New util-linux packages are available that fix a problem with /bin/login's PAM implementation. This could, in some non-default setups, cause users to receive credentials of other users. It is recommended that all users update to the fixed packages. 2001-10-22: Packages are now available for Red Hat Linux 7.2. Notably, these packages also fix the problem noted in RHSA-2001:095-04 (vipw incorrectly setting permissions on some files) - this bug was accidentally reintroduced in Red Hat Linux 7.2.
A problem existed in /bin/login's PAM implementation; it stored the value of a static pwent buffer across PAM calls; when used with some PAM modules in non-default configuration (such as pam_limits), it would overwrite the buffer, causing a user to get credentials of another user. Thanks go to Tarhon-Onu Victor <email@example.com> for bringing the problem to our attention, and to Olaf Kirch <firstname.lastname@example.org> for providing the patch.