Change logs for pam source package in Maverick

  • pam (1.1.1-4ubuntu2.4) maverick-security; urgency=low
    
      * SECURITY UPDATE: possible code execution via incorrect environment file
        parsing (LP: #874469)
        - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
          whitespace when parsing environment file in modules/pam_env/pam_env.c.
        - CVE-2011-3148
      * SECURITY UPDATE: denial of service via overflowed environment variable
        expansion (LP: #874565)
        - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
          with PAM_BUF_ERR in modules/pam_env/pam_env.c.
        - CVE-2011-3149
      * SECURITY UPDATE: code execution via incorrect environment cleaning
        - debian/patches-applied/update-motd: updated to use clean environment
          and absolute paths in modules/pam_motd/pam_motd.c.
        - CVE-2011-XXXX
     -- Marc Deslauriers <email address hidden>   Tue, 18 Oct 2011 10:05:50 -0400
  • pam (1.1.1-4ubuntu2.3) maverick-security; urgency=low
    
      * SECURITY REGRESSION:
        - debian/patches/security-dropprivs.patch: updated patch to preserve
          ABI and prevent daemons from needing to be restarted. (LP: #790538)
        - debian/patches/autoconf.patch: refreshed
     -- Marc Deslauriers <email address hidden>   Tue, 31 May 2011 06:48:32 -0400
  • pam (1.1.1-4ubuntu2.2) maverick-security; urgency=low
    
      * SECURITY UPDATE: multiple issues with lack of adequate privilege
        dropping
        - debian/patches/security-dropprivs.patch: introduce new privilege
          dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
          libpam/include/security/pam_modutil.h, libpam/libpam.map,
          modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
          modules/pam_xauth/pam_xauth.c.
        - CVE-2010-3316
        - CVE-2010-3430
        - CVE-2010-3431
        - CVE-2010-3435
        - CVE-2010-4706
        - CVE-2010-4707
      * SECURITY UPDATE: privilege escalation via incorrect environment
        - debian/patches/CVE-2010-3853.patch: use clean environment in
          modules/pam_namespace/pam_namespace.c.
        - CVE-2010-3853
      * debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
        isn't needed for Ubuntu, and it needs to be rewritten to work with the
        massive privilege refactoring in the security patches.
     -- Marc Deslauriers <email address hidden>   Thu, 19 May 2011 08:42:33 -0400
  • pam (1.1.1-4ubuntu2.1) maverick-proposed; urgency=low
    
      * debian/patches-applied/update-motd: sanitize the environment before
        calling run-parts, LP: #610125
     -- Dustin Kirkland <email address hidden>   Tue, 03 May 2011 07:58:52 -0500
  • pam (1.1.1-4ubuntu2) maverick-security; urgency=low
    
      * SECURITY UPDATE: root privilege escalation via symlink following.
        - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
        - CVE-2010-0832
     -- Kees Cook <email address hidden>   Mon, 25 Oct 2010 06:40:32 -0700
  • pam (1.1.1-4ubuntu1) maverick; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
          not present there or in /etc/security/pam_env.conf. (should send to
          Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent
          showing it again.
        - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
          for update-motd, with some best practices and notes of explanation.
        - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
          to update-motd(5)
     -- Steve Langasek <email address hidden>   Mon, 16 Aug 2010 19:12:35 -0700
  • pam (1.1.1-3ubuntu3) maverick; urgency=low
    
      * SECURITY UPDATE: root privilege escalation via symlink following.
        - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
        - CVE-2010-0832
     -- Kees Cook <email address hidden>   Wed, 07 Jul 2010 10:44:11 -0700
  • pam (1.1.1-3ubuntu2) maverick; urgency=low
    
      * Trigger a rebuild, applying changes from 1.1.1-2ubuntu2 which
        were previously not committed to bzr
     -- Dustin Kirkland <email address hidden>   Thu, 13 May 2010 10:04:23 +0200
  • pam (1.1.1-3ubuntu1) maverick; urgency=low
    
      * Merge from Debian, remaining changes:
        - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
          present there or in /etc/security/pam_env.conf. (should send to Debian).
        - debian/libpam0g.postinst: only ask questions during update-manager when
          there are non-default services running.
        - debian/patches-applied/series: Ubuntu patches are as below ...
        - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
          initialise RLIMIT_NICE rather than relying on the kernel limits.
        - Change Vcs-Bzr to point at the Ubuntu branch.
        - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
          run-parts does the right thing in /etc/update-motd.d.
        - debian/patches-applied/pam_motd-legal-notice: display the contents of
          /etc/legal once, then set a flag in the user's homedir to prevent showing
          it again.
      * Dropped changes:
        - debian/local/common-{auth,account,password}.md5sums: include the
          Ubuntu-specific intrepid,jaunty md5sums for use during the
          common-session-noninteractive upgrade - upgrades to maverick are
          only supported from lucid, so this delta can be dropped.
        - debian/patches-applied/ubuntu-no-error-if-missingok: 'missingok' option
          is obsoleted by 10.04 LTS and no longer needs to be supported for
          upgrades.
    
    pam (1.1.1-3) unstable; urgency=low
    
      * pam-auth-update: fix a bug in our handling of module options when the
        module name contains digits, caused by a buggy regexp. :/  Partially
        addresses LP #369575.
      * Install /sbin/pam_tally2 in the libpam-modules package; thanks to
        Olivier BONHOMME <email address hidden> for reporting.  Closes: #554010.
     -- Steve Langasek <email address hidden>   Thu, 13 May 2010 00:39:44 +0200
  • pam (1.1.1-2ubuntu2) lucid; urgency=low
    
      * debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
        for update-motd, with some best practices and notes of explanation,
        LP: #562566
      * debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8)
        to update-motd(5), LP: #552175
     -- Dustin Kirkland <email address hidden>   Tue, 13 Apr 2010 16:58:12 -0500