pam (1.1.3-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: possible code execution via incorrect environment file
    parsing (LP: #874469)
    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
      whitespace when parsing environment file in modules/pam_env/pam_env.c.
    - CVE-2011-3148
  * SECURITY UPDATE: denial of service via overflowed environment variable
    expansion (LP: #874565)
    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
      with PAM_BUF_ERR in modules/pam_env/pam_env.c.
    - CVE-2011-3149
  * SECURITY UPDATE: code execution via incorrect environment cleaning
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
    - CVE-2011-XXXX

 -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2011 09:33:47 -0400

pam (1.1.3-2ubuntu2) oneiric-proposed; urgency=low

  * No-change rebuild to regenerate compressed manpages, which for some
    unknown reason were compressed differently on some architectures than
    on others, breaking multiarch co-installability. LP: #871083.

 -- Steve Langasek <email address hidden>  Sun, 09 Oct 2011 15:41:41 -0700

pam (1.1.3-2ubuntu1) oneiric; urgency=low

  * Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
    changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/libpam0g.postinst: drop kdm from the list of services to
      restart.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.defs' "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
      (Closes: #583958)
  * Dropped changes:
    - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
      no need to bump the hard limit for number of file descriptors any more
      since we read kernel limits directly now.

pam (1.1.3-2) unstable; urgency=low

  [ Kees Cook ]
  * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
    - only report about unknown kernel rlimits when "debug" is set
      (Closes: 625226, LP: #794531).

  [ Steve Langasek ]
  * Build for multiarch. Closes: #463420.
  * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
    don't reset the process niceness for root; since it's root, they can
    still renice to a lower nice level if they need to and changing the
    nice level by default is unexpected behavior. Closes: #594377.

 -- Kees Cook <email address hidden>  Thu, 18 Aug 2011 16:41:18 -0500

pam (1.1.3-1ubuntu3) oneiric; urgency=low

  [ Steve Langasek ]
  * debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv
    common helper functions, instead of hand-rolled uid-setting code.

  [ Martin Pitt ]
  * debian/local/common-session{,-noninteractive}: Enable pam_umask by
    default, now that the umask setting is gone from /etc/profile.
    (LP: #253096, UbuntuSpec:umask-to-0002)
  * debian/local/pam-auth-update: Add the new md5sum of above files.
  * Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
    Deprecate pam_unix' explicit "usergroups" option and instead read it from
    /etc/login.defs' "USERGROUP_ENAB" option if umask is only defined there.
    This restores compatibility with the pre-PAM behaviour of login.
    (Closes: #583958)

 -- Martin Pitt <email address hidden>  Fri, 24 Jun 2011 11:07:57 +0200

pam (1.1.3-1ubuntu2) oneiric; urgency=low

  * debian/patches-applied/update-motd-manpage-ref: refresh patch to apply
    cleanly against new upstream.

 -- Steve Langasek <email address hidden>  Sat, 04 Jun 2011 14:20:17 -0700

pam (1.1.3-1ubuntu1) oneiric; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
      bump the hard limit for number of file descriptors, to keep pace with
      the changes in the kernel.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/libpam0g.postinst: drop kdm from the list of services to
      restart.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - New patch, lib_security_multiarch_compat, which lets us reuse the
      upstream --enable-isadir functionality to support a true path for
      module lookups; this way we don't have to force a hard transition to
      multiarch, but can support resolving modules in both the multiarch and
      non-multiarch directories.
    - build for multiarch, splitting our executables out of libpam-modules
      into a new package, libpam-modules-bin, so that modules can be
      co-installable between architectures.
  * Dropped changes:
    - bumping the service restart version in libpam0g.postinst to ensure
      servers don't fail to find the pam modules in the new paths; the min
      version requirement upstream is higher than this now.

pam (1.1.3-1) unstable; urgency=low

  * New upstream release.
    - Fixes CVE-2010-3853, executing namespace.init with an insecure
      environment set by the caller. Closes: #608273.
    - Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435.
      Closes: #599832.
  * Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv
    interface; now possibly upstreamable
  * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
    set a better default RLIMIT_MEMLOCK value for BSD kernels. Thanks to
    Petr Salinger for the fix. Closes: #602902.
  * bump the minimum version check in maintainer scripts for the restart
    handling.

 -- Steve Langasek <email address hidden>  Sat, 04 Jun 2011 14:04:19 -0700

pam (1.1.2-2ubuntu9) oneiric; urgency=low

  * debian/patches-applied/update-motd: sanitize the environment before
    calling run-parts, LP: #610125

 -- Dustin Kirkland <email address hidden>  Wed, 27 Apr 2011 13:02:15 -0500

pam (1.1.2-2ubuntu8) natty; urgency=low

  * Check if gdm is actually running before trying to reload it. (LP: #745532)

 -- Stephane Graber <email address hidden>  Mon, 11 Apr 2011 21:57:36 -0400