CVE-2009-0579
Publication date 16 April 2009
Last updated 24 July 2024
Ubuntu priority
Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified.
Status
Package | Ubuntu Release | Status |
---|---|---|
pam | 10.10 maverick |
Not affected
|
10.04 LTS lucid |
Not affected
|
|
9.10 karmic |
Not affected
|
|
9.04 jaunty | Ignored end of life | |
8.10 intrepid | Ignored end of life, was needed | |
8.04 LTS hardy |
Not affected
|
|
6.06 LTS dapper |
Not affected
|
Notes
mdeslaur
pam below 1.0 have a check already as per debian bug: in _unix_verify_shadow, called from pam_sm_chauthtok: if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min)) && (spwdent->sp_min != -1)) retval = PAM_AUTHTOK_ERR;