-
pam (1.0.1-9ubuntu1.1) jaunty-security; urgency=low
* When no profiles are chosen in pam-auth-update, throw an error message
and prompt again instead of letting the user end up with an insecure
system. This introduces a new debconf template. LP: #410171.
-- Steve Langasek <email address hidden> Fri, 07 Aug 2009 09:32:50 +0100
-
pam (1.0.1-9ubuntu1) jaunty; urgency=low
* Merge from Debian unstable
* Remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
type rather than __u8.
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
password on bad username.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/ubuntu-user_defined_environment: Look at
~/.pam_environment too, with the same format as
/etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/local/common-password, debian/pam-configs/unix: switch from
"md5" to "sha512" as password crypt default.
pam (1.0.1-9) unstable; urgency=low
* Move the pam module packages to section 'admin'.
* 027_pam_limits_better_init_allow_explicit_root: defaults need to be
declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise
global limits will fail to be applied. LP: #314222.
pam (1.0.1-8) unstable; urgency=low
* Updated debconf translations:
- Bulgarian, thanks to Damyan Ivanov <email address hidden> (closes: #518121)
- Spanish, thanks to Javier Fernandez-Sanguino Peña <email address hidden>
(closes: #518214)
- Swedish, thanks to Martin Bagge <email address hidden> (closes: #518324)
- Vietnamese, thanks to Clytie Siddall <email address hidden>
(closes: #518329)
- Japanese, thanks to Kenshi Muto <email address hidden> (closes: #518335)
- Slovak, thanks to Ivan Masár <email address hidden> (closes: #518341)
- Czech, thanks to Miroslav Kure <email address hidden> (closes: #518992)
- Portuguese, thanks to Américo Monteiro <email address hidden>
(closes: #519204)
- Galician, thanks to Marce Villarino <email address hidden>
(closes: #519447)
- Romanian, thanks to Eddy Petrișor <email address hidden>
(closes: #520552)
* 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK
limit correctly to match the kernel default, which is not RLIM_INFINITY.
Closes: #472629.
-- Steve Langasek <email address hidden> Fri, 20 Mar 2009 19:12:10 -0700
-
pam (1.0.1-7ubuntu1) jaunty; urgency=low
* Merge from Debian unstable
* Remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
type rather than __u8.
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
password on bad username.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/ubuntu-user_defined_environment: Look at
~/.pam_environment too, with the same format as
/etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/local/common-password, debian/pam-configs/unix: switch from
"md5" to "sha512" as password crypt default.
* Dropped changes, merged in Debian:
- debian/local/pam-auth-update (et al): new interface for managing
/etc/pam.d/common-*, using drop-in config snippets provided by module
packages.
- New patch dont_freeze_password_chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882.
- debian/patches/027_pam_limits_better_init_allow_explicit_root:
Add documentation to the patch showing how to set limits for root.
* Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6,
reducing the delta with Debian.
* Drop upgrade handling code from libpam-runtime.postinst that's only
needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid
pre-release version of the package.
* pam-auth-update: swap out known md5sums from intrepid pre-release versions
with the md5sums from the released intrepid version
* pam-auth-update: drop some md5sums that will only be seen on upgrade from
pre-intrepid versions; skipping over the 8.10 final release is not
supported, and upgrading via 8.10 means those config files will be
replaced so the old md5sums will never be seen again.
pam (1.0.1-7) unstable; urgency=low
* 027_pam_limits_better_init_allow_explicit_root:
- fix the patch so that our limit resets are actually *applied*,
which has apparently been broken for who knows how long!
- shadow the finite kernel defaults for RLIMIT_SIGPENDING and
RLIMIT_MSGQUEUE as well, so that the preceding change doesn't
suddenly expose systems to DoS or other issues.
- include documentation in the patch, giving examples of how to set
limits for root. Thanks to Jonathan Marsden.
* pam-auth-update: swap out known md5sums from intrepid pre-release
versions with the md5sums from the released intrepid version
* pam-auth-update: set the umask, so we don't accidentally mark
/etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching.
