Branches for Lenny

Name Status Last Modified Last Commit
lp:debian/lenny/libpam-krb5 1 Development 2009-07-03 15:48:39 UTC
9. * SECURITY (CVE-2009-0360): If invoke...

Author: Russ Allbery
Revision Date: 2009-01-29 15:42:10 UTC

* SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore user
  environment variables that specify the local keytab and Kerberos
  configuration. Protects against a privilege escalation vulnerability.
* SECURITY (CVE-2009-0361): Protect against applications calling
  pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid context.
  This API call is designed to reinitialize an existing Kerberos ticket
  cache and therefore trusts the KRB5CCNAME environment variable, but in
  a setuid context, this may allow overwriting arbitrary files.
