lp:ubuntu/oneiric-security/pam
- Get this branch:
- bzr branch lp:ubuntu/oneiric-security/pam
Branch merges
Branch information
Recent revisions
- 83. By Marc Deslauriers
-
* SECURITY UPDATE: possible code execution via incorrect environment file
parsing (LP: #874469)
- debian/patches- applied/ CVE-2011- 3148.patch: correctly count leading
whitespace when parsing environment file in modules/pam_env/ pam_env. c.
- CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
expansion (LP: #874565)
- debian/patches- applied/ CVE-2011- 3149.patch: when overflowing, exit
with PAM_BUF_ERR in modules/pam_env/ pam_env. c.
- CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
- debian/patches- applied/ update- motd: updated to use clean environment
and absolute paths in modules/pam_motd/ pam_motd. c.
- CVE-2011-XXXX - 82. By Kees Cook
-
* Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env. conf. (should send to
Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ pam_motd- legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update- motd.5, debian/ libpam- modules. manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/ update- motd-manpage- ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/libpam0g. postinst: drop kdm from the list of services to
restart.
- debian/libpam0g. postinst: check if gdm is actually running before
trying to reload it.
- debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam- auth-update: Add the new md5sums for pam_umask addition.
- add debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
(Closes: #583958)
* Dropped changes:
- debian/patches- applied/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
no need to bump the hard limit for number of file descriptors any more
since we read kernel limits directly now. - 81. By Martin Pitt
-
[ Steve Langasek ]
* debian/patches/ pam_motd- legal-notice: use pam_modutil_ gain/drop_ priv
common helper functions, instead of hand-rolled uid-setting code.[ Martin Pitt ]
* debian/local/common- session{ ,-noninteractiv e}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
(LP: #253096, UbuntuSpec:umask-to- 0002)
* debian/local/pam- auth-update: Add the new md5sum of above files.
* Add debian/patches- applied/ pam_umask_ usergroups_ from_login. defs.patch:
Deprecate pam_unix' explicit "usergroups" option and instead read it from
/etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
This restores compatibility with the pre-PAM behaviour of login.
(Closes: #583958) - 80. By Steve Langasek
-
debian/
patches- applied/ update- motd-manpage- ref: refresh patch to apply
cleanly against new upstream. - 79. By Steve Langasek
-
* Merge from Debian unstable, remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env. conf. (should send to
Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel.
- debian/patches- applied/ pam_motd- legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update- motd.5, debian/ libpam- modules. manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/ update- motd-manpage- ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/libpam0g. postinst: drop kdm from the list of services to
restart.
- debian/libpam0g. postinst: check if gdm is actually running before
trying to reload it.
- New patch, lib_security_multiarch_ compat, which lets us reuse the
upstream --enable-isadir functionality to support a true path for
module lookups; this way we don't have to force a hard transition to
multiarch, but can support resolving modules in both the multiarch and
non-multiarch directories.
- build for multiarch, splitting our executables out of libpam-modules
into a new package, libpam-modules-bin, so that modules can be
co-installable between architectures.
* Dropped changes:
- bumping the service restart version in libpam0g.postinst to ensure
servers don't fail to find the pam modules in the new paths; the min
version requirement upstream is higher than this now. - 78. By Dustin Kirkland
-
debian/
patches- applied/ update- motd: santize the environment before
calling run-parts, LP: #610125 - 76. By Steve Langasek
-
debian/
patches- applied/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel. Fortunately this shadowing should all go
away next cycle when we can start to grab defaults directly from /proc.
LP: #663090 - 75. By Steve Langasek
-
debian/
libpam0g. postinst: according to Kubuntu developers, kdm no longer
keeps libpam loaded persistently at runtime, so it's not necessary to
force a kdm restart on ABI bump. Which is good, since restarting kdm
now seems to also log users out of running sessions, which we rather
want to avoid. LP: #744944. - 74. By Steve Langasek
-
* Force a service restart on upgrade to the new libpam0g, to ensure
servers don't fail to find the pam modules in the new paths.
* libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
for the same reason.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/precise/pam