Change logs for pam source package in Karmic

  • pam (1.1.0-2ubuntu1.1) karmic-security; urgency=low
    
      * SECURITY UPDATE: root privilege escalation via symlink following.
        - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
        - CVE-2010-0832
     -- Kees Cook <email address hidden>   Wed, 07 Jul 2010 10:55:09 -0700
  • pam (1.1.0-2ubuntu1) karmic; urgency=low
    
      * Merge from Debian, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
          present there or in /etc/security/pam_env.conf. (should send to Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
          module option 'missingok' which will suppress logging of errors by
          libpam if the module is not found.
        - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
          password on bad username.
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent showing
          it again.
        - debian/local/common-{auth,account,password}.md5sums: include the
          Ubuntu-specific intrepid,jaunty md5sums for use during the
          common-session-noninteractive upgrade.
      * Changes merged in Debian:
        - debian/local/common-password, debian/pam-configs/unix: switch from
          "md5" to "sha512" as password crypt default.
    
    pam (1.1.0-2) unstable; urgency=low
    
      [ Steve Langasek ]
      * debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch
        to call setregid() instead of always returning an error on username
        mismatch in unix_chkpwd, needed in the SELinux case and in some corner
        cases with the broken_shadow option.  Thanks to Michael Spang for the
        analysis.  Closes: #543589.
      * fix the PAM mini-policy to not tell app maintainers that they don't need
        to depend on libpam-modules if they reference modules from there.
      * make libpam-runtime depend on libpam-modules (>= 1.0.1-6) - nothing else
        guarantees that we have pam_unix available for use by pam-auth-update.
      * Use /bin/sh instead of /bin/bash for libpam0g.postinst, since we've
        confirmed there are no longer any bashisms there.  Closes: #519973.
      * Clean up the libpam0g postinst a bit; invoke-rc.d has been a guaranteed
        interface for two stable release cycles now
      * debian/patches/namespace_with_awk_not_gawk: fix the sample
        namespace.init script's dependency on non-POSIX features of gawk, since
        we don't use gawk by default.  Closes: #518908.
      * Updated debconf translations:
        - German, thanks to Sven Joachim <email address hidden> (closes: #544464)
    
      [ Kees Cook ]
      * debian/local/common-password, debian/pam-configs/unix: switch from "md5"
        to "sha512" as password crypt default.
    
     -- Steve Langasek <email address hidden>   Fri, 04 Sep 2009 01:11:48 -0700
  • pam (1.1.0-1ubuntu1) karmic; urgency=low
    
      * Merge from Debian, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
          present there or in /etc/security/pam_env.conf. (should send to Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
          module option 'missingok' which will suppress logging of errors by
          libpam if the module is not found.
        - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
          password on bad username.
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - debian/local/common-password, debian/pam-configs/unix: switch from
          "md5" to "sha512" as password crypt default.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent showing
          it again.
        - debian/local/common-{auth,account,password}.md5sums: include the
          Ubuntu-specific intrepid,jaunty md5sums for use during the
          common-session-noninteractive upgrade.
      * Dropped changes, superseded upstream:
        - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
          type rather than __u8.
        - debian/patches-applied/ubuntu-user_defined_environment: Look at
          ~/.pam_environment too, with the same format as
          /etc/security/pam_env.conf.
    
