-
pam (1.1.1-2ubuntu5.6) lucid-proposed; urgency=low
* Include the pam_tally2 helper in /sbin so that the pam_tally2 module can
be used. LP: #586462.
-- Steve Langasek <email address hidden> Tue, 26 Mar 2013 13:05:44 -0700
-
pam (1.1.1-2ubuntu5.5) lucid-proposed; urgency=low
* Include the pam_tally2 helper in /sbin so that the pam_tally2 module can
be used. LP: #586462.
-- Steve Langasek <email address hidden> Tue, 13 Mar 2012 21:01:11 -0700
-
pam (1.1.1-2ubuntu5.4) lucid-security; urgency=low
* SECURITY UPDATE: possible code execution via incorrect environment file
parsing (LP: #874469)
- debian/patches-applied/CVE-2011-3148.patch: correctly count leading
whitespace when parsing environment file in modules/pam_env/pam_env.c.
- CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
expansion (LP: #874565)
- debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
with PAM_BUF_ERR in modules/pam_env/pam_env.c.
- CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
- debian/patches-applied/update-motd: updated to use clean environment
and absolute paths in modules/pam_motd/pam_motd.c.
- CVE-2011-XXXX
-- Marc Deslauriers <email address hidden> Tue, 18 Oct 2011 10:26:13 -0400
-
pam (1.1.1-2ubuntu5.3) lucid-security; urgency=low
* SECURITY REGRESSION:
- debian/patches/security-dropprivs.patch: updated patch to preserve
ABI and prevent daemons from needing to be restarted. (LP: #790538)
- debian/patches/autoconf.patch: refreshed
-- Marc Deslauriers <email address hidden> Tue, 31 May 2011 07:07:44 -0400
-
pam (1.1.1-2ubuntu5.2) lucid-security; urgency=low
* SECURITY UPDATE: multiple issues with lack of adequate privilege
dropping
- debian/patches/security-dropprivs.patch: introduce new privilege
dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
libpam/include/security/pam_modutil.h, libpam/libpam.map,
modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
modules/pam_xauth/pam_xauth.c.
- CVE-2010-3316
- CVE-2010-3430
- CVE-2010-3431
- CVE-2010-3435
- CVE-2010-4706
- CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
- debian/patches/CVE-2010-3853.patch: use clean environment in
modules/pam_namespace/pam_namespace.c.
- CVE-2010-3853
* debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
isn't needed for Ubuntu, and it needs to be rewritten to work with the
massive privilege refactoring in the security patches.
-- Marc Deslauriers <email address hidden> Thu, 19 May 2011 08:44:14 -0400
-
pam (1.1.1-2ubuntu5.1) lucid-proposed; urgency=low
* debian/patches-applied/update-motd: sanitize the environment before
calling run-parts, LP: #610125
-- Dustin Kirkland <email address hidden> Tue, 03 May 2011 08:00:16 -0500
-
pam (1.1.1-2ubuntu5) lucid-security; urgency=low
* SECURITY UPDATE: root privilege escalation via symlink following.
- debian/patches-applied/pam_motd-legal-notice: drop privs for work.
- CVE-2010-0832
-- Kees Cook <email address hidden> Wed, 07 Jul 2010 10:54:10 -0700
-
pam (1.1.1-2ubuntu3) lucid-proposed; urgency=low
* pam-auth-update: fix a bug in our handling of module options when the
module name contains digits, caused by a buggy regexp. LP: #579826.
-- Steve Langasek <email address hidden> Thu, 13 May 2010 10:30:12 +0200
-
pam (1.1.1-2ubuntu2) lucid; urgency=low
* debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation,
LP: #562566
* debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8)
to update-motd(5), LP: #552175
-- Dustin Kirkland <email address hidden> Tue, 13 Apr 2010 16:58:12 -0500
-
pam (1.1.1-2ubuntu1) lucid; urgency=low
* Merge from Debian, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- Change Vcs-Bzr to point at the Ubuntu branch.
- Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
run-parts does the right thing in /etc/update-motd.d.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent showing
it again.
- debian/local/common-{auth,account,password}.md5sums: include the
Ubuntu-specific intrepid,jaunty md5sums for use during the
common-session-noninteractive upgrade.

