pam 0.99.7.1-4ubuntu1 source package in Ubuntu

Changelog

pam (0.99.7.1-4ubuntu1) gutsy; urgency=low

  * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
    - debian/control, debian/local/common-session{,md5sums}: use
      libpam-foreground for session management.
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf.
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
      converting RLIMIT_NICE to the range of values used by the kernel.
      (Originally patch 101; converted to quilt.)
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
  * Dropped:
    - debian/rules: bashism fixes (merged upstream).
    - debian/control: Conflict on ancient nis (expired with Breezy).
    - debian/libpam-runtime.postinst: check for ancient pam (expired with
      Breezy).

pam (0.99.7.1-4) unstable; urgency=low

  * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
    to fix the library skew, only reloaded; special-case this daemon in the
    postinst and remove the mention of it from the debconf template, also
    tightening the language of the debconf template in the process.
    Closes: #440074.
  * Add courier-authdaemon to the list of services that need to be
    restarted; thanks to Micah Anderson for reporting.
  * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
    garbage lines in /etc/environment and log an error, instead of failing
    with an obscure error; and ignore any PAM_BAD_ITEM values returned
    by pam_putenv(), since this is the expected error return when trying
    to delete a non-existent var.  Closes: #439984.
  * Yet another thinko in hurd_no_setfsuid and in
    029_pam_limits_capabilities; this code should really be Hurd-safe at
    last...
  * getline() returns -1 on EOF, not 0; check this appropriately, to fix
    an infinite loop in pam_rhosts_auth.  Thanks to Stephan Springl
    <email address hidden> for the fix.  Closes: #440019.
  * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
    debconf.
  * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
    errors about missing files or files with wrong permissions; these are
    real errors that should not be buried.
  * Drop the remainder of 061_pam_issue_double_free, not required for the
    original bugfix.
  * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
    we define CRACKLIB_DICTS in debian/rules.
  * Drop patch 063_paswd_segv, superseded by a different upstream fix
  * Split 047_pam_limits_chroot_string_value up between
    008_modules_pam_limits_chroot and 029_pam_limits_capabilites
  * Updates to patch 007_modules_pam_unix: restore the same built-in min
    password len of 6 that upstream uses; fix a typo panlindrome ->
    palindrome.
  * The 'max=' option was never intended to be used to limit maximum password
    length for users, only to declare what the number of significant
    characters /is/ for a password.  But we don't need a config option to
    tell us that, we know the answer based on which crypt type we're using,
    so drop this as a config file option.  Closes: #389197.
  * Debconf translations:
    - Spanish, thanks to Javier Fernández-Sanguino Peña <email address hidden>
    - Vietnamese, thanks to Clytie Siddall <email address hidden>
    - German, thanks to Sven Joachim <email address hidden> (closes: #440355)
    - Czech, thanks to Miroslav Kure <email address hidden>
      (closes: #440362)
    - Portuguese, thanks to Américo Monteiro <email address hidden>
      (closes: #440368)

pam (0.99.7.1-3) unstable; urgency=low

  * New patch limits_wrong_strncpy: fix unnecessary manipulations of string
    buffers, including an illegal use of strncpy().  Thanks to Paul Hampson
    for reporting.  Closes: #331278.
  * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the
    application, instead of blocking it when misc_conv is in use and
    preventing users from being able to ^C at any PAM prompt.  Closes: #1708.
  * 024_debian_cracklib_dict_path: default to NULL instead of a specific
    dictionary path when none is defined for consistency with the new upstream
    version of cracklib, and define our path in debian/rules.
  * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option,
    a prereq for forwarding this patch upstream.  Closes: #325974.
  * Create /etc/security/opasswd on new installs or on upgrades from
    0.99.7.1-2 or below, so that users that enable the remember=<n> option to
    pam_unix aren't left unable to change passwords.  Closes: #95324.
  * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code
    from compiling on the Hurd still.  Thanks to Michael Banck for the catch.
  * Fix a memory leak in the pam_limits capabilities patch: always
    cap_free() the cap_t before returning from pam_sm_open_session().
    Closes: #153157.
  * libpam0g.postinst, libpam0g.templates: on upgrades from versions
    prior to 0.99.7.1-3, restart known PAM-using services so that they
    get the new libpam symbols, since otherwise the newer PAM modules
    will fail to load.  Postinst taken from libssl0.9.8; thanks to
    Christoph Martin for the fine example!  Closes: #439835.
  * Build-depend on po-debconf to support l10n of the debconf questions
    from the above.