    pam (1.1.0-1) unstable; urgency=low
    
      * New upstream version.
        - pam_access no longer does DNS lookups when we know we're comparing
          with a tty name or a service name.  Closes: #376209.
        - fixes for manpage spelling.  Closes: #488690.
        - fix evaluation of or'ed list of users in time.conf and group.conf.
          Closes: #326407, #514423.
      * Drop patches pam_unix_thread-safe_save_old_password.patch,
        pam_env_ignore_garbage.patch, dont_freeze_password_chain,
        pam_1.0.4_mindays, pam_mail-fix-quiet, pam_unix-chkpwd-wait, and
        cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
      * Trim pam.d-manpage-section patch, which was mostly but not completely
        applied upstream.
      * Update debian/libpam0g.symbols for new extension.
      * Bump the shlibs version as well, for our dpkg-shlibdeps fallback.
      * And bump the version checks in the libpam-modules {pre,post}inst, so that
        the necessary services get restarted for any modules that need the new
        symbols.
      * Add /sbin/mkhomedir_helper to libpam-modules.
      * Document that pam_cracklib no longer checks /etc/security/opasswd.
        Closes: #263767.
      * debian/patches/007_modules_pam_unix: drop divergence from upstream
        that treats "0" as a special value in various fields in /etc/shadow,
        and document this in debian/NEWS.  Thanks to Nicolas François
        <email address hidden> for the detailed analysis.
        Closes: #308229.
      * Updated debconf translations:
        - French, thanks to Jean-Baka Domelevo Entfellner <email address hidden>
          (closes: #521266)
      * Build with LDFLAGS=-Wl,-z,defs to guard against the possibility of
        any undefined symbols (due to typos or otherwise) at build time.
        Closes: #10231.
      * On upgrade from versions before 1.1.0-1, if
        /etc/pam.d/common-session-noninteractive has not been created (because
        the user declined use of pam-auth-update), create it by copying
        /etc/pam.d/common-session.  Closes: #543401.
      * debian/patches/fix-man-crud: new patch, fix "undefined macro" errors in
        manpages caused by oddities of toolchain used when generating them
        upstream.
    
     -- Steve Langasek <email address hidden>   Wed, 26 Aug 2009 00:40:14 -0700
  • pam (1.0.1-11ubuntu1) karmic; urgency=low
    
      * Merge from Debian, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
          present there or in /etc/security/pam_env.conf. (should send to Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
          type rather than __u8.
        - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
          module option 'missingok' which will suppress logging of errors by
          libpam if the module is not found.
        - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
          password on bad username.
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - debian/patches-applied/ubuntu-user_defined_environment: Look at
          ~/.pam_environment too, with the same format as
          /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - debian/local/common-password, debian/pam-configs/unix: switch from
          "md5" to "sha512" as password crypt default.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent showing
          it again.
      * debian/local/pam-auth-update: prune some more md5sums from intrepid
        pre-release versions, reducing the Ubuntu delta some
      * debian/local/common-{auth,account,password}.md5sums: include the
        Ubuntu-specific intrepid,jaunty md5sums for use during the
        common-session-noninteractive upgrade.
    
    pam (1.0.1-11) unstable; urgency=low
    
      * debian/libpam-runtime.postinst: bump the --force version check to
        1.0.1-11, to allow for a new common-session-noninteractive config file;
        and include md5sum checking logic that will work the same with old
        unmanaged and new managed /etc/pam.d/common-* files.
      * debian/local/common-{auth,account,session,password}.md5sums: document
        the known md5sums for the new managed files.
      * debian/local/common-session-noninteractive{,.md5sums},
        debian/local/pam-auth-update: split out a session-noninteractive include
        file, so that we can at last distinguish between interactive and
        non-interactive PAM sessions at a policy level.  Closes: #169930,
        LP: #287715.
      * debian/local/pam-auth-update: prune md5sums for unsupported upgrade
        paths (intrepid pre-release -> karmic/squeeze)
      * Clean up the PAM mini-policy, which hasn't been touched in a number of
        years and was looking a bit crufty
      * debian/libpam-runtime.templates:  correctly tag the URL as a
        non-translatable string.
      * Updated debconf translations:
        - Swedish, thanks to Martin Bagge <email address hidden> (closes: #541399)
        - Portuguese, thanks to Américo Monteiro <email address hidden>
          (closes: #541108)
        - Russian, thanks to Yuri Kozlov <email address hidden> (closes: #541094)
    
     -- Steve Langasek <email address hidden>   Sun, 23 Aug 2009 20:14:58 -0700
  • pam (1.0.1-10ubuntu1) karmic; urgency=low
    
      * Merge from Debian, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
          present there or in /etc/security/pam_env.conf. (should send to Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
          type rather than __u8.
        - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
          module option 'missingok' which will suppress logging of errors by
          libpam if the module is not found.
        - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
          password on bad username.
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - debian/patches-applied/ubuntu-user_defined_environment: Look at
          ~/.pam_environment too, with the same format as
          /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - debian/local/common-password, debian/pam-configs/unix: switch from
          "md5" to "sha512" as password crypt default.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent showing
          it again.
    
    pam (1.0.1-10) unstable; urgency=high
    
      [ Steve Langasek ]
      * Updated debconf translations:
        - Finnish, thanks to Esko Arajärvi <email address hidden> (closes: #520785)
        - Russian, thanks to Yuri Kozlov <email address hidden> (closes: #521874)
        - German, thanks to Sven Joachim <email address hidden> (closes: #521530)
        - Basque, thanks to Piarres Beobide <email address hidden>
          (closes: #524285)
      * When no profiles are chosen in pam-auth-update, throw an error message
        and prompt again instead of letting the user end up with an insecure
        system.  This introduces a new debconf template.  Closes: #519927,
        LP: #410171.
    
