Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/pam
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

30. By Marc Deslauriers

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in Linux-PAM/modules/pam_env/pam_env.c.
  - CVE-2011-3149

29. By Marc Deslauriers

  - debian/patches/security-dropprivs.patch: updated patch to preserve
    ABI and prevent daemons from needing to be restarted. (LP: #790538)
  - debian/patches/autoconf.patch: refreshed

28. By Marc Deslauriers

* SECURITY UPDATE: denial of service or privilege escalation via
  non-ASCII usernames
  - debian/patches/CVE-2009-0887.patch: fix signedness error in
  - CVE-2009-0887
* SECURITY UPDATE: multiple issues with lack of adequate privilege
  - debian/patches/security-dropprivs.patch: introduce new privilege
    dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
    libpam/include/security/pam_modutil.h, libpam/libpam.map,
    modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
  - CVE-2010-3316
  - CVE-2010-3430
  - CVE-2010-3431
  - CVE-2010-3435
  - CVE-2010-4706
  - CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
  - debian/patches/CVE-2010-3853.patch: use clean environment in
  - CVE-2010-3853
* debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
  isn't needed for Ubuntu, and it needs to be rewritten to work with the
  massive privilege refactoring in the security patches.
* debian/control: added Pre-Depends to libpam-modules so it won't get
  updated without pulling in the updated libpam0g.

27. By Steve Langasek

debian/local/common-{auth,password}, debian/libpam-runtime.postinst:
Add pam_smbpass as an optional module in the stack, to keep NTLM
passwords (for filesharing) in sync with the main system passwords on a
best-effort basis. LP: #208419.

26. By Martin Pitt

debian/local/common-session: Drop libpam-foreground. It's gone for good,
and we do not want this in the PAM config for new installations, since it
just spams syslog with error messages. (LP: #198714)

25. By Caleb Case <email address hidden>

ubuntu-pam_selinux_seusers: patch pam_selinux to correctly support
seusers (backported from changes in PAM 0.99.8). Without this patch
login will not get correct security context when using libselinux
>= 1.27.2 (LP: #187822).

24. By Martin Pitt

Temporarily reenable libpam-foreground in common-session again, until
dbus' at_console policy works with ConsoleKit.

23. By Martin Pitt

* debian/local/common-session{,.md5sums}, debian/control: Drop
  libpam-foreground, superseded by ConsoleKit integration into hal.
* debian/control: Build against libdb4.6 again. This drops this Debian delta
  and 4.6 is our target version in Hardy.

22. By Steve Langasek

* Resynchronise with Debian. Remaining changes:
  - debian/control, debian/local/common-session{,md5sums}: use
    libpam-foreground for session management.
  - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
    The nis package handles overriding this as necessary.
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
    present there or in /etc/security/pam_env.conf.
  - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
    type rather than __u8.
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
    RLIMIT_NICE from below as well as from above. Fix off-by-one error when
    converting RLIMIT_NICE to the range of values used by the kernel.
    (Originally patch 101; converted to quilt.)
  - debian/patches-applied/ubuntu-user_defined_environment: Look at
    ~/.pam_environment too, with the same format as
    /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
  - debian/patches-applied/ubuntu-regression_fix_securetty: securetty's
    earlier behavior would correctly prompt for password on bad usernames
    (LP: #139075).
  - Build using db4.5 instead of db4.6.
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running (LP: #141309).
* debian/libpam0g.postinst: don't display a debconf warning about display
  managers that need restarting when update-manager is running, instead
  signal to update-notifier if a reboot is required.

21. By Kees Cook

* debian/libpam0g.postinst: call "reload" for all display managers
  (LP: #139065).
* debian/libpam0g.postinst: only ask questions during update-manager when
  there are non-default services running (LP: #141309).

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.