pam (1.1.1-2) unstable; urgency=low
* Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and
raise the minimum version for the service restarting code.
Closes: #568480.
-- Steve Langasek <email address hidden> Thu, 18 Feb 2010 12:04:18 +0000
-
pam (1.1.1-1ubuntu1) lucid; urgency=low
* Merge from Debian, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- Change Vcs-Bzr to point at the Ubuntu branch.
- Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
run-parts does the right thing in /etc/update-motd.d.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent showing
it again.
- debian/local/common-{auth,account,password}.md5sums: include the
Ubuntu-specific intrepid,jaunty md5sums for use during the
common-session-noninteractive upgrade.

pam (1.1.1-1) unstable; urgency=low
* New upstream version.
- restore proper netgroup handling in pam_access.
Closes: #567385, LP: #513955.
* Drop patches pam.d-manpage-section, namespace_with_awk_not_gawk, and
pam_securetty_tty_check_before_user_check, which are included upstream.
* debian/patches/026_pam_unix_passwd_unknown_user: don't return
PAM_USER_UNKNOWN on password change of a user that has no shadow entry,
upstream now implements auto-creating the shadow entry in this case.
* Updated debconf translations:
- French, thanks to Jean-Baka Domelevo Entfellner <email address hidden>
(closes: #547039)
- Bulgarian, thanks to Damyan Ivanov <email address hidden> (closes: #562835)
* debian/patches/sys-types-include.patch: fix pam_modutil.h so that it can
be included directly, without having to include sys/types.h first.
Closes: #556203.
* Add postgresql-8.3 to the list of services in need of restart on upgrade.
Closes: #563674.
* And drop postgresql-{7.4,8.1} from the list, neither of which is present
in stable.
* debian/patches/007_modules_pam_unix: recognize that *all* of the password
hashes other than traditional crypt handle passwords >8 chars in length.
LP: #356766.
-- Steve Langasek <email address hidden> Mon, 01 Feb 2010 09:55:02 -0800
-
pam (1.1.0-4ubuntu3) lucid; urgency=low
* Brown paper bag: remove the right patch from the series file.
-- Steve Langasek <email address hidden> Thu, 10 Dec 2009 23:09:03 -0800
-
pam (1.1.0-4ubuntu2) lucid; urgency=low
* "Rebase" Ubuntu patches to apply them last in the series.
* Drop patch ubuntu-regression_fix_securetty, superseded by the more
precise fix in pam_securetty_tty_check_before_user_check.
-- Steve Langasek <email address hidden> Thu, 10 Dec 2009 22:52:20 -0800
-
pam (1.1.0-4ubuntu1) lucid; urgency=low
* Merge from Debian, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
password on bad username.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- Change Vcs-Bzr to point at the Ubuntu branch.
- Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
run-parts does the right thing in /etc/update-motd.d.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent showing
it again.
- debian/local/common-{auth,account,password}.md5sums: include the
Ubuntu-specific intrepid,jaunty md5sums for use during the
common-session-noninteractive upgrade.

pam (1.1.0-4) unstable; urgency=low
* debian/patches/pam_securetty_tty_check_before_user_check: new patch,
to make pam_securetty always return success on a secure tty regardless
of what username was passed. Thanks to Nicolas François
<email address hidden> for the patch. Closes: #537848
* debian/local/pam-auth-update: only reset the seen flag on the template
when there's new information; this avoids reprompting users for the same
information on upgrade, regardless of the debconf priority used.
Closes: #544805.
* libpam0g no longer depends on libpam-runtime; packages that use
/etc/pam.d/common-* must depend directly on libpam-runtime, and most do
(including the Essential: yes ones), so let's break this circular
dependency. Closes: #545086, LP: #424566.

