Patch-ID# 104818-02
Keywords: security y2000 tm_year libauth keylogin expire pam_pwmgt.so.1 sprintf
Synopsis: SunOS 5.5.1: /usr/bin/passwd and pam patch
Date: Nov/02/2001

Solaris Release: 2.5.1

SunOS Release: 5.5.1

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 104819

Topic: SunOS 5.5.1: /usr/bin/passwd and pam patch

Relevant Architectures: sparc

BugId's fixed with this patch: 1198961 1235379 1236638 1253949 1264840 4010565 4018347 4024446 4030217 4112707 4157655 4159986 4188723

Changes incorporated in this version: 4112707

Patches accumulated and obsoleted by this patch: 104433-09 106563-04

Patches which conflict with this patch: iss_sparc-01 (or newer)

Patches required with this patch: 103640-37 or greater

Obsoleted by:

Files included with this patch:

/etc/lib/pam_authen.so.1
/etc/lib/pam_entry.so.1
/etc/lib/pam_pwmgt.so.1
/usr/bin/nispasswd
/usr/bin/passwd
/usr/bin/yppasswd
/usr/lib/libauth.a
/usr/lib/libauth.so.1
/usr/lib/security/pam_authen.so.1
/usr/lib/security/pam_entry.so.1
/usr/lib/security/pam_pwmgt.so.1

Problem Description:

4112707 `passwd -f ` : A user can bypass being forced to change their passwd

(from 104818-01)

1264840 passwd command does not handle the year 2000

(from 106563-04)

        Repackage 106563-03 to remove rev-02 patch which has been backed out

(from 106563-03)

4188723 after installing 104433-09 the customer is unable to change local passwords

(from 106563-02)

        Removed 1199044 Password does not decrypt secret key message after chosing new password

(from 106563-01)

4157655 Two buffer overflows exist in libauth

(from 104433-09)

4159986 [5.5.1 pam/NIS+] passwd can't read pw field when pw tbl perms are tight (CERT)

(from 104433-08)

1253949 In Solaris NIS, root must know user's old passwd

(from 104433-07)

1236638 *passwd* shadow file occasionally gets deleted in large user environment

(from 104433-06)

1235379 nispasswd -D domain user fails.

(from 104433-05)

4010565 su can be interrupted by and not logged in /var/adm/log

(from 104433-04)

4030217 sa_get_authtokattr() error message prints /100 for /00 in year 2000
1198961 password expected by keylogin incorrect after password change forced by expire

        The complete fix for bug 1198961 requires bugfix 1206421
        (found in patch 103612-27 or higher).

(from 104433-03)

4024446 RFE to have login and ypasswd deal with NIS passwd aging as impl by other vendor

(from 104433-02)

4018347 pam security problem

(from 104433-01)

1198961 password expected by keylogin incorrect after password change forced by expire

        Once the password has expired, the user has to enter a new passwd.
        After the new passwd has been entered, the keylogin process fails.
        This patch will perform the sa_establish_key() automatically.

Patch Installation Instructions:
--------------------------------

Refer to the Install.info file within the patch for instructions on
using the generic 'installpatch' and 'backoutpatch' scripts provided
with each patch. Any other special or non-generic installation
instructions should be described below.

Special Install Instructions:

NOTE: To get the complete fix for bug 1253949 (In Solaris NIS, root must
      know user's old passwd), one must have the NSKit 1.2 patch
      103053-05 (or newer).

README -- Last modified date: Friday, November 2, 2001