ubuntu/+source/pam:ubuntu/precise-security

Last commit made on 2016-03-17
Get this branch:
git clone -b ubuntu/precise-security https://git.launchpad.net/ubuntu/+source/pam
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/precise-security
Repository: lp:ubuntu/+source/pam

Recent commits

0bd21f6... by Tyler Hicks on 2016-03-17

Import patches-unapplied version 1.1.3-7ubuntu2.3 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 838acbf54a0ab0b1a207ffd99af0b50b21f600c7

New changelog entries:
  * SECURITY REGRESSION: multiarch update issue (LP: #1558597)
    - debian/patches-applied/cve-2015-3238.patch: Readd the manpage XML
      changes and also add the regenerated man pages to the patch. It is
      required to add the regenerated man pages to the patch because the build
      dependencies to regenerate the man pages are only installed during i386
      builds.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch: Add
      the changes after regenerating pam_umask.8 to the patch for the reasons
      mentioned above.

838acbf... by Marc Deslauriers on 2016-03-16

Import patches-unapplied version 1.1.3-7ubuntu2.2 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 78944936efc6dbdb3a7c775c03f519158681318b

New changelog entries:
  * SECURITY REGRESSION: multiarch update issue (LP: #1558114)
    - debian/patches-applied/cve-2015-3238.patch: removed manpage changes
      so they don't get regenerated during build.
    - CVE-2015-3238

7894493... by Marc Deslauriers on 2016-03-15

Import patches-unapplied version 1.1.3-7ubuntu2.1 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 0a190c3ada7cb6530be4af6d60faf2948261b54f

New changelog entries:
  * SECURITY UPDATE: pam_userdb case-insensitive search issue
    - debian/patches-applied/cve-2013-7041.patch: fix password hash
      comparison in modules/pam_userdb/pam_userdb.c.
    - CVE-2013-7041
  * SECURITY UPDATE: directory traversal issue in pam_timestamp
    - debian/patches-applied/cve-2014-2583.patch: fix potential directory
      traversal issue in modules/pam_timestamp/pam_timestamp.c.
    - CVE-2014-2583
  * SECURITY UPDATE: username enumeration via large passwords
    - debian/patches-applied/cve-2015-3238.patch: limit password size to
      prevent a helper function hang in modules/pam_exec/pam_exec.8.xml,
      modules/pam_exec/pam_exec.c, modules/pam_unix/pam_unix.8.xml,
      modules/pam_unix/pam_unix_passwd.c, modules/pam_unix/passverify.c,
      modules/pam_unix/passverify.h, modules/pam_unix/support.c.
    - CVE-2015-3238

0a190c3... by Steve Langasek on 2012-02-09

Import patches-unapplied version 1.1.3-7ubuntu2 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: 99278f5ab189b9b6acdf857592536185901965f0

New changelog entries:
  * No-change rebuild with gzip 1.4-1ubuntu2 to get multiarch-clean
    compression of manpages. LP: #871083.

99278f5... by Steve Langasek on 2012-01-28

Import patches-unapplied version 1.1.3-7ubuntu1 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: 0260ad338b33a4b9d95e026676b96ecc0cc9b6d4

New changelog entries:
  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - Build-depend on libfl-dev in addition to flex, for cross-building
      support.

0260ad3... by Steve Langasek on 2012-01-28

Import patches-unapplied version 1.1.3-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4b419b7bfa39c3d6e1294e8f20520993bd81658e

New changelog entries:
  * Updated debconf translations:
    - Danish, thanks to Joe Dalton <email address hidden> (closes: #648382)
    - French, thanks to Jean-Baka Domelevo Entfellner <email address hidden>
      (closes: #649850)
    - Dutch, thanks to Jeroen Schot <email address hidden>
      (closes: #650755)
    - Russian, thanks to Yuri Kozlov <email address hidden> (closes: #650867)
    - Portuguese, thanks to Pedro Ribeiro <email address hidden>
      (closes: #652493)
    - German, thanks to Sven Joachim <email address hidden> (closes: #653407)
    - Spanish, thanks to Javier Fernandez-Sanguino Peña <email address hidden>
      (closes: #654043)
    - Bulgarian, thanks to Damyan Ivanov <email address hidden> (closes: #656518)
    - Slovak, thanks to Ivan Masár <email address hidden> (closes: #656521)
    - Japanese, thanks to Kenshi Muto <email address hidden> (closes: #656834)
    - Polish, thanks to Michał Kułach <email address hidden>
      (closes: #657476)
    - Catalan, thanks to Innocent De Marchi <email address hidden>
      (closes: #657489)
    - Czech, thanks to Miroslav Kure <email address hidden>
      (closes: #657578)
    - Swedish, thanks to Martin Bagge <email address hidden> (closes: #651349)

