lp:~abone/ubuntu/quantal/pam/abone
- Get this branch:
- bzr branch lp:~abone/ubuntu/quantal/pam/abone
Branch merges
Related source package recipes
Related bugs
| Bug #610125: pam_motd runs commands as root with unsanitised environment | Low | Fix Released |
|
| Bug #790538: pam update causes cron to stop working with "Module is unknown" error | Critical | Fix Released |
|
Related blueprints
Branch information
- Owner:
- Andrey Bondarenko
- Status:
- Development
Recent revisions
- 90. By Andrey Bondarenko
-
* debian/
patches- applied/ parse_userenv_ as_envfile: user_envfile is parsed as an env
file instead of parsing it as a conffile which has different syntax.
see: https://fedorahosted. org/pipermail/ pam-developers/ 2011-June/ thread. html#75
* Pull changes from 1.1.3-2ubuntu2.1. Remaining changes:
- debian/patches- applied/ parse_userenv_ as_envfile: user_envfile is parsed
as an env file instead of parsing it as a conffile which has different
syntax.
* Merge changes from 1.1.2-2ubuntu8.3 and 1.1.2-2ubuntu8.2+abone1.
* SECURITY REGRESSION:
- debian/patches/ security- dropprivs. patch: updated patch to preserve
ABI and prevent daemons from needing to be restarted. (LP: #790538)
- debian/patches/ autoconf. patch: refreshed
* debian/patches- applied/ parse_userenv_ as_envfile: user_envfile is parsed
as an env file instead of parsing it as a conffile which has different
syntax.
* SECURITY UPDATE: multiple issues with lack of adequate privilege
dropping
- debian/patches/ security- dropprivs. patch: introduce new privilege
dropping code in libpam/pam_modutil_ priv.c, libpam/Makefile.*,
libpam/include/ security/ pam_modutil. h, libpam/libpam.map,
modules/pam_env/ pam_env. c, modules/ pam_mail/ pam_mail. c,
modules/pam_xauth/ pam_xauth. c.
- CVE-2010-3430
- CVE-2010-3431
- CVE-2010-3435
- CVE-2010-4706
- CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
- debian/patches/ CVE-2010- 3853.patch: use clean environment in
modules/pam_namespace/ pam_namespace. c.
- CVE-2010-3853
* debian/patches- applied/ series: disable hurd_no_setfsuid patch, as it
isn't needed for Ubuntu, and it needs to be rewritten to work with the
massive privilege refactoring in the security patches.
* debian/patches- applied/ update- motd: santize the environment before
calling run-parts, LP: #610125 - 88. By Steve Langasek
-
No-change rebuild with gzip 1.4-1ubuntu2 to get multiarch-clean
compression of manpages. LP: #871083. - 87. By Steve Langasek
-
* Merge from Debian unstable, remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env. conf. (should send to
Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g. postinst: check if gdm is actually running before
trying to reload it.
- debian/libpam0g. postinst: the init script for 'samba' is now named
'smbd' in Ubuntu, so fix the restart handling.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches- applied/ pam_motd- legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update- motd.5, debian/ libpam- modules. manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/ update- motd-manpage- ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam- auth-update: Add the new md5sums for pam_umask addition.
- Build-depend on libfl-dev in addition to flex, for cross-building
support. - 86. By Steve Langasek
-
* Merge from Debian unstable. Remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env. conf. (should send to
Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g. postinst: check if gdm is actually running before
trying to reload it.
- debian/libpam0g. postinst: the init script for 'samba' is now named
'smbd' in Ubuntu, so fix the restart handling.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches- applied/ pam_motd- legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update- motd.5, debian/ libpam- modules. manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/ update- motd-manpage- ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam- auth-update: Add the new md5sums for pam_umask addition.
* Dropped changes, included in Debian:
- debian/patches- applied/ update- motd: set a sane umask before calling
run-parts, and restore the old mask afterwards, so /run/motd gets
consistent permissions.
- debian/patches- applied/ update- motd: new module option for pam_motd,
'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
- debian/libpam0g. postinst: drop kdm from the list of services to
restart.
* Build-depend on libfl-dev in addition to flex, for cross-building
support. - 84. By Steve Langasek
-
* Merge from Debian unstable. Remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env. conf. (should send to
Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ pam_motd- legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update- motd.5, debian/ libpam- modules. manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/ update- motd-manpage- ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/libpam0g. postinst: drop kdm from the list of services to
restart.
- debian/libpam0g. postinst: check if gdm is actually running before
trying to reload it.
- debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam- auth-update: Add the new md5sums for pam_umask addition.
- add debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
(Closes: #583958)
* Dropped changes, included in Debian:
- debian/patches- applied/ CVE-2011- 3148.patch
- debian/patches- applied/ CVE-2011- 3149.patch
- debian/patches- applied/ update- motd: updated to use clean environment
and absolute paths in modules/pam_motd/ pam_motd. c.
* debian/libpam0g. postinst: the init script for 'samba' is now named 'smbd'
in Ubuntu, so fix the restart handling.
* debian/patches- applied/ update- motd: set a sane umask before calling
run-parts, and restore the old mask afterwards, so /run/motd gets
consistent permissions. LP: #871943.
* debian/patches- applied/ update- motd: new module option for pam_motd,
'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
LP: #805423. - 83. By Marc Deslauriers
-
* SECURITY UPDATE: possible code execution via incorrect environment file
parsing (LP: #874469)
- debian/patches- applied/ CVE-2011- 3148.patch: correctly count leading
whitespace when parsing environment file in modules/pam_env/ pam_env. c.
- CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
expansion (LP: #874565)
- debian/patches- applied/ CVE-2011- 3149.patch: when overflowing, exit
with PAM_BUF_ERR in modules/pam_env/ pam_env. c.
- CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
- debian/patches- applied/ update- motd: updated to use clean environment
and absolute paths in modules/pam_motd/ pam_motd. c.
- CVE-2011-XXXX - 82. By Kees Cook
-
* Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env. conf. (should send to
Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ pam_motd- legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update- motd.5, debian/ libpam- modules. manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/ update- motd-manpage- ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/libpam0g. postinst: drop kdm from the list of services to
restart.
- debian/libpam0g. postinst: check if gdm is actually running before
trying to reload it.
- debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam- auth-update: Add the new md5sums for pam_umask addition.
- add debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
(Closes: #583958)
* Dropped changes:
- debian/patches- applied/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
no need to bump the hard limit for number of file descriptors any more
since we read kernel limits directly now. - 81. By Martin Pitt
-
[ Steve Langasek ]
* debian/patches/ pam_motd- legal-notice: use pam_modutil_ gain/drop_ priv
common helper functions, instead of hand-rolled uid-setting code.[ Martin Pitt ]
* debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
(LP: #253096, UbuntuSpec:umask-to- 0002)
* debian/local/pam- auth-update: Add the new md5sum of above files.
* Add debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it from
/etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
This restores compatibility with the pre-PAM behaviour of login.
(Closes: #583958)
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/raring/pam
