Bluequartz PAM

In March of 2008 I also notified the Bluequartz users list about the Bluequartz PAM (Pluggable Authentication Module), a security tool which provides authentication for applications. In other words, it is the software that handles login for programs like Dovecot, Proftpd, OpenSSH, and anything else that uses a username and password. The Bluequartz PAM software package was last updated on September 9, 2006. No other updates have followed from the Bluequartz users list.

In 2007 the Bluequartz based version of PAM acquired several bugs that needed to be patched, in some cases for security reasons. The Bluequartz build of PAM was vulnerable to CVE-2007-1716, where pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges, and to CVE-2007-3102, among other bugs. The Bluequartz PAM module also allowed authentication based on a truncated MD5 password in the system files, which would allow a user to authenticate with passwords different from the actual user's password. Additional information can be found at the Red Hat site located here.

The bqforge.com version for the Bluequartz CentOS 4 based systems includes fixes for these problems as well as multiple other bugs, specifically Red Hat bug numbers 228044, 228980, and 232407.
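One way to audit a shadow-format file for the truncated MD5 entries mentioned above, as an added example that is not Bluequartz or bqforge.com code. It assumes the standard md5-crypt layout (`$1$`, a salt of up to 8 characters, `$`, a 22-character digest); the function name `audit_shadow` and the sample lines are constructed for illustration.

```python
import re
import sys

# md5-crypt field: $1$ + salt (1-8 chars) + $ + 22-char digest,
# all drawn from the crypt alphabet ./0-9A-Za-z
B64 = r"[./0-9A-Za-z]"
MD5_FULL = re.compile(r"^\$1\$" + B64 + r"{1,8}\$" + B64 + r"{22}$")

# Constructed sample lines (not real hashes), in /etc/shadow field order.
SAMPLE = [
    "root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:13500:0:99999:7:::",
    "alice:$1$abcdefgh$ABCDEFGHIJ:13500:0:99999:7:::",
    "bob:!!:13500:0:99999:7:::",
    "carol:!$1$abcdefgh:13500:0:99999:7:::",
]


def audit_shadow(lines):
    """Return [(user, reason)] for md5-crypt entries that are not well formed."""
    findings = []
    for raw in lines:
        fields = raw.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        # A leading "!" only marks the account as locked; check the hash anyway.
        user, pw = fields[0], fields[1].lstrip("!")
        if not pw.startswith("$1$") or MD5_FULL.match(pw):
            continue  # other scheme, empty/locked field, or a complete entry
        parts = pw.split("$")  # ['', '1', salt, digest]
        if len(parts) < 4:
            reason = "md5-crypt entry has no digest"
        elif len(parts[3]) < 22:
            reason = "md5-crypt digest truncated to %d of 22 chars" % len(parts[3])
        else:
            reason = "md5-crypt entry malformed"
        findings.append((user, reason))
    return findings


if __name__ == "__main__":
    # Pass a shadow-format file as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            entries = fh.readlines()
    else:
        entries = SAMPLE
    for user, reason in audit_shadow(entries):
        print("%s: %s" % (user, reason))
```

The check inspects only the stored entries; whether the installed PAM build accepts them is determined by the package version.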