pam (0.99.7.1-2) unstable; urgency=low

  * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz
    for their extensive work in helping to prepare for this update in Debian.
    Closes: #360460.
    - now uses autoconf for library detection, so SELinux should not be
      unconditionally enabled on non-Linux archs.  Closes: #333141.
    - pam_mail notice handling has been completely reworked, so there should
      no longer be missing spaces in the messages.  Closes: #119689.
    - with libtool and autoconf, now behaves "sensibly" on unknown
      platforms.  Closes: #165067.
    - the source now builds without warnings.  Closes: #212165.
    - uses automake instead of hand-rolled makefiles with indentation
      bugs.  Closes: #241661, #328084.
    - pam_mkhomedir now creates directories recursively as needed.
      Closes: #178225.
    - pam_listfile now supports being used as a session module too.
      Closes: #416665.
    - misspelled pam_userdb log message has been corrected.  Closes: #305058.
    - the current pam_strerror manpage no longer mentions "Unknown
      Linux-PAM error".  Closes: #220157.
    - the text documentation no longer uses ANSI bold sequences.
      Closes: #181451.
    - pam_localuser now supports being used as a session module.
      Closes: #412484.
    - package no longer fails to build with dash as /bin/sh.
      Closes: #331208.
    - All modules should now be documented in the system administrator
      guide.  Closes: #350620.
    - pam_userdb now logs an error instead of segfaulting when no db=
      option is provided.  Closes: #436005.
    - pam_time now warns on a missing tty instead of erroring out,
      making it possible to use the module with non-console services.
      Closes: #127931.
    - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install
      accordingly
    - bump the shlibs
    - the 'test.c' example no longer exists
    - add /usr/share/locale to libpam-runtime.
    - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an
      arbitrary username, and then only when SELinux is active.
      Closes: #336344.
  * Mark myself as primary maintainer as previously discussed with Sam, and
    add Roger as an uploader.
  * Refactor to use quilt.
  * Update to Standards-Version 3.7.2.
  * Drop unnecessary build-dependency on patch, which is
    build-essential (and no longer invoked directly).
  * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus,
    018_man_fixes, 030_makefile_link_against_libpam,
    037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd,
    050_configure_in_gnu and 052_pam_unix_no_openlog, which have been
    superseded upstream.
  * Drop patches 005_pam_limits_099_6,
    012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes,
    048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv,
    060_pam_tally_segv and 062_c++_safe_headers, which have been integrated
    upstream.
  * Patch 057: SELinux support is merged upstream, leaving only an
    unrelated OOM check for pam_unix_passwd.  Rename as
    057_pam_unix_passwd_OOM_check.
  * Patches 006, 008, 036: update for the switch from SGML to XML.
  * Patch 007: update for the switch from SGML to XML; drop some log
    messages that were already added upstream; update for the pam_modutil
    changes; tighten the flag handling of the 'obscure' option; drop bogus
    check in unix_chkpwd for null passwords.  Also fix a grammar error
    along the way.  Closes: #362855.
  * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch
    pam_cracklib.c instead to use the default dictpath already available
    from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead
    of AC_CHECK_HEADER, so crack.h is actually included.  Also remove
    unnecessary string copies, which break on the Hurd due to PATH_MAX.
  * Patch 038: partially merged/superseded upstream; also add new Hurd
    fix for pam_xauth.
  * Patch 061: partially merged upstream
  * Use ${binary:Version} instead of ${Source-Version} in
    debian/control.
  * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm},
    debian/libpam0g.{postinst,prerm}, and
    debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these
    just fine without our help.
  * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl
    and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra,
    groff, and opensp.
  * Also build-depend on flex for libfl.a.
