lp:ubuntu/precise-security/nss-pam-ldapd
- Get this branch:
- bzr branch lp:ubuntu/precise-security/nss-pam-ldapd
Recent revisions
- 16. By Nicola Heald
* SECURITY UPDATE: denial of service related to incorrect use
of the FD_SET macro.
- http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
- common/tio.c added checks to make sure the file descriptor
can be stored in the file descriptor set, from upstream patch
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
- CVE-2013-0288
- LP: #1347614
- 15. By Arthur de Jong
* Upload to unstable
* switch to using the member attribute by default instead of
uniqueMember (backwards incompatible change)
* only return "x" as a password hash when the object has the shadowAccount
objectClass and nsswitch.conf is configured to do shadow lookups using
LDAP (this avoids some problems with pam_unix)
* fix problem with partial attribute name matches in DN (thanks Timothy
White)
* fix a problem with objectSid mappings with recent versions of OpenLDAP
(patch by Wesley Mason)
* set the socket timeout in a connection callback to avoid timeout
issues during the SSL handshake (patch by Stefan Völkel)
* check for unknown variables in pam_authz_search
* only check password expiration when authenticating, only check account
expiration when doing authorisation
* make buffer sizes consistent and grow all buffers holding string
representations of numbers to be able to hold 64-bit numbers
* update AX_PTHREAD from autoconf-archive
* support querying DNS SRV records from a different domain than the current
one (based on a patch by James M. Leddy)
* fix a problem with uninitialised memory while parsing the tls_ciphers
option (closes: #638872) (but doesn't work yet due to #640384)
* implement bounds checking of numeric values read from LDAP (patch by
Jakub Hrozek)
* correctly support large uid and gid values from LDAP (patch by Jakub
Hrozek)
* improvements to the configure script (patch by Jakub Hrozek)
* switch to dh for debian/rules and bump debhelper compatibility to 8
* build Debian packages with multiarch support
* ship shlibs (but still no symbol files) for libnss-ldapd since that was
the easiest way to support multiarch
* fix output in init script when restarting nslcd (closes: #637132)
* correctly handle leading and trailing spaces in preseeded debconf uri
option (patch by Andreas B. Mundt) (closes: #637863)
* support spaces around database names in /etc/nsswitch.conf while
configuring package (closes: #640185)
* updated Russian debconf translation by Yuri Kozlov (closes: #637751)
* updated French debconf translation by Christian Perrier (closes: #637756)
* added Slovak debconf translation by Slavko (closes: #637759)
* updated Danish debconf translation by Joe Hansen (closes: #637763)
* updated Brazilian Portuguese debconf translation by Denis Doria
* updated Portuguese debconf translation by Américo Monteiro
* updated Japanese debconf translation by Kenshi Muto (closes: #638195)
* updated Czech debconf translation by Miroslav Kure (closes: #639026)
* updated German debconf translation by Chris Leick (closes: #639107)
* updated Spanish debconf translation by Francisco Javier Cuadrado
(closes: #639236)
* updated Dutch debconf translation by Arthur de Jong with help from Paul
Gevers and Jeroen Schot
- 14. By Arthur de Jong
* fix handling of idle_timelimit option
* fix error code for problem while doing password modification
- 13. By Arthur de Jong
set a short socket timeout when shutting down the connection to the LDAP
server to avoid disconnect problems when using TLS
(addresses part of #596983)
- 12. By Arthur de Jong
* updated Vietnamese debconf translation by Clytie Siddall (closes: #598500)
* grow the buffer for the PAM ruser to not reject logins for users with
a ruser including a domain part (closes: #600065)
- 11. By Arthur de Jong
handle errors from ldap_result() better and disconnect (and reconnect)
in more cases (closes: #596983)
- 10. By Arthur de Jong
* fix for --with-nss-ldap-soname configure option by Julien Cristau
* fix double "be" in English template thanks to Christian Perrier
(closes: #593646)
* updated Czech debconf translation by Miroslav Kure (closes: #593510)
* updated Simplified Chinese debconf translation by zym
* updated Italian debconf translation by Vincenzo Campanella
* updated Japanese debconf translation by Kenshi Muto (closes: #593692)
* updated Danish debconf translation by Joe Hansen (closes: #594205)
* updated French debconf translation by Christian Perrier (closes: #594311)
* updated German debconf translation by Chris Leick (closes: #594456)
* updated Catalan debconf translation by Agusti Grau
* updated Swedish debconf translation by Martin Ågren (closes: #594679)
* updated Spanish debconf translation by Francisco Javier Cuadrado
(closes: #594723)
- 9. By Arthur de Jong
* minor portability improvements and clean-ups (thanks Alexander V.
Chernikov and Ted C. Cheng)
* don't expand variables in rest of ${var:-rest} and ${var:+rest}
expressions if it is not needed (closes: #592320)
* libpam-ldapd.postinst: offer to add ldap to shadow in nsswitch.conf if
a potential broken configuration is found (closes: #592104)
(thanks to Justin B Rye for the template review)
* merge the suggests of libnss-ldapd and libpam-ldapd into those of the
nslcd package to have a single consistent list of PAM alternatives
(closes: #591773)
* add libpam-sss as an alternative to libpam-ldapd (closes: #591773)
* upgrade to standards-version 3.9.1 (no changes needed)
* updated Portuguese debconf translation by Américo Monteiro
(closes: #593404)
* updated Russian debconf translation by Yuri Kozlov (closes: #593491)
* added Norwegian Bokmål debconf translation by Bjørn Steensrud
(closes: #593501)
- 8. By Arthur de Jong
* don't use use_authtok for password modification by default
* fine-tune pam-auth-update configuration after discussion with Steve
Langasek (see: #583492)
Note that this currently requires that shadow information is also provided
by LDAP (in /etc/nsswitch.conf).
* ensure that nslcd is started after hostname lookups are available so
getting to the LDAP server via DNS will work (patch by Petter
Reinholdtsen) (closes: #585968)
* start k5start from the init script to keep the Kerberos ticket active if
nslcd is configured for SASL GSSAPI Kerberos authentication, based on a
patch by Daniel Dehennin (closes: #585639)
* upgrade to standards-version 3.9.0 (switch to Breaks/Replaces instead of
Conflicts)
* refactoring and simplification of PAM module which also improves logging
* implement a nullok PAM option and disable empty passwords by default
* portability improvements and other minor code improvements
* the mechanism to disable name lookups through LDAP from within the nslcd
process has been improved
* the undocumented use_sasl option has been removed (specifying sasl_mech
now implies use_sasl)
* the sasl_mech, sasl_realm, sasl_authcid, sasl_authzid and sasl_secprops
configuration options are now documented
- 7. By Arthur de Jong
* include libpam-heimdal in libnss-ldapd recommends list of PAM
implementations (closes: #582407)
* fix a problem with empty attributes if expression-based attribute
mapping is used (patch by Nalin Dahyabhai)
* make debug logging for pam_authz_search option a little more informative
* documentation improvements
* update pam-auth-update configuration to always perform LDAP authorisation
for LDAP users
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/utopic/nss-pam-ldapd