Closes: #518042.
pam (1.0.1-6) unstable; urgency=low
* Updated debconf translations:
- Vietnamese, thanks to Clytie Siddall <email address hidden>
* New patch dont_freeze_password_chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882.
* debian/local/pam-auth-update (et al): new interface for managing
/etc/pam.d/common-*, using drop-in config snippets provided by module
packages.
-- Steve Langasek <email address hidden> Tue, 03 Mar 2009 17:34:19 -0800
-
pam (1.0.1-5ubuntu2) jaunty; urgency=low
* New patch dont_freeze_password_chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882.
-- Steve Langasek <email address hidden> Fri, 27 Feb 2009 16:20:24 -0800
-
pam (1.0.1-5ubuntu1) jaunty; urgency=low
* Merge from Debian unstable
* Remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
type rather than __u8.
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
password on bad username.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/ubuntu-user_defined_environment: Look at
~/.pam_environment too, with the same format as
/etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/local/pam-auth-update (et al): new interface for managing
/etc/pam.d/common-*, using drop-in config snippets provided by module
packages.
- debian/local/common-password, debian/pam-configs/unix: switch from
"md5" to "sha512" as password crypt default.
* Bump the version numbers referenced in the config files, again, as pam
has revved in Debian and moved the bar.
* pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
as a present but empty file; thanks to Greg Price for the patch.
LP: #294513.
* pam-auth-update: Ignore removed profiles when detecting an empty set
of currently-enabled modules. Thanks to Greg Price for this as well.
* debian/control: libpam-runtime needs a versioned dependency on
debconf, because it uses the x_loadtemplatefile extension that's
not supported by debconf versions before hardy. LP: #295135.
* pam-auth-update: trim leading whitespace from multiline fields when
parsing PAM profiles. LP: #295441.
* pam-auth-update: factor out the duplicate code used for returning
the lines for a given module
[ Jonathan Marsden ]
* debian/patches/027_pam_limits_better_init_allow_explicit_root:
Add to patch, documenting how to set limits for root user.
Include an example. Alters limits.conf, limits.conf.5.xml,
and limits.conf.5 . (LP: #65244)
-- Steve Langasek <email address hidden> Thu, 08 Jan 2009 20:26:25 +0000
-
pam (1.0.1-4ubuntu5.4) jaunty; urgency=low
* No-change upload to jaunty to fix publication on armel.
-- Colin Watson <email address hidden> Tue, 18 Nov 2008 14:09:00 +0000
-
pam (1.0.1-4ubuntu5.3) intrepid-updates; urgency=low
* No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
copied while some ports were not built yet.
-- Martin Pitt <email address hidden> Tue, 11 Nov 2008 14:50:12 +0100
-
pam (1.0.1-4ubuntu5.2) intrepid-proposed; urgency=low
* No-change rebuild because the archive admin (me) copied the package
to jaunty too soon.
pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low
* Allow passwords to change on expired accounts, by passing
new_authtok_reqd return codes immediately (LP: #291091).
-- Steve Langasek <email address hidden> Wed, 05 Nov 2008 20:28:11 +0000
-
pam (1.0.1-4ubuntu5.1) intrepid-proposed; urgency=low
* Allow passwords to change on expired accounts, by passing
new_authtok_reqd return codes immediately (LP: #291091).
-- Kees Cook <email address hidden> Wed, 05 Nov 2008 09:31:45 -0800
-
pam (1.0.1-4ubuntu5) intrepid; urgency=low
* debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of
default desktop services that are ignored in deciding whether to prompt
for service restarts on upgrade. Partially addresses LP #278117.
* debian/libpam0g.postinst: also filter out samba, which may be installed
on the desktop to enable filesharing.
* debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the
ubiquitous debhelper tokens (currently a no-op)
* pam-auth-update: Use -Initial only for the first profile, even when
there's no explicit -Initial config for that first profile
* fix common-session/common-password to use the same overall stack
structure as auth/account, so that we get the correct behavior when
all password modules fail. LP: #272232.
-- Steve Langasek <email address hidden> Wed, 15 Oct 2008 18:11:13 -0700
