Change logs for “pam” source package in Natty

  • pam (1.1.2-2ubuntu8.4) natty-security; urgency=low
    
      * SECURITY UPDATE: possible code execution via incorrect environment file
        parsing (LP: #874469)
        - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
          whitespace when parsing environment file in modules/pam_env/pam_env.c.
        - CVE-2011-3148
      * SECURITY UPDATE: denial of service via overflowed environment variable
        expansion (LP: #874565)
        - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
          with PAM_BUF_ERR in modules/pam_env/pam_env.c.
        - CVE-2011-3149
      * SECURITY UPDATE: code execution via incorrect environment cleaning
        - debian/patches-applied/update-motd: updated to use clean environment
          and absolute paths in modules/pam_motd/pam_motd.c.
        - CVE-2011-XXXX
     -- Marc Deslauriers <email address hidden>   Tue, 18 Oct 2011 10:03:44 -0400
  • pam (1.1.2-2ubuntu8.3) natty-security; urgency=low
    
      * SECURITY REGRESSION:
        - debian/patches/security-dropprivs.patch: updated patch to preserve
          ABI and prevent daemons from needing to be restarted. (LP: #790538)
        - debian/patches/autoconf.patch: refreshed
     -- Marc Deslauriers <email address hidden>   Tue, 31 May 2011 05:48:25 -0400
  • pam (1.1.2-2ubuntu8.2) natty-security; urgency=low
    
      * SECURITY UPDATE: multiple issues with lack of adequate privilege
        dropping
        - debian/patches/security-dropprivs.patch: introduce new privilege
          dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
          libpam/include/security/pam_modutil.h, libpam/libpam.map,
          modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
          modules/pam_xauth/pam_xauth.c.
        - CVE-2010-3430
        - CVE-2010-3431
        - CVE-2010-3435
        - CVE-2010-4706
        - CVE-2010-4707
      * SECURITY UPDATE: privilege escalation via incorrect environment
        - debian/patches/CVE-2010-3853.patch: use clean environment in
          modules/pam_namespace/pam_namespace.c.
        - CVE-2010-3853
      * debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
        isn't needed for Ubuntu, and it needs to be rewritten to work with the
        massive privilege refactoring in the security patches.
     -- Marc Deslauriers <email address hidden>   Thu, 19 May 2011 08:40:22 -0400
  • pam (1.1.2-2ubuntu8.1) natty-proposed; urgency=low
    
      * debian/patches-applied/update-motd: sanitize the environment before
        calling run-parts, LP: #610125
     -- Dustin Kirkland <email address hidden>   Wed, 27 Apr 2011 13:02:15 -0500
  • pam (1.1.2-2ubuntu8) natty; urgency=low
    
      * Check if gdm is actually running before trying to reload it. (LP: #745532)
     -- Stephane Graber <email address hidden>   Mon, 11 Apr 2011 21:57:36 -0400
  • pam (1.1.2-2ubuntu7) natty; urgency=low
    
      * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
        bump the hard limit for number of file descriptors, to keep pace with
        the changes in the kernel.  Fortunately this shadowing should all go
        away next cycle when we can start to grab defaults directly from /proc.
        LP: #663090
     -- Steve Langasek <email address hidden>   Tue, 05 Apr 2011 13:02:02 -0700
  • pam (1.1.2-2ubuntu6) natty; urgency=low
    
      * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
        keeps libpam loaded persistently at runtime, so it's not necessary to
        force a kdm restart on ABI bump.  Which is good, since restarting kdm
        now seems to also log users out of running sessions, which we rather
        want to avoid.  LP: #744944.
     -- Steve Langasek <email address hidden>   Tue, 29 Mar 2011 13:16:26 -0700
  • pam (1.1.2-2ubuntu5) natty; urgency=low
    
      * Force a service restart on upgrade to the new libpam0g, to ensure
        servers don't fail to find the pam modules in the new paths.
      * libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
        for the same reason.
     -- Steve Langasek <email address hidden>   Tue, 22 Mar 2011 02:19:51 -0700
  • pam (1.1.2-2ubuntu4) natty; urgency=low
    
      * Build for multiarch; FFe LP: #733501.
      * Split our executables out of libpam-modules into a new package,
        libpam-modules-bin, so that modules can be co-installable between
        architectures.
      * New patch, lib_security_multiarch_compat, which lets us reuse the
        upstream --enable-isadir functionality to support a true path for module
        lookups; this way we don't have to force a hard transition to multiarch,
        but can support resolving modules in both the multiarch and
        non-multiarch directories.
      * Build-Depend on the multiarchified debhelper.
      * Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support.
     -- Steve Langasek <email address hidden>   Fri, 18 Mar 2011 00:12:26 -0700
  • pam (1.1.2-2ubuntu3) natty; urgency=low
    
