lp://staging/ubuntu/natty-security/pam
- Get this branch:
- bzr branch lp://staging/ubuntu/natty-security/pam
Branch merges
Branch information
Recent revisions
- 80. By Marc Deslauriers
-
* SECURITY UPDATE: possible code execution via incorrect environment file
parsing (LP: #874469)
- debian/patches- applied/ CVE-2011- 3148.patch: correctly count leading
whitespace when parsing environment file in modules/pam_env/ pam_env. c.
- CVE-2011-3148
* SECURITY UPDATE: denial of service via overflowed environment variable
expansion (LP: #874565)
- debian/patches- applied/ CVE-2011- 3149.patch: when overflowing, exit
with PAM_BUF_ERR in modules/pam_env/ pam_env. c.
- CVE-2011-3149
* SECURITY UPDATE: code execution via incorrect environment cleaning
- debian/patches- applied/ update- motd: updated to use clean environment
and absolute paths in modules/pam_motd/ pam_motd. c.
- CVE-2011-XXXX - 79. By Marc Deslauriers
-
* SECURITY REGRESSION:
- debian/patches/ security- dropprivs. patch: updated patch to preserve
ABI and prevent daemons from needing to be restarted. (LP: #790538)
- debian/patches/ autoconf. patch: refreshed - 78. By Marc Deslauriers
-
* SECURITY UPDATE: multiple issues with lack of adequate privilege
dropping
- debian/patches/ security- dropprivs. patch: introduce new privilege
dropping code in libpam/pam_modutil_ priv.c, libpam/Makefile.*,
libpam/include/ security/ pam_modutil. h, libpam/libpam.map,
modules/pam_env/ pam_env. c, modules/ pam_mail/ pam_mail. c,
modules/pam_xauth/ pam_xauth. c.
- CVE-2010-3430
- CVE-2010-3431
- CVE-2010-3435
- CVE-2010-4706
- CVE-2010-4707
* SECURITY UPDATE: privilege escalation via incorrect environment
- debian/patches/ CVE-2010- 3853.patch: use clean environment in
modules/pam_namespace/ pam_namespace. c.
- CVE-2010-3853
* debian/patches- applied/ series: disable hurd_no_setfsuid patch, as it
isn't needed for Ubuntu, and it needs to be rewritten to work with the
massive privilege refactoring in the security patches. - 76. By Steve Langasek
-
debian/
patches- applied/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
bump the hard limit for number of file descriptors, to keep pace with
the changes in the kernel. Fortunately this shadowing should all go
away next cycle when we can start to grab defaults directly from /proc.
LP: #663090 - 75. By Steve Langasek
-
debian/
libpam0g. postinst: according to Kubuntu developers, kdm no longer
keeps libpam loaded persistently at runtime, so it's not necessary to
force a kdm restart on ABI bump. Which is good, since restarting kdm
now seems to also log users out of running sessions, which we rather
want to avoid. LP: #744944. - 74. By Steve Langasek
-
* Force a service restart on upgrade to the new libpam0g, to ensure
servers don't fail to find the pam modules in the new paths.
* libpam-modules should also Pre-Depend: on the multiarch-aware libpam0g,
for the same reason. - 73. By Steve Langasek
-
* Build for multiarch; FFe LP: #733501.
* Split our executables out of libpam-modules into a new package,
libpam-modules- bin, so that modules can be co-installable between
architectures.
* New patch, lib_security_multiarch_ compat, which lets us reuse the
upstream --enable-isadir functionality to support a true path for module
lookups; this way we don't have to force a hard transition to multiarch,
but can support resolving modules in both the multiarch and
non-multiarch directories.
* Build-Depend on the multiarchified debhelper.
* Add Pre-Depends: ${misc:Pre-Depends} for multiarch-support. - 71. By Steve Langasek
-
debian/
patches/ update- motd-manpage- ref: patch the manpage too, not just
the xml source.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/oneiric/pam