lp:ubuntu/oneiric-security/pam

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/oneiric-security/pam

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

83. By Marc Deslauriers

* SECURITY UPDATE: possible code execution via incorrect environment file
  parsing (LP: #874469)
  - debian/patches-applied/CVE-2011-3148.patch: correctly count leading
    whitespace when parsing environment file in modules/pam_env/pam_env.c.
  - CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
  expansion (LP: #874565)
  - debian/patches-applied/CVE-2011-3149.patch: when overflowing, exit
    with PAM_BUF_ERR in modules/pam_env/pam_env.c.
  - CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
  - debian/patches-applied/update-motd: updated to use clean environment
    and absolute paths in modules/pam_motd/pam_motd.c.
  - CVE-2011-XXXX
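
The two pam_env fixes in this revision (count only the bytes actually copied when assembling a logical line from the environment file, and fail with PAM_BUF_ERR instead of overflowing when a variable expansion grows too large) come down to one discipline: check the remaining capacity of the fixed destination buffer before every copy, and charge that budget for what is written, not for what was read. The C below is an added illustration written for this page, not Linux-PAM's pam_env.c. It reimplements a simplified line assembler and ${NAME} expander over an in-memory string (the real module reads a FILE*, also handles @{PAM_ITEM} references and the DEFAULT=/OVERRIDE= syntax, and uses its own buffer sizes); BUF_ERR stands in for PAM_BUF_ERR and demo_lookup is a constructed stand-in for the process environment.

```c
#include <ctype.h>
#include <string.h>

#define BUF_ERR (-1)   /* stands in for PAM_BUF_ERR (illustrative constant) */

/* Assemble the next logical line from *cursor (the whole file as one string;
 * Linux-PAM reads a FILE*, this example works in memory) into 'to' (capacity
 * to_size, NUL included): blank and '#' lines are skipped, a trailing '\'
 * joins the next physical line, each physical line's indentation is dropped.
 * Returns 1 when a line was stored, 0 at end of input, BUF_ERR if it would
 * not fit.  The budget is charged for the bytes actually copied (len), never
 * for the bytes consumed (which include skipped whitespace), before memcpy. */
static int assemble_line(const char **cursor, char *to, size_t to_size)
{
    const char *p = *cursor;
    size_t used = 0;
    int have_data = 0;
    to[0] = '\0';
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);       /* physical line */
        const char *next = eol ? eol + 1 : p + n;
        size_t skip = 0, len;
        int cont;
        while (skip < n && isspace((unsigned char)p[skip]))   /* indentation */
            skip++;
        p += skip;
        n -= skip;
        if (!have_data && (n == 0 || *p == '#')) {             /* blank/comment */
            p = next;
            continue;
        }
        cont = (n > 0 && p[n - 1] == '\\');
        len = cont ? n - 1 : n;
        if (used + len + 1 > to_size)                          /* would overflow */
            return BUF_ERR;
        memcpy(to + used, p, len);
        used += len;
        to[used] = '\0';
        have_data = 1;
        p = next;
        if (!cont)
            break;
    }
    *cursor = p;
    return have_data ? 1 : 0;
}

/* Constructed lookup table standing in for the process environment. */
static const char *demo_lookup(const char *name, size_t len)
{
    return (len == 4 && memcmp(name, "HOME", 4) == 0) ? "/home/alice" : NULL;
}

/* Expand ${NAME} references in 'in' into 'out' (capacity out_size); unknown
 * names expand to "".  Each copy is bound-checked first, and overflow returns
 * BUF_ERR instead of writing past 'out' (the CVE-2011-3149 strategy above). */
static int expand_value(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    while (*in) {
        const char *rep = NULL, *end;
        size_t rlen = 1;
        if (in[0] == '$' && in[1] == '{' && (end = strchr(in + 2, '}')) != NULL) {
            rep = demo_lookup(in + 2, (size_t)(end - (in + 2)));
            if (rep == NULL)
                rep = "";
            rlen = strlen(rep);
            in = end + 1;
        } else {
            rep = in++;                                /* ordinary byte, verbatim */
        }
        if (o + rlen + 1 > out_size)
            return BUF_ERR;
        memcpy(out + o, rep, rlen);
        o += rlen;
    }
    out[o] = '\0';
    return 0;
}

/* Check helpers: expect == NULL returns the raw status, else 1 iff exact match. */
static int check_assemble(const char *text, size_t cap, const char *expect)
{
    char to[128] = "";
    int r = cap <= sizeof to ? assemble_line(&text, to, cap) : -2;
    return expect ? (r == 1 && strcmp(to, expect) == 0) : r;
}

static int check_expand(const char *in, size_t cap, const char *expect)
{
    char out[128] = "";
    int r = cap <= sizeof out ? expand_value(in, out, cap) : -2;
    return expect ? (r == 0 && strcmp(out, expect) == 0) : r;
}
```

The interesting inputs are a heavily indented line whose raw length exceeds the buffer but whose content fits (must succeed, since the indentation is never copied), a line whose content alone exceeds the buffer (must return BUF_ERR before any write), and a sequence of expansions that individually fit but together do not.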

82. By Kees Cook

* Merge with Debian to get bug fix for unknown kernel rlimits. Remaining
  changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
    not present there or in /etc/security/pam_env.conf. (should send to
    Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - debian/patches-applied/pam_motd-legal-notice: display the contents of
    /etc/legal once, then set a flag in the user's homedir to prevent
    showing it again.
  - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
    for update-motd, with some best practices and notes of explanation.
  - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
    to update-motd(5)
  - debian/libpam0g.postinst: drop kdm from the list of services to
    restart.
  - debian/libpam0g.postinst: check if gdm is actually running before
    trying to reload it.
  - debian/local/common-session{,-noninteractive}: Enable pam_umask by
    default, now that the umask setting is gone from /etc/profile.
  - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
  - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
    Deprecate pam_unix' explicit "usergroups" option and instead read it
    from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
    there. This restores compatibility with the pre-PAM behaviour of login.
    (Closes: #583958)
* Dropped changes:
  - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
    no need to bump the hard limit for number of file descriptors any more
    since we read kernel limits directly now.

81. By Martin Pitt

[ Steve Langasek ]
* debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv
  common helper functions, instead of hand-rolled uid-setting code.

[ Martin Pitt ]
* debian/local/common-session{,-noninteractive}: Enable pam_umask by
  default, now that the umask setting is gone from /etc/profile.
  (LP: #253096, UbuntuSpec:umask-to-0002)
* debian/local/pam-auth-update: Add the new md5sum of above files.
* Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
  Deprecate pam_unix' explicit "usergroups" option and instead read it from
  /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
  This restores compatibility with the pre-PAM behaviour of login.
  (Closes: #583958)

80. By Steve Langasek

debian/patches-applied/update-motd-manpage-ref: refresh patch to apply
cleanly against new upstream.

79. By Steve Langasek

* Merge from Debian unstable, remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
    not present there or in /etc/security/pam_env.conf. (should send to
    Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
    bump the hard limit for number of file descriptors, to keep pace with
    the changes in the kernel.
  - debian/patches-applied/pam_motd-legal-notice: display the contents of
    /etc/legal once, then set a flag in the user's homedir to prevent
    showing it again.
  - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
    for update-motd, with some best practices and notes of explanation.
  - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
    to update-motd(5)
  - debian/libpam0g.postinst: drop kdm from the list of services to
    restart.
  - debian/libpam0g.postinst: check if gdm is actually running before
    trying to reload it.
  - New patch, lib_security_multiarch_compat, which lets us reuse the
    upstream --enable-isadir functionality to support a true path for
    module lookups; this way we don't have to force a hard transition to
    multiarch, but can support resolving modules in both the multiarch and
    non-multiarch directories.
  - build for multiarch, splitting our executables out of libpam-modules
    into a new package, libpam-modules-bin, so that modules can be
    co-installable between architectures.
* Dropped changes:
  - bumping the service restart version in libpam0g.postinst to ensure
    servers don't fail to find the pam modules in the new paths; the min
    version requirement upstream is higher than this now.

78. By Dustin Kirkland 

debian/patches-applied/update-motd: sanitize the environment before
calling run-parts, LP: #610125
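
Revisions 78 and 83 both change how pam_motd reaches run-parts: sanitize the environment and use absolute paths. The allow-list filter below is an added example written for this page, not the update-motd patch itself; the keep list, the CLEAN_PATH value, the /bin/run-parts location named in the comment and the constructed session environment are assumptions. The idea it demonstrates is that a privileged child inherits nothing by default: PATH is pinned rather than copied, and loader variables such as LD_PRELOAD never make it into the envp handed to execve(2).

```c
#include <stddef.h>
#include <string.h>

/* Names allowed through to the child (assumed short list for illustration). */
static const char *const keep_vars[] = { "TERM", "LANG", NULL };

/* PATH is never inherited; it is pinned so run-parts and everything it spawns
 * resolve binaries from system directories only (assumed value). */
#define CLEAN_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"

/* Return the "NAME=value" entry for NAME in a NULL-terminated envp, or NULL. */
static const char *env_lookup(const char *const *env, const char *name)
{
    size_t nlen = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, nlen) == 0 && (*env)[nlen] == '=')
            return *env;
    return NULL;
}

/* Build the child's environment from 'inherited' into 'out' (room for 'max'
 * pointers including the NULL terminator).  Only exact allow-listed names are
 * copied; a user-supplied PATH, LD_PRELOAD, LD_LIBRARY_PATH and anything else
 * is dropped.  Returns the number of entries or -1 if 'out' is too small. */
static int build_clean_env(const char *const *inherited, const char **out, size_t max)
{
    size_t n = 0;

    if (max < 2)
        return -1;
    out[n++] = CLEAN_PATH;
    for (; *inherited; inherited++) {
        const char *eq = strchr(*inherited, '=');
        size_t klen = eq ? (size_t)(eq - *inherited) : strlen(*inherited);
        for (const char *const *k = keep_vars; *k; k++) {
            if (strlen(*k) != klen || memcmp(*k, *inherited, klen) != 0)
                continue;
            if (n + 1 >= max)                 /* keep room for the terminator */
                return -1;
            out[n++] = *inherited;
            break;
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed session environment: what a hostile user might export before a
 * login so that a root-run child picks it up. */
static const char *const hostile_session[] = {
    "LD_PRELOAD=/tmp/evil.so",
    "PATH=/tmp/bin:/usr/bin",
    "TERM=xterm",
    "LANGUAGE=de_DE",           /* shares a prefix with LANG; must not match */
    "LANG=C.UTF-8",
    NULL
};

const char *demo_env[8];

/* Filter the constructed environment.  The result is what the caller would
 * pass as envp to execve("/bin/run-parts", argv, demo_env): an absolute
 * program path (assumed location) plus an environment it fully controls. */
int run_demo(void)
{
    return build_clean_env(hostile_session, demo_env, sizeof demo_env / sizeof demo_env[0]);
}
```

Matching on the full name up to '=' matters: a prefix comparison would let LANGUAGE ride along on the LANG entry, which is the kind of accidental pass-through an allow list is meant to rule out.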

77. By Stéphane Graber

Check if gdm is actually running before trying to reload it. (LP: #745532)

76. By Steve Langasek

debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel. Fortunately this shadowing should all go
away next cycle when we can start to grab defaults directly from /proc.
LP: #663090

75. By Steve Langasek

debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
keeps libpam loaded persistently at runtime, so it's not necessary to
force a kdm restart on ABI bump. Which is good, since restarting kdm
now seems to also log users out of running sessions, which we rather
want to avoid. LP: #744944.

74. By Steve Langasek

* Force a service restart on upgrade to the new libpam0g, to ensure
  servers don't fail to find the pam modules in the new paths.
* libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
  for the same reason.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/precise/pam