pam (1.1.0-3) unstable; urgency=low
* Bump debian/compat to 7, so we can use sane contents in debian/*.install
* Switch all packages over to dh_install
* Rename debian/*.lintian to debian/*.lintian-overrides and use dh_lintian
* Move installation logic out of debian/rules into individual .install
files
* Drop superfluous options to dh_installchangelogs, dh_shlibdeps
* Use debian/clean instead of rm -f'ing files in debian/rules clean target
* Drop ./configure options that are no-ops
* Drop the /lib/security/pam_unix_*.so symlinks, which have been deprecated
now for 10 years and are not used at all if pam-auth-update is in play.
* Drop the pam_rhosts_auth.so symlink as well, and document in NEWS.Debian
that this is now obsolete.
* Drop stale content from README.debian: some of this should have been in
NEWS.Debian instead (but is so old it's not worth putting it there now),
some of it is obsolete by the change in package VCS.
* Convert debian/rules to debhelper 7 and add versioned build-dependencies
on debhelper and quilt to suit.
* Drop CFLAGS that we don't need anymore (-fPIC, -D_REENTRANT,
-D_GNU_SOURCE).
* Explicitly add -O0 to CFLAGS when noopt is set.
* debian/patches/autoconf.patch: pull ltmain.sh in, to fix some spurious
library linkage in the modules.
* Move pam_cracklib manpage to the libpam-cracklib package, and add the
requisite Replaces
* Drop dh_makeshlibs -V; everything from lenny on should use the .symbols
file instead, making the shlibs redundant so we don't need to care what
version gets listed there.
-- Steve Langasek <email address hidden> Thu, 05 Nov 2009 21:33:15 -0800
-
pam (1.1.0-2ubuntu1) karmic; urgency=low
* Merge from Debian, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env.conf. (should send to Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches-applied/series: Ubuntu patches are as below ...
- debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
password on bad username.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- Change Vcs-Bzr to point at the Ubuntu branch.
- Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
run-parts does the right thing in /etc/update-motd.d.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent showing
it again.
- debian/local/common-{auth,account,password}.md5sums: include the
Ubuntu-specific intrepid,jaunty md5sums for use during the
common-session-noninteractive upgrade.
* Changes merged in Debian:
- debian/local/common-password, debian/pam-configs/unix: switch from
"md5" to "sha512" as password crypt default.

pam (1.1.0-2) unstable; urgency=low
[ Steve Langasek ]
* debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch
to call setregid() instead of always returning an error on username
mismatch in unix_chkpwd, needed in the SELinux case and in some corner
cases with the broken_shadow option. Thanks to Michael Spang for the
analysis. Closes: #543589.
* fix the PAM mini-policy to not tell app maintainers that they don't need
to depend on libpam-modules if they reference modules from there.
* make libpam-runtime depend on libpam-modules (>= 1.0.1-6) - nothing else
guarantees that we have pam_unix available for use by pam-auth-update.
* Use /bin/sh instead of /bin/bash for libpam0g.postinst, since we've
confirmed there are no longer any bashisms there. Closes: #519973.
* Clean up the libpam0g postinst a bit; invoke-rc.d has been a guaranteed
interface for two stable release cycles now
* debian/patches/namespace_with_awk_not_gawk: fix the sample
namespace.init script's dependency on non-POSIX features of gawk, since
we don't use gawk by default. Closes: #518908.
* Updated debconf translations:
- German, thanks to Sven Joachim <email address hidden> (closes: #544464)
[ Kees Cook ]
* debian/local/common-password, debian/pam-configs/unix: switch from "md5"
to "sha512" as password crypt default.
-- Steve Langasek <email address hidden> Fri, 04 Sep 2009 01:11:48 -0700