[Bug 460950] [NEW] Old password is still valid after password change

Anuradha Ratnaweera anuradha at taprobane.org
Mon Oct 26 09:56:06 UTC 2009


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: libpam-ccreds


This is partly related to #294977.

- User logs in, ccreds caches the "old password"
- User changes the password
- Then the user goes offline without logging in again

This scenario leaves the old password valid when offline, and the new
password invalid.

Should this be reported upstream?  Or can libpam-ccreds be used in
common-password to "store" the password on success?

As also pointed out in #294977, this is a security issue if the old
password has been compromised.

** Affects: libpam-ccreds (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Old password is still valid after password change
https://bugs.launchpad.net/bugs/460950
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
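
Added example, not part of the original report and not libpam-ccreds code: a simplified Python model that replays the three steps above against an offline credential cache. The names Directory, CachedLogin and store_on_change are hypothetical, and store_on_change models the reporter's suggestion of storing the password on a successful change.

```python
# Simplified model of an offline credential cache; all names and values are constructed.
import hashlib, hmac, os

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Directory:
    """Stand-in for the remote authentication service."""
    def __init__(self):
        self.passwords, self.online = {}, True
    def check(self, user, password):
        if not self.online:
            raise ConnectionError("directory unreachable")
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class CachedLogin:
    def __init__(self, directory, store_on_change):
        self.directory, self.store_on_change = directory, store_on_change
        self.cache = {}  # user -> (salt, derived key)
    def _store(self, user, password):
        salt = os.urandom(16)
        self.cache[user] = (salt, derive(password, salt))
    def login(self, user, password):
        try:
            ok = self.directory.check(user, password)
        except ConnectionError:  # offline: only the cached verifier can decide
            entry = self.cache.get(user)
            return entry is not None and hmac.compare_digest(entry[1], derive(password, entry[0]))
        if ok:
            self._store(user, password)  # cache is refreshed on online login only
        return ok
    def change_password(self, user, old, new):
        if not self.directory.check(user, old):
            return False
        self.directory.passwords[user] = new
        if self.store_on_change:
            self._store(user, new)  # proposed fix: replace the stale entry
        return True

def scenario(store_on_change):
    """Replay the three steps; return (old accepted offline, new accepted offline)."""
    d = Directory()
    d.passwords["alice"] = "old-pw"
    host = CachedLogin(d, store_on_change)
    host.login("alice", "old-pw")                      # 1. login caches the old password
    host.change_password("alice", "old-pw", "new-pw")  # 2. user changes the password
    d.online = False                                   # 3. offline without logging in again
    return host.login("alice", "old-pw"), host.login("alice", "new-pw")
```

scenario(False) reproduces the reported behaviour, and scenario(True) shows the cache following the password change.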