Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/natty-updates/pam
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

80. By Marc Deslauriers

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in modules/pam_env/pam_env.c.
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in modules/pam_env/pam_env.c.
  - CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
  - debian/patches-applied/update-motd: updated to use clean environment
    and absolute paths in modules/pam_motd/pam_motd.c.
  - CVE-2011-XXXX

79. By Marc Deslauriers

  - debian/patches/security-dropprivs.patch: updated patch to preserve
    ABI and prevent daemons from needing to be restarted. (LP: #790538)
  - debian/patches/autoconf.patch: refreshed

78. By Marc Deslauriers

* SECURITY UPDATE: multiple issues with lack of adequate privilege
  - debian/patches/security-dropprivs.patch: introduce new privilege
    dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,
    libpam/include/security/pam_modutil.h, libpam/libpam.map,
    modules/pam_env/pam_env.c, modules/pam_mail/pam_mail.c,
  - CVE-2010-3430
  - CVE-2010-3431
  - CVE-2010-3435
  - CVE-2010-4706
  - CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
  - debian/patches/CVE-2010-3853.patch: use clean environment in
  - CVE-2010-3853
* debian/patches-applied/series: disable hurd_no_setfsuid patch, as it
  isn't needed for Ubuntu, and it needs to be rewritten to work with the
  massive privilege refactoring in the security patches.

77. By St├ęphane Graber

Check if gdm is actually running before trying to reload it. (LP: #745532)

76. By Steve Langasek

bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel. Fortunately this shadowing should all go
away next cycle when we can start to grab defaults directly from /proc.
LP: #663090

75. By Steve Langasek

debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
keeps libpam loaded persistently at runtime, so it's not necessary to
force a kdm restart on ABI bump. Which is good, since restarting kdm
now seems to also log users out of running sessions, which we rather
want to avoid. LP: #744944.

74. By Steve Langasek

* Force a service restart on upgrade to the new libpam0g, to ensure
  servers don't fail to find the pam modules in the new paths.
* libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
  for the same reason.

73. By Steve Langasek

* Build for multiarch; FFe LP: #733501.
* Split our executables out of libpam-modules into a new package,
  libpam-modules-bin, so that modules can be co-installable between
* New patch, lib_security_multiarch_compat, which lets us reuse the
  upstream --enable-isadir functionality to support a true path for module
  lookups; this way we don't have to force a hard transition to multiarch,
  but can support resolving modules in both the multiarch and
  non-multiarch directories.
* Build-Depend on the multiarchified debhelper.
* Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support.

72. By Steve Langasek

Er, but let's get this patch applying cleanly.

71. By Steve Langasek

debian/patches/update-motd-manpage-ref: patch the manpage too, not just
the xml source.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.