  * Merge from Debian unstable. Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/libpam0g.postinst: drop kdm from the list of services to
      restart.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.defs' "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
      (Closes: #583958)
  * Dropped changes, included in Debian:
    - debian/patches-applied/CVE-2011-3148.patch
    - debian/patches-applied/CVE-2011-3149.patch
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
  * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd'
    in Ubuntu, so fix the restart handling.
  * debian/patches-applied/update-motd: set a sane umask before calling
    run-parts, and restore the old mask afterwards, so /run/motd gets
    consistent permissions. LP: #871943.
  * debian/patches-applied/update-motd: new module option for pam_motd,
    'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
    LP: #805423.

pam (1.1.3-5) unstable; urgency=low

  [ Kees Cook ]
  * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use
    setresgid() to wipe out saved-gid just in case.
  * debian/patches-applied/008_modules_pam_limits_chroot:
    - fix off-by-one when parsing configuration file.
    - when using chroot, chdir() to root to lose links to old tree.
  * debian/patches-applied/022_pam_unix_group_time_miscfixes,
    debian/patches-applied/026_pam_unix_passwd_unknown_user,
    debian/patches-applied/054_pam_security_abstract_securetty_handling:
    improve descriptions.
  * debian/patches-applied/{007_modules_pam_unix,055_pam_unix_nullok_secure}:
    drop unneeded no-op change to reduce delta from upstream.
  * debian/patches-applied/hurd_no_setfsuid: check all set*id() calls.
  * debian/patches-applied/update-motd: correctly clear environment when
    building motd.
  * debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow
    in environment file parsing (CVE-2011-3148).
  * debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment
    file parsing (CVE-2011-3149).

pam (1.1.3-4) unstable; urgency=low

  * Make sure shared library links are also installed to the multiarch
    directory, not just the .a files; otherwise the static libs get found
    first by the linker. Thanks to Russ Allbery for catching this.
    Closes: #642952.

pam (1.1.3-3) unstable; urgency=low

  * Look for /etc/init.d/postgresql, not /etc/init.d/postgresql-8.{2,3},
    for service restarts; the latter are obsolete since squeeze.
    Closes: #631511.
  * Move debian/libpam0g-dev.install to debian/libpam0g-dev.install.in
    and substitute the multiarch path at build time, so our .a files go to
    the multiarch dir instead of to /usr/lib. Thanks to Riku Voipio for
    pointing out the bug.
  * debian/control: adjust the package descriptions, as the current ones
    use some awkward language that's gone unnoticed for a long time. Thanks
    to Martin Eberhard Schauer <email address hidden> for pointing this
    out. Closes: #633863.
  * Build-depend on debhelper 8.9.4 and bump debian/compat to 9 for
    dpkg-buildflags integration, and drop manual setting of -g -O options in
    CFLAGS now that we can let dh do it for us
  * Don't set --sbindir when calling configure; upstream takes care of this
    for us

 -- Steve Langasek <email address hidden>  Sun, 30 Oct 2011 09:45:00 -0600

This bug was fixed in the package pam - 1.1.3-5ubuntu1
---------------
pam (1.1.3-5ubuntu1) precise; urgency=low