      * Er, but let's get this patch applying cleanly.
     -- Steve Langasek <email address hidden>   Mon, 21 Feb 2011 16:10:11 -0800
  • pam (1.1.2-2ubuntu2) natty; urgency=low
    
      * debian/patches/update-motd-manpage-ref: patch the manpage too, not just
        the xml source.
     -- Steve Langasek <email address hidden>   Mon, 21 Feb 2011 15:47:27 -0800
  • pam (1.1.2-2ubuntu1) natty; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
          not present there or in /etc/security/pam_env.conf. (should send to
          Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent
          showing it again.
        - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
          for update-motd, with some best practices and notes of explanation.
        - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
          to update-motd(5)
    
    pam (1.1.2-2) unstable; urgency=low
    
      * debian/patches-applied/hurd_no_setfsuid: handle some new calls to
        setfsuid in pam_xauth that I overlooked, so that the build works again
        on non-Linux.  Closes: #613630.
    
    pam (1.1.2-1) unstable; urgency=low
    
      * New upstream release.
        - Add support for NSS groups to pam_group.  Closes: #589019,
          LP: #297408.
        - Support cross-building the package.  Thanks to Neil Williams
          <email address hidden> for the patch.  Closes: #284854.
      * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit
        interface.  Closes: #579402.
      * Drop patches conditional_module,_conditional_man and
        mkhomedir_linking.patch, which are included upstream.
      * debian/patches/hurd_no_setfsuid: pam_env and pam_mail now also use
        setfsuid, so patch them to be likewise Hurd-safe.
      * Update debian/source.lintian-overrides to clean up some spurious
        warnings.
      * debian/libpam-modules.postinst: if any 'min=n' options are found in
        /etc/pam.d/common-password, convert them on upgrade to 'minlen=n' for
        compatibility with upstream.
      * debian/NEWS: document the disappearance of 'min=n', in case users have
        encoded this option elsewhere outside of /etc/pam.d/common-password.
      * debian/patches/007_modules_pam_unix: drop compatibility handling of
        'max=' no-op; use of this option will now log an error, as warned three
        years ago.
      * Bump Standards-Version to 3.9.1.
      * Add lintian overrides for a few more spurious warnings.
      * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for
        compatibility when it's not already set.  Closes: #552043.
      * debian/local/pam-auth-update: Don't try to pass embedded newlines to
        debconf; backslash-escape them instead and use CAPB escape.
      * debian/local/pam-auth-update: sort additional module options before
        writing them out, so that we don't wind up with a different config file
        on every invocation.  Thanks to Jim Paris <email address hidden> for the patch.
        Closes: #594123.
      * debian/libpam-runtime.{postinst,templates}: since 1.1.2-1 is targeted
        for post-squeeze, we don't need to support upgrades from 1.0.1-6 to
        1.0.1-10 anymore.  Drop the debconf error note about having configured
        your system with a lack of authentication, so that translators don't
        spend any more time on it.
      * Updated debconf translations:
        - Swedish, thanks to Martin Bagge <email address hidden> (closes: #575875)
    
    pam (1.1.1-7) UNRELEASED; urgency=low
    
      * Updated debconf translations:
        - Italian, thanks to Nicole B. <email address hidden> (closes: #602112)
     -- Steve Langasek <email address hidden>   Thu, 17 Feb 2011 16:15:47 -0800
  • pam (1.1.1-6.1ubuntu1) natty; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
          not present there or in /etc/security/pam_env.conf. (should send to
          Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent
          showing it again.
        - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
          for update-motd, with some best practices and notes of explanation.
        - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
          to update-motd(5)
      * Dropped changes:
        - libpam-modules depend on base-files (>= 5.0.0ubuntu6): 5.0.0ubuntu20
          is in 10.04 LTS and this is an essential package, so no more need for
          the versioned dependency.
     -- Steve Langasek <email address hidden>   Tue, 15 Feb 2011 23:36:47 -0800
  • pam (1.1.1-4ubuntu2) maverick-security; urgency=low
    
      * SECURITY UPDATE: root privilege escalation via symlink following.
        - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
        - CVE-2010-0832
     -- Kees Cook <email address hidden>   Mon, 25 Oct 2010 06:40:32 -0700
  • pam (1.1.1-4ubuntu1) maverick; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
          not present there or in /etc/security/pam_env.conf. (should send to
          Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent
          showing it again.
        - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
          for update-motd, with some best practices and notes of explanation.
        - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
          to update-motd(5)
     -- Steve Langasek <email address hidden>   Mon, 16 Aug 2010 19:12:35 -0700