Lumension® Endpoint Intelligence Center



Id RHBA-2013:0032-01
Name Red Hat 2013:0032-01 RHBA pam bug fix and enhancement update for RHEL 5 x86
Vendor Name red_hat
Product None
Content Type Recommended
Operating System(s) Linux 
Released On 07 Jan 2013 12:00:00



Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.

This update fixes the following bugs:

* Due to an error in the %post script, the /var/log/faillog and /var/log/tallylog files were truncated on PAM upgrade. Consequently, the user authentication failure records were lost. The %post script has been fixed, and the user authentication failure records are now preserved during the pam package upgrade. (BZ#614765)

* When the "remember" option was used, the pam_unix and pam_cracklib modules matched usernames incorrectly while searching for the old password entries in the /etc/security/opasswd file. Due to this bug, the old password entries could be mixed; users whose usernames were a substring of another username could have the password entries of another user. With this update, the string that is used to match usernames has been fixed. Now only exactly identical usernames are matched, and the entries about old passwords are no longer mixed in the described scenario. (BZ#768087)

* Prior to this update, using the pam_pwhistory module caused an error when changing a user's password. It was not possible to choose any password that was in the user's password history as a new password. With this update, root can change the password regardless of whether it is in the user's history or not. (BZ#824858)

This update also adds the following enhancements:

* Prior to this update, the pam_listfile module searched through all group entries using the getgrent() function when looking for group matches. Due to this implementation, getgrent() took too much time on systems using central identity servers such as LDAP for storing a large number of groups. This has been replaced by a more efficient implementation, which does not need to look through all groups on the system. As a result, pam_listfile is now much faster in the described scenario. (BZ#551312)

* Previously, the pam_access module did not include the nodefgroup option. Consequently, it was impossible to differentiate between users and groups using this module. This enhancement adds backported support for the nodefgroup option of pam_access. When using this option, the user field of the entries in the access.conf file is not matched against groups on the system. The group matches have to be explicitly marked with parentheses "(" and ")". (BZ#675835)

* Prior to this update, when the pam_exec module ran an external command, environment variables such as PAM_USER or PAM_HOST were not exported. This enhancement adds support for exporting environment variables, including those which contain common PAM item values, from the PAM environment to the script that is executed by the pam_exec module. (BZ#554518)

* This update improves the pam_cracklib module, which is used to check properties of a new password entered by the user and reject it if it does not meet the specified limits. The pam_cracklib module can now check whether a new password contains words from the GECOS field entries in the "/etc/passwd" file. It can also enforce a specified maximum number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password. (BZ#809247)

All pam users are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
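
The username-matching problem described in BZ#768087 can be illustrated with a simplified model of the old-password lookup. This is an added example, not Red Hat's or the PAM project's code; the opasswd line layout (user:uid:count:hashes), the sample entries and the function names are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/security/opasswd; assumed line layout is
 * user:uid:count:hash1,hash2,... (the hash values are placeholders). */
static const char *OPASSWD[] = {
    "annabel:1002:2:HASH_ANNABEL_1,HASH_ANNABEL_2",
    "ann:1001:1:HASH_ANN_1",
    NULL
};

/* Prefix comparison: the kind of match the advisory describes as faulty.
 * "ann" also matches the line that belongs to "annabel". */
static int match_prefix(const char *line, const char *user)
{
    return strncmp(line, user, strlen(user)) == 0;
}

/* Exact comparison: the name must be followed by the ':' field separator. */
static int match_exact(const char *line, const char *user)
{
    size_t n = strlen(user);
    return strncmp(line, user, n) == 0 && line[n] == ':';
}

/* Return the old-password field of the first line accepted by `match`,
 * or NULL when no line belongs to the user. */
static const char *old_passwords(const char *user,
                                 int (*match)(const char *, const char *))
{
    for (size_t i = 0; OPASSWD[i] != NULL; i++) {
        if (match(OPASSWD[i], user)) {
            const char *p = strrchr(OPASSWD[i], ':');
            return p ? p + 1 : NULL;
        }
    }
    return NULL;
}

int main(void)
{
    printf("prefix match for ann: %s\n", old_passwords("ann", match_prefix));
    printf("exact match for ann:  %s\n", old_passwords("ann", match_exact));
    return 0;
}
```

With the prefix comparison, the history check for "ann" is made against the old passwords of "annabel"; the exact comparison keeps each user's history separate.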


Last Updated: 27 May 2016 11:16:10