pam (1.4.0-11ubuntu2.4) jammy-security; urgency=medium
* SECURITY UPDATE: pam_namespace local denial of service
- debian/patches-applied/CVE-2024-22365.patch: use O_DIRECTORY to
prevent local DoS situations in modules/pam_namespace/pam_namespace.c.
- CVE-2024-22365
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Jan 2024 08:54:07 -0500
pam (1.4.0-11ubuntu2.3) jammy-security; urgency=medium
* SECURITY REGRESSION: fix CVE-2022-28321 patch location
- debian/patches-applied/CVE-2022-28321.patch: pam_access: handle
hostnames in access.conf
- CVE-2022-28321
-- Nishit Majithia <nishit.majithia@canonical.com> Thu, 02 Feb 2023 14:51:46 +0530
pam (1.4.0-11ubuntu2.1) jammy-security; urgency=medium
* SECURITY UPDATE: authentication bypass vulnerability
- debian/patches/CVE-2022-28321.patch: pam_access: handle hostnames in
access.conf
- CVE-2022-28321
-- Nishit Majithia <nishit.majithia@canonical.com> Tue, 24 Jan 2023 17:07:01 +0530
pam (1.4.0-11ubuntu2) jammy; urgency=medium
* Drop Recommends on update-motd which is no longer used and is not being
maintained.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 23 Mar 2022 18:43:24 -0700
pam (1.4.0-11ubuntu1) jammy; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/control: have libpam-modules recommend update-motd package
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment
* Dropped changes, included in Debian:
- d/p/pam_env-allow-environment-files-without-EOL-at-EOF.patch:
Allow /etc/environment files without EOL at EOF.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 07 Feb 2022 08:51:50 -0800
pam (1.4.0-11) unstable; urgency=medium
* Whitespace fixes in debconf templates.
[ Sergio Durigan Junior ]
* d/p/pam_env-allow-environment-files-without-EOL-at-EOF.patch:
Allow /etc/environment files without EOL at EOF. In other words,
allow files without a newline at the end. (LP: #1953201)
-- Steve Langasek <vorlon@debian.org> Mon, 06 Dec 2021 11:11:31 -0800
pam (1.4.0-10ubuntu2) jammy; urgency=medium
[ Sergio Durigan Junior ]
* d/p/pam_env-allow-environment-files-without-EOL-at-EOF.patch:
Allow /etc/environment files without EOL at EOF. In other words,
allow files without a newline at the end. (LP: #1953201)
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 06 Dec 2021 11:05:28 -0800
pam (1.4.0-10ubuntu1) jammy; urgency=medium
* Merge from Debian unstable (LP: #1916509). Remaining changes:
- debian/control: have libpam-modules recommend update-motd package
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment
* Dropped changes, obsoleted:
- pam_motd: Export MOTD_SHOWN=pam after showing MOTD
- Return only PAM_IGNORE or error from pam_motd
- Fix patches to fix FTBFS
- Backport pam_faillock module from pam 1.4.0
- debian/patches-applied/nullok_secure-compat.patch: Support
nullok_secure as a deprecated alias for nullok.
- debian/pam-configs/unix: use nullok, not nullok_secure.
* Patches:
- d/p/pam_motd-legal-notice: refreshed
- Refreshed d/p/pam_umask_usergroups_from_login.defs.patch to use
pam_modutil_search_key instead of our own hand-rolled version
- d/p/extrausers.patch: Refreshed the patch and fixed the
HAVE_LIBSELINUX conditional removed upstream.
* d/local/pam-auth-update: refreshed the md5sum for debian/local/common-session
-- Simon Chopin <simon.chopin@canonical.com> Tue, 26 Oct 2021 10:49:14 +0200
pam (1.4.0-10) unstable; urgency=medium
* Fix syntax error in libpam0g.postinst when a systemd unit fails,
Closes: #992538
* Include upstream patch not to use crypt_checksalt; without this
passwords set prior to bullseye were considered expired, Closes:
#992848
* Support DPKG_ROOT for pam-auth-update, thanks Johannes 'josch' Schauer
Closes: #983427
-- Sam Hartman <hartmans@debian.org> Thu, 26 Aug 2021 13:43:23 -0600
pam (1.4.0-9) unstable; urgency=medium
* Revert prefer the multiarch path from 1.4.0-8: It turns out that
Debian uses DEFAULT_MODULE_PATH and _PAM_ISA in the opposite meaning
of upstream. If I had read the patch header of
patches-applied/lib_security_multiarch_compat more closely I would
have noticed this. The effect of 1.4.0-9 is what is stated in the
1.4.0-8 changelog: we prefer multiarch paths, but the original patch
did that.
* I did test this in 1.4.0-8, but my test design was flawed. I placed a
invalid shared object in /lib/security and confirmed it did not shadow
an object in /lib/x86_64-linux-gnu/security. However I realized
shortly after releasing 1.4.0-8 that a valid shared object in
/lib/security will shadow one in the multiarch path.
-- Sam Hartman <hartmans@debian.org> Fri, 09 Jul 2021 10:55:02 -0600
# For older changelog entries, run 'apt-get changelog libpam0g'
Generated by dwww version 1.14 on Wed Jan 22 09:11:19 CET 2025.