  * Updates for documentation handling:
    - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide,
      and invoke dh_installdocs instead of installing these by hand.
    - drop libpam-doc.{postinst,prerm}, which are no longer needed.
    - add an install target to debian/rules, and have binary-indep depend on
      it instead of trying to install doc files individually from the source
      tree
    - consequently, drop libpam-doc.dirs as well which is no longer needed
      and no longer accurate
    - add debian/libpam-doc.install for moving the docs to the right place,
      and also replace libpam-runtime.files with libpam-runtime.install;
      for the moment this means we're using both dh_movefiles and
      dh_install...
    - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further
      cleaning up debian/rules
  * Drop debian/libpam0g.links, no longer needed because upstream now has a
    working install target which creates the library symlinks
  * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so
    symlinks by hand, no longer provided upstream.
  * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage
    belongs in section 7, not in section 8.
  * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime.
  * debian/patches-applied/autoconf.patch: move all changes to autotools
    generated files into a single patch at the end of the stack.
    - don't touch configure in debian/rules, the quilt patch takes care
      of this for us.
  * New patch 064_pam_unix_cracklib_dictpath: correctly define
    CRACKLIB_DICTS, since this is not defined by configure.  Thanks to Jan
    Christoph Nordholz.
  * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable
    cracklib support in pam_unix.  Thanks to Christoph Nordholz.
  * debian/rules:
    - Rename OS_CFLAGS to CFLAGS.
    - kill off references to unused variables
    - make binary-arch also depend on the install target, and streamline the
      rules
    - fix up the clean target to not ignore errors; thanks to Roger Leigh
    - drop the local module_check target in favor of using -Wl,-z,defs
      in LDFLAGS to enforce correct linkage of all objects at build time
  * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage.
  * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally
    for consistency.
  * Update to debhelper V5.
  * Don't ship Makefiles as part of the libpam0g-dev examples.
  * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages:
    put all the manpages in the correct packages.  Closes: #411812,
    #62193, #313486, #300773, #330545, #184270.
  * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything
    because we aren't trying to ship empty directories in the packages
  * Build-Conflict with fop, to avoid unreproducible builds of pdf
    documentation from a tool in contrib.
  * libpam-cracklib should depend on a real wordlist package, per policy;
    use wamerican as the default.
  * Drop local/pam-undocumented.7 from the package, since we no longer have
    a reason to ship it
  * Add lintian overrides for known false-positives
  * Conflicts/Replaces/Provides libpam-umask, now included upstream.
    Closes: #436222.
  * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms
    by hand in debian/rules.  In the process, unix_chkpwd is now writable
    by the owner, as expected by policy.  Closes: #368100.
  * Migrate from db4.3 to db4.6; once again, no administrator action should
    be needed for upgrading on-disk database formats.  Closes: #354309.
  * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to
    Laurent Bigonville for the hint.  Closes: #439038.
  * Add a watch file for use with uscan; thanks to Laurent Bigonville for
    this patch as well.  Closes: #439040.
  * Rewrite of 031_pam_include, fixing a memory leak and letting us drop
    patch 056_no_label_at_end; thanks to Jan Christoph Nordholz
    <email address hidden> for this much-improved version!
  * New patch no_pthread_mutexes: don't use pthread mutexes in
    pam_modutil functions, they're not needed because pam handles
    themselves should not be used concurrently by multiple threads and
    using pthreads causes problems for portable linking.
  * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around
    using setreuid instead.

 -- Kees Cook <email address hidden>   Wed, 05 Sep 2007 15:18:36 -0700