4b419b7... by Steve Langasek on 2011-11-07

Import patches-unapplied version 1.1.3-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 314b7ab7fe38a8a266c9cec772e905ac77ca2060

New changelog entries:
  * debian/patches-applied/hurd_no_setfsuid: we don't want to check all
    setre*id() calls; we know that there are situations where some of these
    may fail but we don't care. As long as the last setre*id() call in each
    set succeeds, that's the state we mean to be in.
  * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
    keeps libpam loaded persistently at runtime, so it's not necessary to
    force a kdm restart on ABI bump. Which is good, since restarting kdm
    now seems to also log users out of running sessions, which we rather
    want to avoid. Closes: #632673, LP: #744944.
  * debian/patches-applied/update-motd: set a sane umask before calling
    run-parts, and restore the old mask afterwards, so /run/motd gets
    consistent permissions. LP: #871943.
  * debian/patches-applied/update-motd: new module option for pam_motd,
    'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
    LP: #805423.
  * debian/libpam0g.templates, debian/libpam0g.postinst: add a new question,
    libraries/restart-without-asking, that allows admins to accept the
    service restarts once for all so that they don't have to repeatedly
    say "ok". LP: #745004.
  * debian/libpam-runtime.templates, debian/local/pam-auth-update: add a
    new 'title' template, so pam-auth-update doesn't give a blank title
    when called outside of a maintainer script. LP: #882794.

314b7ab... by Steve Langasek on 2011-10-28

Import patches-unapplied version 1.1.3-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4e03ac33d290da60ad627a30fc8a808b10c1a92a

New changelog entries:
  [ Kees Cook ]
  * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use
    setresgid() to wipe out saved-gid just in case.
  * debian/patches-applied/008_modules_pam_limits_chroot:
    - fix off-by-one when parsing configuration file.
    - when using chroot, chdir() to root to lose links to old tree.
  * debian/patches-applied/022_pam_unix_group_time_miscfixes,
    debian/patches-applied/026_pam_unix_passwd_unknown_user,
    debian/patches-applied/054_pam_security_abstract_securetty_handling:
    improve descriptions.
  * debian/patches-applied/{007_modules_pam_unix,055_pam_unix_nullok_secure}:
    drop unneeded no-op change to reduce delta from upstream.
  * debian/patches-applied/hurd_no_setfsuid: check all set*id() calls.
  * debian/patches-applied/update-motd: correctly clear environment when
    building motd.
  * debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow
    in environment file parsing (CVE-2011-3148).
  * debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment
    file parsing (CVE-2011-3149).

4e03ac3... by Steve Langasek on 2011-09-25

Import patches-unapplied version 1.1.3-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 093f9de3abc56ba383dd4cb9fc147d3d103c6038

New changelog entries:
  * Make sure shared library links are also installed to the multiarch
    directory, not just the .a files; otherwise the static libs get found
    first by the linker. Thanks to Russ Allbery for catching this.
    Closes: #642952.

093f9de... by Steve Langasek on 2011-09-24

Import patches-unapplied version 1.1.3-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c3e0f77ae0c5c72d77b1bd4cf2939400d0c33469

New changelog entries:
  * Look for /etc/init.d/postgresql, not /etc/init.d/postgresql-8.{2,3},
    for service restarts; the latter are obsolete since squeeze.
    Closes: #631511.
  * Move debian/libpam0g-dev.install to debian/libpam0g-dev.install.in
    and substitute the multiarch path at build time, so our .a files go to
    the multiarch dir instead of to /usr/lib. Thanks to Riku Voipio for
    pointing out the bug.
  * debian/control: adjust the package descriptions, as the current ones
    use some awkward language that's gone unnoticed for a long time. Thanks
    to Martin Eberhard Schauer <email address hidden> for pointing this
    out. Closes: #633863.
  * Build-depend on debhelper 8.9.4 and bump debian/compat to 9 for
    dpkg-buildflags integration, and drop manual setting of -g -O options in
    CFLAGS now that we can let dh do it for us
  * Don't set --sbindir when calling configure; upstream takes care of this
    for us