lp:ubuntu/maverick-security/pam

Created by James Westby on 2010-10-25 and last modified on 2011-10-24
Get this branch:
bzr branch lp:ubuntu/maverick-security/pam
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

71. By Marc Deslauriers on 2011-10-18

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in modules/pam_env/pam_env.c.
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in modules/pam_env/pam_env.c.
  - CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
  - debian/patches-applied/update-motd: updated to use clean environment
    and absolute paths in modules/pam_motd/pam_motd.c.
  - CVE-2011-XXXX

70. By Marc Deslauriers on 2011-05-31

* SECURITY REGRESSION:
  - debian/patches/security-dropprivs.patch: updated patch to preserve
    ABI and prevent daemons from needing to be restarted. (LP: #790538)
  - debian/patches/autoconf.patch: refreshed

69. By Marc Deslauriers on 2011-05-19

* SECURITY UPDATE: multiple issues with lack of adequate privilege
  dropping
  - debian/patches/security-dropprivs.patch: introduce new privilege
    dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
    libpam/include/security/pam_modutil.h, libpam/libpam.map,
    modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
    modules/pam_xauth/pam_xauth.c.
  - CVE-2010-3316
  - CVE-2010-3430
  - CVE-2010-3431
  - CVE-2010-3435
  - CVE-2010-4706
  - CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
  - debian/patches/CVE-2010-3853.patch: use clean environment in
    modules/pam_namespace/pam_namespace.c.
  - CVE-2010-3853
* debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
  isn't needed for Ubuntu, and it needs to be rewritten to work with the
  massive privilege refactoring in the security patches.

68. By Kees Cook on 2010-10-25

* SECURITY UPDATE: root privilege escalation via symlink following.
  - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
  - CVE-2010-0832

67. By Steve Langasek on 2010-08-16

* Merge from Debian unstable, remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
    not present there or in /etc/security/pam_env.conf. (should send to
    Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
    run-parts does the right thing in /etc/update-motd.d.
  - debian/patches-applied/pam_motd-legal-notice: display the contents of
    /etc/legal once, then set a flag in the user's homedir to prevent
    showing it again.
  - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
    for update-motd, with some best practices and notes of explanation.
  - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
    to update-motd(5)

66. By Kees Cook on 2010-07-07

* SECURITY UPDATE: root privilege escalation via symlink following.
  - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
  - CVE-2010-0832

65. By Dustin Kirkland  on 2010-05-13

Trigger a rebuild, applying changes from 1.1.1-2ubuntu2 which
were previously not committed to bzr

64. By Steve Langasek on 2010-05-12

* Merge from Debian, remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
    present there or in /etc/security/pam_env.conf. (should send to Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
    run-parts does the right thing in /etc/update-motd.d.
  - debian/patches-applied/pam_motd-legal-notice: display the contents of
    /etc/legal once, then set a flag in the user's homedir to prevent showing
    it again.
* Dropped changes:
  - debian/local/common-{auth,account,password}.md5sums: include the
    Ubuntu-specific intrepid,jaunty md5sums for use during the
    common-session-noninteractive upgrade - upgrades to maverick are
    only supported from lucid, so this delta can be dropped.
  - debian/patches-applied/ubuntu-no-error-if-missingok: 'missingok' option
    is obsoleted by 10.04 LTS and no longer needs to be supported for
    upgrades.

63. By Dustin Kirkland  on 2010-04-13

* debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
  for update-motd, with some best practices and notes of explanation,
  LP: #562566
* debian/patches/update-motd-manpage-ref: add a reference in pam_mod(8)
  to update-motd(5), LP: #552175

62. By Steve Langasek on 2010-02-18

* Merge from Debian, remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
    present there or in /etc/security/pam_env.conf. (should send to Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
    module option 'missingok' which will suppress logging of errors by
    libpam if the module is not found.
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
    run-parts does the right thing in /etc/update-motd.d.
  - debian/patches-applied/pam_motd-legal-notice: display the contents of
    /etc/legal once, then set a flag in the user's homedir to prevent showing
    it again.
  - debian/local/common-{auth,account,password}.md5sums: include the
    Ubuntu-specific intrepid,jaunty md5sums for use during the
    common-session-noninteractive upgrade.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/pam
This branch contains Public information 
Everyone can see this information.

Subscribers