lp:ubuntu/natty-security/pam

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/natty-security/pam

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

80. By Marc Deslauriers

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in modules/pam_env/pam_env.c.
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in modules/pam_env/pam_env.c.
  - CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
  - debian/patches-applied/update-motd: updated to use clean environment
    and absolute paths in modules/pam_motd/pam_motd.c.
  - CVE-2011-XXXX

79. By Marc Deslauriers

* SECURITY REGRESSION:
  - debian/patches/security-dropprivs.patch: updated patch to preserve
    ABI and prevent daemons from needing to be restarted. (LP: #790538)
  - debian/patches/autoconf.patch: refreshed

78. By Marc Deslauriers

* SECURITY UPDATE: multiple issues with lack of adequate privilege
  dropping
  - debian/patches/security-dropprivs.patch: introduce new privilege
    dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
    libpam/include/security/pam_modutil.h, libpam/libpam.map,
    modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
    modules/pam_xauth/pam_xauth.c.
  - CVE-2010-3430
  - CVE-2010-3431
  - CVE-2010-3435
  - CVE-2010-4706
  - CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
  - debian/patches/CVE-2010-3853.patch: use clean environment in
    modules/pam_namespace/pam_namespace.c.
  - CVE-2010-3853
* debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
  isn't needed for Ubuntu, and it needs to be rewritten to work with the
  massive privilege refactoring in the security patches.

77. By Stéphane Graber

Check if gdm is actually running before trying to reload it. (LP: #745532)

76. By Steve Langasek

debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel. Fortunately this shadowing should all go
away next cycle when we can start to grab defaults directly from /proc.
LP: #663090

75. By Steve Langasek

debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
keeps libpam loaded persistently at runtime, so it's not necessary to
force a kdm restart on ABI bump. Which is good, since restarting kdm
now seems to also log users out of running sessions, which we rather
want to avoid. LP: #744944.

74. By Steve Langasek

* Force a service restart on upgrade to the new libpam0g, to ensure
  servers don't fail to find the pam modules in the new paths.
* libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
  for the same reason.

73. By Steve Langasek

* Build for multiarch; FFe LP: #733501.
* Split our executables out of libpam-modules into a new package,
  libpam-modules-bin, so that modules can be co-installable between
  architectures.
* New patch, lib_security_multiarch_compat, which lets us reuse the
  upstream --enable-isadir functionality to support a true path for module
  lookups; this way we don't have to force a hard transition to multiarch,
  but can support resolving modules in both the multiarch and
  non-multiarch directories.
* Build-Depend on the multiarchified debhelper.
* Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support.

72. By Steve Langasek

Er, but let's get this patch applying cleanly.

71. By Steve Langasek

debian/patches/update-motd-manpage-ref: patch the manpage too, not just
the xml source.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/oneiric/pam