pam (0.99.7.1-4ubuntu1~ppa1) gutsy; urgency=low

  * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
    - debian/control, debian/local/common-session{,md5sums}: use
      libpam-foreground for session management.
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf.
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
      converting RLIMIT_NICE to the range of values used by the kernel.
      (Originally patch 101; converted to quilt.)
  * Dropped:
    - debian/rules: bashism fixes (merged upstream).
    - debian/control: Conflict on ancient nis (expired with Breezy).
    - debian/libpam-runtime.postinst: check for ancient pam (expired with
      Breezy).
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
      Left out of "series" for now (LP: #113586).
pam (0.99.7.1-4) unstable; urgency=low

  * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
    to fix the library skew, only reloaded; special-case this daemon in the
    postinst and remove the mention of it from the debconf template, also
    tightening the language of the debconf template in the process.
    Closes: #440074.
  * Add courier-authdaemon to the list of services that need to be
    restarted; thanks to Micah Anderson for reporting.
  * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
    garbage lines in /etc/environment and log an error, instead of failing
    with an obscure error; and ignore any PAM_BAD_ITEM values returned by
    pam_putenv(), since this is the expected error return when trying to
    delete a non-existent var. Closes: #439984.
  * Yet another thinko in hurd_no_setfsuid and in
    029_pam_limits_capabilities; this code should really be Hurd-safe at
    last...
  * getline() returns -1 on EOF, not 0; check this appropriately, to fix an
    infinite loop in pam_rhosts_auth. Thanks to Stephan Springl
    <[EMAIL PROTECTED]> for the fix. Closes: #440019.
  * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
    debconf.
  * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
    errors about missing files or files with wrong permissions; these are
    real errors that should not be buried.
  * Drop the remainder of 061_pam_issue_double_free, not required for the
    original bugfix.
  * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
    we define CRACKLIB_DICTS in debian/rules.
  * Drop patch 063_paswd_segv, superseded by a different upstream fix.
  * Split 047_pam_limits_chroot_string_value up between
    008_modules_pam_limits_chroot and 029_pam_limits_capabilites.
  * Updates to patch 007_modules_pam_unix: restore the same built-in min
    password len of 6 that upstream uses; fix a typo panlindrome ->
    palindrome.
  * The 'max=' option was never intended to be used to limit maximum password
    length for users, only to declare what the number of significant
    characters /is/ for a password. But we don't need a config option to tell
    us that, we know the answer based on which crypt type we're using, so drop
    this as a config file option. Closes: #389197.
  * Debconf translations:
    - Spanish, thanks to Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
    - Vietnamese, thanks to Clytie Siddall <[EMAIL PROTECTED]>
    - German, thanks to Sven Joachim <[EMAIL PROTECTED]> (closes: #440355)
    - Czech, thanks to Miroslav Kure <[EMAIL PROTECTED]> (closes: #440362)
    - Portuguese, thanks to Américo Monteiro <[EMAIL PROTECTED]>
      (closes: #440368)

pam (0.99.7.1-3) unstable; urgency=low

  * New patch limits_wrong_strncpy: fix unnecessary manipulations of string
    buffers, including an illegal use of strncpy(). Thanks to Paul Hampson
    for reporting. Closes: #331278.
  * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the
    application, instead of blocking it when misc_conv is in use and
    preventing users from being able to ^C at any PAM prompt. Closes: #1708.
  * 024_debian_cracklib_dict_path: default to NULL instead of a specific
    dictionary path when none is defined for consistency with the new
    upstream version of cracklib, and define our path in debian/rules.
  * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option,
    a prereq for forwarding this patch upstream. Closes: #325974.
  * Create /etc/security/opasswd on new installs or on upgrades from
    0.99.7.1-2 or below, so that users that enable the remember=<n> option
    to pam_unix aren't left unable to change passwords. Closes: #95324.
  * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the
    code from compiling on the Hurd still. Thanks to Michael Banck for the
    catch.
  * Fix a memory leak in the pam_limits capabilities patch: always
    cap_free() the cap_t before returning from pam_sm_open_session().
    Closes: #153157.
  * libpam0g.postinst, libpam0g.templates: on upgrades from versions prior
    to 0.99.7.1-3, restart known PAM-using services so that they get the new
    libpam symbols, since otherwise the newer PAM modules will fail to load.
    Postinst taken from libssl0.9.8; thanks to Christoph Martin for the fine
    example! Closes: #439835.
  * Build-depend on po-debconf to support l10n of the debconf questions from
    the above.

pam (0.99.7.1-2) unstable; urgency=low

  * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz
    for their extensive work in helping to prepare for this update in Debian.
    Closes: #360460.
    - now uses autoconf for library detection, so SELinux should not be
      unconditionally enabled on non-Linux archs. Closes: #333141.
    - pam_mail notice handling has been completely reworked, so there should
      no longer be missing spaces in the messages. Closes: #119689.
    - with libtool and autoconf, now behaves "sensibly" on unknown platforms.
      Closes: #165067.
    - the source now builds without warnings. Closes: #212165.
    - uses automake instead of hand-rolled makefiles with indentation bugs.
      Closes: #241661, #328084.
    - pam_mkhomedir now creates directories recursively as needed.
      Closes: #178225.
    - pam_listfile now supports being used as a session module too.
      Closes: #416665.
    - misspelled pam_userdb log message has been corrected. Closes: #305058.
    - the current pam_strerror manpage no longer mentions "Unknown Linux-PAM
      error". Closes: #220157.
    - the text documentation no longer uses ANSI bold sequences.
      Closes: #181451.
    - pam_localuser now supports being used as a session module.
      Closes: #412484.
    - package no longer fails to build with dash as /bin/sh. Closes: #331208.
    - All modules should now be documented in the system administrator guide.
      Closes: #350620.
    - pam_userdb now logs an error instead of segfaulting when no db= option
      is provided. Closes: #436005.
    - pam_time now warns on a missing tty instead of erroring out, making it
      possible to use the module with non-console services. Closes: #127931.
    - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install
      accordingly
    - bump the shlibs
    - the 'test.c' example no longer exists
    - add /usr/share/locale to libpam-runtime.
    - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an
      arbitrary username, and then only when SELinux is active.
      Closes: #336344.
  * Mark myself as primary maintainer as previously discussed with Sam, and
    add Roger as an uploader.
  * Refactor to use quilt.
  * Update to Standards-Version 3.7.2.
  * Drop unnecessary build-dependency on patch, which is build-essential (and
    no longer invoked directly).
  * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus,
    018_man_fixes, 030_makefile_link_against_libpam,
    037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd,
    050_configure_in_gnu and 052_pam_unix_no_openlog, which have been
    superseded upstream.
  * Drop patches 005_pam_limits_099_6, 012_pam_group_less_restrictive_charset,
    023_pam_env_limits_miscfixes, 048_pam_group_colon_valid_char,
    058_pam_env_enable, 059_pam_userdb_segv, 060_pam_tally_segv and
    062_c++_safe_headers, which have been integrated upstream.
  * Patch 057: SELinux support is merged upstream, leaving only an unrelated
    OOM check for pam_unix_passwd. Rename as 057_pam_unix_passwd_OOM_check.
  * Patches 006, 008, 036: update for the switch from SGML to XML.
  * Patch 007: update for the switch from SGML to XML; drop some log messages
    that were already added upstream; update for the pam_modutil changes;
    tighten the flag handling of the 'obscure' option; drop bogus check in
    unix_chkpwd for null passwords. Also fix a grammar error along the way.
    Closes: #362855.
  * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch
    pam_cracklib.c instead to use the default dictpath already available from
    crack.h; and patch configure.in to use AC_CHECK_HEADERS instead of
    AC_CHECK_HEADER, so crack.h is actually included. Also remove unnecessary
    string copies, which break on the Hurd due to PATH_MAX.
  * Patch 038: partially merged/superseded upstream; also add new Hurd fix
    for pam_xauth.
  * Patch 061: partially merged upstream.
  * Use ${binary:Version} instead of ${Source-Version} in debian/control.
  * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm},
    debian/libpam0g.{postinst,prerm}, and
    debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these
    just fine without our help.
  * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl and w3m
    instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra, groff,
    and opensp.
  * Also build-depend on flex for libfl.a.
  * Updates for documentation handling:
    - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide,
      and invoke dh_installdocs instead of installing these by hand.
    - drop libpam-doc.{postinst,prerm}, which are no longer needed.
    - add an install target to debian/rules, and have binary-indep depend on
      it instead of trying to install doc files individually from the source
      tree
    - consequently, drop libpam-doc.dirs as well which is no longer needed
      and no longer accurate
    - add debian/libpam-doc.install for moving the docs to the right place,
      and also replace libpam-runtime.files with libpam-runtime.install; for
      the moment this means we're using both dh_movefiles and dh_install...
    - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further
      cleaning up debian/rules
  * Drop debian/libpam0g.links, no longer needed because upstream now has a
    working install target which creates the library symlinks
  * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so
    symlinks by hand, no longer provided upstream.
  * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage
    belongs in section 7, not in section 8.
  * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime.
  * debian/patches-applied/autoconf.patch: move all changes to autotools
    generated files into a single patch at the end of the stack.
    - don't touch configure in debian/rules, the quilt patch takes care of
      this for us.
  * New patch 064_pam_unix_cracklib_dictpath: correctly define CRACKLIB_DICTS,
    since this is not defined by configure. Thanks to Jan Christoph Nordholz.
  * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable
    cracklib support in pam_unix. Thanks to Christoph Nordholz.
  * debian/rules:
    - Rename OS_CFLAGS to CFLAGS.
    - kill off references to unused variables
    - make binary-arch also depend on the install target, and streamline the
      rules
    - fix up the clean target to not ignore errors; thanks to Roger Leigh
    - drop the local module_check target in favor of using -Wl,-z,defs in
      LDFLAGS to enforce correct linkage of all objects at build time
  * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage.
  * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally
    for consistency.
  * Update to debhelper V5.
  * Don't ship Makefiles as part of the libpam0g-dev examples.
  * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages:
    put all the manpages in the correct packages. Closes: #411812, #62193,
    #313486, #300773, #330545, #184270.
  * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything
    because we aren't trying to ship empty directories in the packages
  * Build-Conflict with fop, to avoid unreproducible builds of pdf
    documentation from a tool in contrib.
  * libpam-cracklib should depend on a real wordlist package, per policy; use
    wamerican as the default.
  * Drop local/pam-undocumented.7 from the package, since we no longer have a
    reason to ship it
  * Add lintian overrides for known false-positives
  * Conflicts/Replaces/Provides libpam-umask, now included upstream.
    Closes: #436222.
  * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms
    by hand in debian/rules. In the process, unix_chkpwd is now writable by
    the owner, as expected by policy. Closes: #368100.
  * Migrate from db4.3 to db4.6; once again, no administrator action should
    be needed for upgrading on-disk database formats. Closes: #354309.
  * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to
    Laurent Bigonville for the hint. Closes: #439038.
  * Add a watch file for use with uscan; thanks to Laurent Bigonville for
    this patch as well. Closes: #439040.
  * Rewrite of 031_pam_include, fixing a memory leak and letting us drop
    patch 056_no_label_at_end; thanks to Jan Christoph Nordholz
    <[EMAIL PROTECTED]> for this much-improved version!
  * New patch no_pthread_mutexes: don't use pthread mutexes in pam_modutil
    functions, they're not needed because pam handles themselves should not
    be used concurrently by multiple threads and using pthreads causes
    problems for portable linking.
  * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around
    using setreuid instead.

 -- Kees Cook <[EMAIL PROTECTED]>  Wed, 05 Sep 2007 15:18:36 -0700

** Changed in: pam (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2977

-- 
Consider setting more restrictive default resource limits
https://bugs.launchpad.net/bugs/14505

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
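The ubuntu-rlimit_nice_correction item in the Ubuntu entry above (bound RLIMIT_NICE from below and above, and fix an off-by-one when converting to the kernel's encoding) shown as working C. This is an added example, not code from the pam package or from the Ubuntu patch; it assumes only the rule documented in setrlimit(2) that the lowest nice value a process may set is 20 - rlim_cur, and the function names are the example's own.

```c
/* Added example, not code from the pam package or the Ubuntu patch: the
 * RLIMIT_NICE arithmetic behind ubuntu-rlimit_nice_correction. Linux
 * (setrlimit(2)) lets a process set nice values >= 20 - rlim_cur, so the
 * useful encoding is 1 (nice 19) .. 40 (nice -20); 0 forbids any raise. */
#include <stdio.h>
#include <sys/resource.h>

#define NICE_MIN (-20)
#define NICE_MAX 19
#define NICE_RLIM_MAX 40

/* Encode the lowest permitted nice value as RLIMIT_NICE, bounding the
 * input from below and from above first. */
rlim_t nice_to_rlimit(long nice_floor)
{
    if (nice_floor < NICE_MIN) nice_floor = NICE_MIN;
    if (nice_floor > NICE_MAX) nice_floor = NICE_MAX;
    return (rlim_t)(20 - nice_floor);          /* -20 -> 40, 19 -> 1 */
}

/* Inverse: the lowest nice value an RLIMIT_NICE value allows. A result of
 * 20 (rlim 0) lies outside the nice range: no raise at all. */
long rlimit_to_nice(rlim_t rl)
{
    if (rl > NICE_RLIM_MAX) rl = NICE_RLIM_MAX;
    return 20 - (long)rl;
}

/* Kernel check for raising priority: allowed iff nice >= 20 - rlim_cur.
 * Nice -10 needs rlim 30 exactly; an off-by-one shifts every boundary. */
int nice_permitted(long nice, rlim_t rl)
{
    return nice >= rlimit_to_nice(rl);
}

/* Apply a nice floor to the calling process (soft and hard limit alike). */
int set_nice_floor(long nice_floor)
{
    struct rlimit rl;
    rl.rlim_cur = rl.rlim_max = nice_to_rlimit(nice_floor);
    return setrlimit(RLIMIT_NICE, &rl);         /* Linux-specific resource */
}

int main(void)
{
    for (long n = NICE_MIN; n <= NICE_MAX; n += 13)
        printf("nice floor %3ld -> RLIMIT_NICE %2lu -> back to %3ld\n", n,
               (unsigned long)nice_to_rlimit(n), rlimit_to_nice(nice_to_rlimit(n)));
    return 0;
}
```

Raising rlim_max above the current hard limit needs CAP_SYS_RESOURCE, so set_nice_floor() normally succeeds only from a privileged session-setup context such as pam_limits.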