Your submission was sent successfully! Close

CVE-2009-0579

Published: 16 April 2009

Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified.

Priority

Low

Notes

AuthorNote
mdeslaur
pam below 1.0 have a check already as per debian bug:
in _unix_verify_shadow, called from pam_sm_chauthtok:
	if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
		    && (spwdent->sp_min != -1))
		retval = PAM_AUTHTOK_ERR;

References

Bugs