      [ Kees Cook ]
      * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes
        for MINDAYS-Field regression (closes: #514437).
      * debian/control: add missing misc:Depends for packages that need it.
    
      [ Sam Hartman ]
      * Remove conflicts information for transitions prior to woody release
      * Fix lintian overrides for libpam-runtime
      * Overrides for lintian finding quilt patches
      * pam_mail-fix-quiet: patch from Andreas Henriksson
        applied upstream to fix quiet option of pam_mail, Closes: #439268
    
      [ Dustin Kirkland ]
      * debian/patches/update-motd: run the update-motd scripts in pam_motd;
        render update-motd obsolete, LP: #399071
    
      [ Sam Hartman ]
      * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
        (CVE-2009-0887) (Closes: #520115)
    
     -- Steve Langasek <email address hidden>   Fri, 07 Aug 2009 09:50:02 +0100
  • pam (1.0.1-9ubuntu3) karmic; urgency=low
    
      * Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
        run-parts does the right thing in /etc/update-motd.d.
    
     -- Steve Langasek <email address hidden>   Wed, 15 Jul 2009 23:55:50 -0700
  • pam (1.0.1-9ubuntu2) karmic; urgency=low
    
      [ Dustin Kirkland ]
      * debian/patches/update-motd: run the update-motd scripts in pam_motd;
        render update-motd obsolete, LP: #399071
      * debian/patches-applied/pam_motd-legal-notice: display the contents of
        /etc/legal once, then set a flag in the user's homedir to prevent showing
        it again.
    
     -- Steve Langasek <email address hidden>   Wed, 15 Jul 2009 20:41:52 -0700
  • pam (1.0.1-9ubuntu1) jaunty; urgency=low
    
      * Merge from Debian unstable
      * Remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
          present there or in /etc/security/pam_env.conf. (should send to Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
          type rather than __u8.
        - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
          module option 'missingok' which will suppress logging of errors by
          libpam if the module is not found.
        - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
          password on bad username.
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - debian/patches-applied/ubuntu-user_defined_environment: Look at
          ~/.pam_environment too, with the same format as
          /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - debian/local/common-password, debian/pam-configs/unix: switch from
          "md5" to "sha512" as password crypt default.
    
    pam (1.0.1-9) unstable; urgency=low
    
      * Move the pam module packages to section 'admin'.
      * 027_pam_limits_better_init_allow_explicit_root: defaults need to be
        declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise
        global limits will fail to be applied.  LP: #314222.
    
    pam (1.0.1-8) unstable; urgency=low
    
      * Updated debconf translations:
        - Bulgarian, thanks to Damyan Ivanov <email address hidden> (closes: #518121)
        - Spanish, thanks to Javier Fernandez-Sanguino Peña <email address hidden>
          (closes: #518214)
        - Swedish, thanks to Martin Bagge <email address hidden> (closes: #518324)
        - Vietnamese, thanks to Clytie Siddall <email address hidden>
          (closes: #518329)
        - Japanese, thanks to Kenshi Muto <email address hidden> (closes: #518335)
        - Slovak, thanks to Ivan Masár <email address hidden> (closes: #518341)
        - Czech, thanks to Miroslav Kure <email address hidden> (closes: #518992)
        - Portuguese, thanks to Américo Monteiro <email address hidden>
          (closes: #519204)
        - Galician, thanks to Marce Villarino <email address hidden>
          (closes: #519447)
        - Romanian, thanks to Eddy Petrișor <email address hidden>
          (closes: #520552)
      * 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK
        limit correctly to match the kernel default, which is not RLIM_INFINITY.
        Closes: #472629.
    
     -- Steve Langasek <email address hidden>   Fri, 20 Mar 2009 19:12:10 -0700