pam-devel-0.99.6.2-12.el5.s390.rpm
pam-devel-0.99.6.2-12.el5.s390x.rpm

x86_64:
pam-0.99.6.2-12.el5.i386.rpm
pam-0.99.6.2-12.el5.x86_64.rpm
pam-debuginfo-0.99.6.2-12.el5.i386.rpm
pam-debuginfo-0.99.6.2-12.el5.x86_64.rpm
pam-devel-0.99.6.2-12.el5.i386.rpm
pam-devel-0.99.6.2-12.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
pam-0.99.6.2-12.el5.src.rpm

IA-32:
pam-0.99.6.2-12.el5.i386.rpm
pam-debuginfo-0.99.6.2-12.el5.i386.rpm

x86_64:
pam-0.99.6.2-12.el5.i386.rpm
pam-0.99.6.2-12.el5.x86_64.rpm
pam-debuginfo-0.99.6.2-12.el5.i386.rpm
pam-debuginfo-0.99.6.2-12.el5.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

551312 - [RFE] pam_listfile calls getgrent(), apply patch to call pam_modutil_user_in_group_nam_nam()
554518 - pam_exec doesn't export environment variables
614765 - PAM truncates /var/log/faillog on upgrade
768087 - pam remember can check wrong username if it is a substring of another username



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/