CVE-2009-0579
Published: 16 April 2009
Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified.
Notes
Author | Note |
---|---|
mdeslaur | pam below 1.0 have a check already as per debian bug: in _unix_verify_shadow, called from pam_sm_chauthtok: if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min)) && (spwdent->sp_min != -1)) retval = PAM_AUTHTOK_ERR; |