Impact
Any configuration on any maddy version <0.5.4 using auth.pam is affected.
No password expiry or account expiry checking is done when authenticating using PAM.
Patches
Patch is available as part of the 0.5.4 release.
Workarounds
If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.
It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).
References
For more information
If you have any questions or comments about this advisory:
Impact
Any configuration on any maddy version <0.5.4 using auth.pam is affected.
No password expiry or account expiry checking is done when authenticating using PAM.
Patches
Patch is available as part of the 0.5.4 release.
Workarounds
If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.
It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).
References
For more information
If you have any questions or comments about this advisory: