An updated pam package that fixes a security weakness is now available for
CentOS Linux 4.
This update has been rated as having low security impact by the CentOS
Security Response Team.
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set an authentication policy without
having to recompile programs that handle authentication.
A bug was found in the way PAM's unix_chkpwd helper program validates user
passwords when SELinux is enabled. unix_chkpwd is a privileged helper that
checks a password against the shadow database on behalf of the calling
process. Under normal circumstances it refuses to verify any account other
than the caller's own, so a local non-root user cannot use it to test another
user's password. A patch that adds SELinux support to the helper bypasses
that restriction, making it possible for a local user to mount brute-force
password-guessing attacks against other local user accounts. The Common
Vulnerabilities and Exposures project has assigned the name CVE-2005-2977 to
this issue.
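The decision the helper has to make, and why skipping it turns a setuid
password checker into a guessing oracle, as an added illustration. This is a
simplified model written for this page, not pam's own source: the two
request_allowed_* routines, the plaintext shadow table and the brute_force
driver are all constructed here, and the "vulnerable" routine only mirrors the
behaviour the advisory describes (the owner check is not applied on the
SELinux path).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Simplified model of the access decision unix_chkpwd must make before it
 * reads a shadow entry. The helper runs with privilege so it can read the
 * shadow database for a non-root caller; the rule that keeps it from being
 * a password oracle is: only root, or the user whose own password is being
 * checked, may ask. (Illustration, not pam's code.) */

enum chkpwd_result { CHKPWD_ALLOWED = 0, CHKPWD_DENIED = 1 };

typedef enum chkpwd_result (*decision_fn)(uid_t, const char *, const char *, bool);

/* Hypothetical "before": an SELinux-specific path skips the owner check. */
enum chkpwd_result request_allowed_vulnerable(uid_t caller_uid, const char *caller_name,
                                              const char *target_user, bool selinux_enabled)
{
    if (selinux_enabled)
        return CHKPWD_ALLOWED;  /* weakness: any local user may probe any account */
    if (caller_uid == 0 || strcmp(caller_name, target_user) == 0)
        return CHKPWD_ALLOWED;
    return CHKPWD_DENIED;
}

/* Fixed: the owner check is enforced regardless of SELinux. */
enum chkpwd_result request_allowed_fixed(uid_t caller_uid, const char *caller_name,
                                         const char *target_user, bool selinux_enabled)
{
    (void)selinux_enabled;
    if (caller_uid == 0 || strcmp(caller_name, target_user) == 0)
        return CHKPWD_ALLOWED;
    return CHKPWD_DENIED;
}

/* Constructed stand-in for /etc/shadow: plaintext instead of crypt(3)
 * hashes so the example stays self-contained and needs no -lcrypt. */
struct shadow_entry { const char *user; const char *password; };
static const struct shadow_entry shadow_db[] = {
    { "alice",   "correct horse" },
    { "mallory", "hunter2" },
};

/* What the helper does once a request is allowed: compare the guess with
 * the stored secret for that account. */
static bool password_matches(const char *user, const char *guess)
{
    for (size_t i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].user, user) == 0)
            return strcmp(shadow_db[i].password, guess) == 0;
    return false;
}

/* Drive a guessing run as "caller" against "target" through one of the
 * decision routines. Returns -1 if the helper refuses the request, -2 if
 * every candidate was checked without a hit, otherwise the index of the
 * first candidate that matched. With the owner check in place a non-owner
 * never gets past the first return. */
int brute_force(decision_fn decide, uid_t caller_uid, const char *caller_name,
                const char *target, bool selinux,
                const char *const *candidates, size_t n)
{
    if (decide(caller_uid, caller_name, target, selinux) != CHKPWD_ALLOWED)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (password_matches(target, candidates[i]))
            return (int)i;
    return -2;
}

int main(void)
{
    /* Constructed wordlist; "mallory" (uid 1001) targets "alice". */
    const char *const guesses[] = { "password", "correct horse", "letmein" };
    size_t n = sizeof guesses / sizeof guesses[0];

    printf("vulnerable, SELinux on : %d\n",
           brute_force(request_allowed_vulnerable, 1001, "mallory", "alice", true, guesses, n));
    printf("fixed, SELinux on      : %d\n",
           brute_force(request_allowed_fixed, 1001, "mallory", "alice", true, guesses, n));
    printf("fixed, alice on herself: %d\n",
           brute_force(request_allowed_fixed, 1000, "alice", "alice", true, guesses, n));
    return 0;
}
```

The point of the model is the ordering: the owner check must come before any
read of the shadow entry, and it must not depend on which code path (SELinux
or not) reached it. The same shape applies to any setuid helper that answers
yes/no questions about secrets it can read but its caller cannot.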
All users of pam should upgrade to this updated package, which contains
backported patches to correct this issue.