lp:ubuntu/precise-security/nss-pam-ldapd

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/precise-security/nss-pam-ldapd

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

16. By Nicola Heald

* SECURITY UPDATE: denial of service related to incorrect use
  of the FD_SET macro.
  - http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288
  - common/tio.c added checks to make sure the file descriptor
    can be stored in the file descriptor set, from upstream patch
    http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=7867b93f9a7c76b96f1571cddc1de0811134bb81
  - CVE-2013-0288
  - LP: #1347614

15. By Arthur de Jong

* Upload to unstable
* switch to using the member attribute by default instead of
  uniqueMember (backwards incompatible change)
* only return "x" as a password hash when the object has the shadowAccount
  objectClass and nsswitch.conf is configured to do shadow lookups using
  LDAP (this avoids some problems with pam_unix)
* fix problem with partial attribute name matches in DN (thanks Timothy
  White)
* fix a problem with objectSid mappings with recent versions of OpenLDAP
  (patch by Wesley Mason)
* set the socket timeout in a connection callback to avoid timeout
  issues during the SSL handshake (patch by Stefan Völkel)
* check for unknown variables in pam_authz_search
* only check password expiration when authenticating, only check account
  expiration when doing authorisation
* make buffer sizes consistent and grow all buffers holding string
  representations of numbers to be able to hold 64-bit numbers
* update AX_PTHREAD from autoconf-archive
* support querying DNS SRV records from a different domain than the current
  one (based on a patch by James M. Leddy)
* fix a problem with uninitialised memory while parsing the tls_ciphers
  option (closes: #638872) (but doesn't work yet due to #640384)
* implement bounds checking of numeric values read from LDAP (patch by
  Jakub Hrozek)
* correctly support large uid and gid values from LDAP (patch by Jakub
  Hrozek)
* improvements to the configure script (patch by Jakub Hrozek)
* switch to dh for debian/rules and bump debhelper compatibility to 8
* build Debian packages with multiarch support
* ship shlibs (but still no symbol files) for libnss-ldapd since that was
  the easiest way to support multiarch
* fix output in init script when restarting nslcd (closes: #637132)
* correctly handle leading and trailing spaces in preseeded debconf uri
  option (patch by Andreas B. Mundt) (closes: #637863)
* support spaces around database names in /etc/nsswitch.conf while
  configuring package (closes: #640185)
* updated Russian debconf translation by Yuri Kozlov (closes: #637751)
* updated French debconf translation by Christian Perrier (closes: #637756)
* added Slovak debconf translation by Slavko (closes: #637759)
* updated Danish debconf translation by Joe Hansen (closes: #637763)
* updated Brazilian Portuguese debconf translation by Denis Doria
* updated Portuguese debconf translation by Américo Monteiro
* updated Japanese debconf translation by Kenshi Muto (closes: #638195)
* updated Czech debconf translation by Miroslav Kure (closes: #639026)
* updated German debconf translation by Chris Leick (closes: #639107)
* updated Spanish debconf translation by Francisco Javier Cuadrado
  (closes: #639236)
* updated Dutch debconf translation by Arthur de Jong with help from Paul
  Gevers and Jeroen Schot

14. By Arthur de Jong

* fix handling of idle_timelimit option
* fix error code for problem while doing password modification

13. By Arthur de Jong

set a short socket timeout when shutting down the connection to the LDAP
server to avoid disconnect problems when using TLS
(addresses part of #596983)

12. By Arthur de Jong

* updated Vietnamese debconf translation by Clytie Siddall (closes: #598500)
* grow the buffer for the PAM ruser to not reject logins for users with
  a ruser including a domain part (closes: #600065)

11. By Arthur de Jong

handle errors from ldap_result() better and disconnect (and reconnect)
in more cases (closes: #596983)

10. By Arthur de Jong

* fix for --with-nss-ldap-soname configure option by Julien Cristau
* fix double "be" in English template thanks to Christian Perrier
  (closes: #593646)
* updated Czech debconf translation by Miroslav Kure (closes: #593510)
* updated Simplified Chinese debconf translation by zym
* updated Italian debconf translation by Vincenzo Campanella
* updated Japanese debconf translation by Kenshi Muto (closes: #593692)
* updated Danish debconf translation by Joe Hansen (closes: #594205)
* updated French debconf translation by Christian Perrier (closes: #594311)
* updated German debconf translation by Chris Leick (closes: #594456)
* updated Catalan debconf translation by Agusti Grau
* updated Swedish debconf translation by Martin Ågren (closes: #594679)
* updated Spanish debconf translation by Francisco Javier Cuadrado
  (closes: #594723)

9. By Arthur de Jong

* minor portability improvements and clean-ups (thanks Alexander V.
  Chernikov and Ted C. Cheng)
* don't expand variables in rest of ${var:-rest} and ${var:+rest}
  expressions if it is not needed (closes: #592320)
* libpam-ldapd.postinst: offer to add ldap to shadow in nsswitch.conf if
  a potential broken configuration is found (closes: #592104)
  (thanks to Justin B Rye for the template review)
* merge the suggests of libnss-ldapd and libpam-ldapd into those of the
  nslcd package to have a single consistent list of PAM alternatives
  (closes: #591773)
* add libpam-sss as an alternative to libpam-ldapd (closes: #591773)
* upgrade to standards-version 3.9.1 (no changes needed)
* updated Portuguese debconf translation by Américo Monteiro
  (closes: #593404)
* updated Russian debconf translation by Yuri Kozlov (closes: #593491)
* added Norwegian Bokmål debconf translation by Bjørn Steensrud
  (closes: #593501)

8. By Arthur de Jong

* don't use use_authtok for password modification by default
* fine-tune pam-auth-update configuration after discussion with Steve
  Langasek (see: #583492)
  Note that this currently requires that shadow information is also provided
  by LDAP (in /etc/nsswitch.conf).
* ensure that nslcd is started after hostname lookups are available so
  getting to the LDAP server via DNS will work (patch by Petter
  Reinholdtsen) (closes: #585968)
* start k5start from the init script to keep the Kerberos ticket active if
  nslcd is configured for SASL GSSAPI Kerberos authentication, based on a
  patch by Daniel Dehennin (closes: #585639)
* upgrade to standards-version 3.9.0 (switch to Breaks/Replaces instead of
  Conflicts)
* refactoring and simplification of PAM module which also improves logging
* implement a nullok PAM option and disable empty passwords by default
* portability improvements and other minor code improvements
* the mechanism to disable name lookups through LDAP from within the nslcd
  process has been improved
* the undocumented use_sasl option has been removed (specifying sasl_mech
  now implies use_sasl)
* the sasl_mech, sasl_realm, sasl_authcid, sasl_authzid and sasl_secprops
  configuration options are now documented

7. By Arthur de Jong

* include libpam-heimdal in libnss-ldapd recommends list of PAM
  implementations (closes: #582407)
* fix a problem with empty attributes if expression-based attribute
  mapping is used (patch by Nalin Dahyabhai)
* make debug logging for pam_authz_search option a little more informative
* documentation improvements
* update pam-auth-update configuration to always perform LDAP authorisation
  for LDAP users

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/utopic/nss-pam-ldapd