Christian Biere wrote:
> >Synopsis:       login might not back-off as expected
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       low

This would have to be changed to "login might sleep forever" and I'd
rate this rather "serious" although it wouldn't happen with the default
settings.
 
> Due to a hardcoded value in the back-off time calculation code the 
> time to back-off can become negative. As this value is (automatically)
> casted to an unsigned int, sleep() is called with a pretty uge value.
> As this exceeds 1000000000 sleep returns immediately.

This was a bug in the kernel which has been fixed meanwhile. So this
negative value will really cause login to sleep for a *very* long time
if you enter a wrong password.

-- 
Christian