Changelog
pam (1.1.3-1ubuntu1) oneiric; urgency=low
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/libpam0g.postinst: drop kdm from the list of services to
restart.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- New patch, lib_security_multiarch_compat, which lets us reuse the
upstream --enable-isadir functionality to support a true path for
module lookups; this way we don't have to force a hard transition to
multiarch, but can support resolving modules in both the multiarch and
non-multiarch directories.
- build for multiarch, splitting our executables out of libpam-modules
into a new package, libpam-modules-bin, so that modules can be
co-installable between architectures.
* Dropped changes:
- bumping the service restart version in libpam0g.postinst to ensure
servers don't fail to find the pam modules in the new paths; the min
version requirement upstream is higher than this now.
pam (1.1.3-1) unstable; urgency=low
* New upstream release.
- Fixes CVE-2010-3853, executing namespace.init with an insecure
environment set by the caller. Closes: #608273.
- Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435.
Closes: #599832.
* Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv
interface; now possibly upstreamable
* debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
set a better default RLIMIT_MEMLOCK value for BSD kernels. Thanks to
Petr Salinger for the fix. Closes: #602902.
* bump the minimum version check in maintainer scripts for the restart
handling.
-- Steve Langasek <email address hidden> Sat, 04 Jun 2011 14:04:19 -0700