pam (0.99.7.1-5ubuntu6.5) hardy-security; urgency=low

  * SECURITY UPDATE: possible code execution via incorrect environment file
    parsing (LP: #874469)
    - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
      whitespace when parsing environment file in
      Linux-PAM/modules/pam_env/pam_env.c.
    - CVE-2011-3148
  * SECURITY UPDATE: denial of service via overflowed environment variable
    expansion (LP: #874565)
    - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
      with PAM_BUF_ERR in Linux-PAM/modules/pam_env/pam_env.c.
    - CVE-2011-3149

 -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2011 10:31:55 -0400

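The two pam_env fixes in the entry above, shown as an added C example rather than the Ubuntu patch or Linux-PAM's own pam_env.c: line assembly measures the payload only after leading blanks are skipped and checks it before writing, and `${NAME}` expansion fails with a buffer error instead of overrunning its output. `ENV_BUF_ERR` (a stand-in for `PAM_BUF_ERR`), `demo_lookup` and the simplified `${NAME}`-only syntax are assumptions of this example.

```c
#include <string.h>
/* Return codes; ENV_BUF_ERR stands in for PAM_BUF_ERR (the value is an assumption). */
#define ENV_OK      0
#define ENV_BUF_ERR 1
/* Copy one config line into buf without its leading blanks or line ending.
 * The length is measured after the blanks are skipped and checked before any write. */
int env_assemble_line(const char *line, char *buf, size_t bufsize)
{
    size_t lead = strspn(line, " \t");          /* skipped, never copied */
    size_t len = strcspn(line + lead, "\r\n");  /* payload without the newline */
    if (len >= bufsize) return ENV_BUF_ERR;     /* no room for the NUL */
    memcpy(buf, line + lead, len);
    buf[len] = '\0';
    return ENV_OK;
}

/* Expand ${NAME} references via lookup() into out. Every write is bounded: a value
 * that does not fit yields ENV_BUF_ERR instead of a truncated or overrun buffer. */
int env_expand(const char *in, char *out, size_t outsize,
               const char *(*lookup)(const char *))
{
    size_t o = 0;
    while (*in) {
        const char *end = (in[0] == '$' && in[1] == '{') ? strchr(in + 2, '}') : NULL;
        if (end) {                               /* well-formed ${NAME} */
            char name[32];
            size_t n = (size_t)(end - (in + 2));
            if (n >= sizeof name) return ENV_BUF_ERR;
            memcpy(name, in + 2, n); name[n] = '\0';
            const char *val = lookup(name);
            size_t vl = val ? strlen(val) : 0;   /* unknown names expand to "" */
            if (o + vl >= outsize) return ENV_BUF_ERR;
            if (vl) memcpy(out + o, val, vl);
            o += vl; in = end + 1;
        } else {                                 /* literal byte, also an unterminated "${" */
            if (o + 1 >= outsize) return ENV_BUF_ERR;
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return ENV_OK;
}
/* Constructed stand-in for the process environment; not real environ data. */
const char *demo_lookup(const char *name)
{
    if (strcmp(name, "HOME") == 0) return "/home/alice";
    if (strcmp(name, "BIG") == 0) return "0123456789012345678901234567890123456789";
    return NULL;
}
```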
pam (0.99.7.1-5ubuntu6.4) hardy-security; urgency=low

  * SECURITY REGRESSION:
    - debian/patches/security-dropprivs.patch: updated patch to preserve
      ABI and prevent daemons from needing to be restarted. (LP: #790538)
    - debian/patches/autoconf.patch: refreshed

 -- Marc Deslauriers <email address hidden>  Tue, 31 May 2011 07:32:03 -0400

pam (0.99.7.1-5ubuntu6.3) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service or privilege escalation via
    non-ASCII usernames
    - debian/patches/CVE-2009-0887.patch: fix signedness error in
      Linux-PAM/libpam/pam_misc.c.
    - CVE-2009-0887
  * SECURITY UPDATE: multiple issues with lack of adequate privilege
    dropping
    - debian/patches/security-dropprivs.patch: introduce new privilege
      dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
      libpam/include/security/pam_modutil.h, libpam/libpam.map,
      modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
      modules/pam_xauth/pam_xauth.c.
    - CVE-2010-3316
    - CVE-2010-3430
    - CVE-2010-3431
    - CVE-2010-3435
    - CVE-2010-4706
    - CVE-2010-4707
  * SECURITY UPDATE: privilege escalation via incorrect environment
    - debian/patches/CVE-2010-3853.patch: use clean environment in
      modules/pam_namespace/pam_namespace.c.
    - CVE-2010-3853
  * debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
    isn't needed for Ubuntu, and it needs to be rewritten to work with the
    massive privilege refactoring in the security patches.
  * debian/control: added Pre-Depends to libpam-modules so it won't get
    updated without pulling in the updated libpam0g.

 -- Marc Deslauriers <email address hidden>  Wed, 25 May 2011 10:16:14 -0400

pam (0.99.7.1-5ubuntu6.1) hardy-proposed; urgency=low

  * debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
    module option 'missingok' which will suppress logging of errors by
    libpam if the module is not found.
  * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
    Use the new 'missingok' option by default for pam_smbpass, to
    correct the problem of very loud logging introduced in the previous
    upload when libpam-smbpass is not installed. LP: #216990.

 -- Steve Langasek <email address hidden>  Tue, 22 Apr 2008 18:53:37 +0000

pam (0.99.7.1-5ubuntu6) hardy; urgency=low

  * debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
    Add pam_smbpass as an optional module in the stack, to keep NTLM
    passwords (for filesharing) in sync with the main system passwords on a
    best-effort basis. LP: #208419.

 -- Steve Langasek <email address hidden>  Tue, 08 Apr 2008 18:21:40 +0000

pam (0.99.7.1-5ubuntu5) hardy; urgency=low

  * debian/local/common-session: Drop libpam-foreground. It's gone for good,
    and we do not want this in the PAM config for new installations, since it
    just spams syslog with error messages. (LP: #198714)

 -- Martin Pitt <email address hidden>  Tue, 11 Mar 2008 11:22:11 +0100

pam (0.99.7.1-5ubuntu4) hardy; urgency=low

  * ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support
    seusers (backported from changes in PAM 0.99.8). Without this patch
    login will not get correct security context when using libselinux
    >= 1.27.2 (LP: #187822).

 -- Caleb Case <email address hidden>  Wed, 30 Jan 2008 06:39:48 -0500

pam (0.99.7.1-5ubuntu3) hardy; urgency=low

  * Temporarily re-enable libpam-foreground in common-session again, until
    dbus' at_console policy works with ConsoleKit.

 -- Martin Pitt <email address hidden>  Thu, 29 Nov 2007 15:17:54 +0100

pam (0.99.7.1-5ubuntu2) hardy; urgency=low

  * debian/local/common-session{,.md5sums}, debian/control: Drop
    libpam-foreground, superseded by ConsoleKit integration into hal.
  * debian/control: Build against libdb4.6 again. This drops this Debian delta
    and 4.6 is our target version in Hardy.

 -- Martin Pitt <email address hidden>  Thu, 22 Nov 2007 18:56:47 +0100

pam (0.99.7.1-5ubuntu1) gutsy; urgency=low

  * Resynchronise with Debian. Remaining changes:
    - debian/control, debian/local/common-session{,md5sums}: use
      libpam-foreground for session management.
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf.
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
      converting RLIMIT_NICE to the range of values used by the kernel.
      (Originally patch 101; converted to quilt.)
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
      earlier behavior would correctly prompt for password on bad usernames
      (LP: #139075).
    - Build using db4.5 instead of db4.6.
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running (LP: #141309).
  * debian/libpam0g.postinst: don't display a debconf warning about display
    managers that need restarting when update-manager is running, instead
    signal to update-notifier if a reboot is required.

 -- Steve Langasek <email address hidden>  Fri, 28 Sep 2007 23:45:24 -0700