medium
4.6
CWE
264
Advisory Published
CVE Published
Updated

CVE-2009-0579

First published: Tue Feb 24 2009(Updated: )

An issue dealing with password changes, with respect to the MINDAYS field in /etc/shadow was reported on the Debian BTS (<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437</a>) that affects all versions of PAM 1.x. Because of this, if an administrative user sets the password minimum days via chage or passwd, /etc/shadow is updated correctly, but PAM allows the user to change their password with no regard for the MINDAYS setting, effectively allowing them to re-use old passwords immediately and disregard any established password policies that should be enforced. This is due to the fact that no minimum age password checks are done by PAM in 1.x; in the old versions it was done in _unix_verify_shadow() by checking the value of of sp_min. In newer PAM this check is no longer there.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
SUSE PAM=0.99.1.0
SUSE PAM=0.99.2.0
SUSE PAM=0.99.2.1
SUSE PAM=0.99.3.0
SUSE PAM=0.99.4.0
SUSE PAM=0.99.5.0
SUSE PAM=0.99.6.0
SUSE PAM=0.99.6.1
SUSE PAM=0.99.6.2
SUSE PAM=0.99.6.3
SUSE PAM=0.99.7.0
SUSE PAM=0.99.7.1
SUSE PAM=0.99.8.0
SUSE PAM=0.99.8.1
SUSE PAM=0.99.9.0
SUSE PAM=0.99.10.0
SUSE PAM=1.0.0
SUSE PAM=1.0.1
SUSE PAM=1.0.2
SUSE PAM=1.0.3
SUSE PAM<=1.0.4

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=487216

Remedy

https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00420.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2009-0579?

    CVE-2009-0579 is considered a moderate severity vulnerability due to its impact on password management in affected PAM versions.

  • How do I fix CVE-2009-0579?

    To fix CVE-2009-0579, it's recommended to update to the latest version of the Linux-PAM library that has addressed the vulnerability.

  • Which versions of Linux-PAM are affected by CVE-2009-0579?

    CVE-2009-0579 affects all versions of Linux-PAM 1.x and earlier, including 0.99.x versions.

  • What are the potential risks of CVE-2009-0579?

    The risks associated with CVE-2009-0579 include potential unauthorized access due to improper password handling.

  • Is CVE-2009-0579 specific to any operating system?

    CVE-2009-0579 was reported in the context of Debian, but it affects any system using the vulnerable versions of the Linux-PAM library.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203