Your message dated Mon, 26 Sep 2005 20:47:07 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#300775: fixed in pam 0.79-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Mar 2005 19:07:50 +0000
From [EMAIL PROTECTED] Mon Mar 21 11:07:50 2005
Return-path: <[EMAIL PROTECTED]>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
        by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
        id 1DDSFh-0004XG-00; Mon, 21 Mar 2005 11:07:49 -0800
Received: (qmail 28956 invoked by uid 1013); 21 Mar 2005 19:07:47 -0000
Date: Mon, 21 Mar 2005 20:07:47 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Pam: newer upstream version (0.78) available fixing security bugs
Message-ID: <[EMAIL PROTECTED]>

Package: libpam-runtime
Version: 0.76-22
Priority: serious
Tags: security

It seems we are missing some of the upstream releases (0.77 was released in
September 2002 and 0.78 was released in November 2004). Please package this
new release:
ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/

The 0.78 release includes two important security bugs as well as some of
the patches from Debian and other releases. The relevant security bugs are:

- Severe denial of service possible in pam_unix
- Pam_wheel with the trust module can be spoofed

Some other fixes in the PAM modules might be security-related, see below.

The full changelog entries are:

0.78: Do Nov 18 14:48:36 CET 2004

* pam_unix: change the order of trying password changes - local first,
  NIS second (t8m)
* pam_wheel: add option only_root to make it affect authentication
  to root account only
* pam_unix: test return values on renaming files and report error to
  syslog and to user
* pam_unix: forced password change shouldn't trump account expiration
* pam_unix: remove the use of openlog (from debian - toady)
* pam_unix: NIS cleanup (patch from Philippe Troin)
* pam_access: you can now authenticate an explicit user on an explicit
  tty (from debian - toady)
* pam_limits, pam_rhosts, pam_unix: fixed hurd portability issues
  (patch from Igor Khavkine)
* pam_env: added comments in the configuration file to avoid errors
  (from debian - toady)
* pam_mail: check PAM_NO_ENV to know if we can delete the environment
  variable (from debian - toady)
* pam_filter: s/termio/termios/g (from debian - toady)
* pam_mkhomedir: no maxpathlen required (from debian - toady)
* pam_limits: applied patch to allow explicit limits for root
  and remove limits on su. (from debian - toady)
* pam_unix: severe denial of service possible with this module since
  it locked too aggressively. Bug report and testing help from Sascha
  Loetz. (Bug 664290 - agmorgan)
* getlogin was spoofable: "/tmp/" and "/dev/" have the same number of
  characters, so 'ln /dev/tty /tmp/tty1 ; bash < /tmp/tty1 ; logname'
  attacks could potentially spoof pam_wheel with the 'trust' module
  argument into granting access to a luser. Also, pam_unix gave
  odd error messages in such a situation (logname != uid). This
  problem was found by David Endler of iDefense.com (Bug 667584 -
  agmorgan).
* added my new DSA public key to the pgp.keys.asc file. Also included
  a signed copy of my new public key (1024D/D41A6DF2) made with my old
  key (1024/2A398175).
* added "include" directive to config file syntax.
  The whole idea is to create few "systemwide" pam configs and include
  parts of them in application pam configs.
  (patch by "Dmitry V. Levin" <[EMAIL PROTECTED]>) (Bug 812567 - baggins).
* doc/modules/pam_mkhomedir.sgml: Remove wrong debug options
  (Bug 591605 - kukuk)
* pam_unix: Call password checking helper whenever the password field
  contains only one character (Bug 1027903 - kukuk)
* libpam/pam_start.c: All service names should be files below /etc/pam.d
  and nothing else. Forbid paths. (Bug 1027912 - kukuk)
* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib
  module (Bug 1010142 - toady)
* pam_userdb: applied patch from Paul Walmsley <[EMAIL PROTECTED]>
  it now indicates whether encrypted or plaintext passwords are stored
  in the database needed for pam_userdb (BerliOS - toady)
* pam_group: The module should also ignore PAM_REINITIALIZE_CRED to
  avoid spurious errors (from Linux distributors - kukuk)
* pam_cracklib: Clear the entire options structure (from Linux
  distributors - kukuk)
* pam_issue: We write a NUL to prompt_tmp[tot_size] later, so make sure
  that the destination is part of the allocated block, make do_prompt
  static (from Linux distributors - kukuk)
* ldconfig: Only run full ldconfig, if we don't install into a FAKEROOT
  environment, else let ldconfig only create the symlinks correct
  (from Linux distributors - kukuk)
* pam_unix/pam_pwdb: Use SIG_DFL instead of SIG_IGN for SIGCHLD
  (from Linux distributors - kukuk)
* Add most of Steve Grubb's resource leak and other fixes (from
  Linux distributors - kukuk)
* doc/Makefile: Don't include .cvsignore files in tar ball (kukuk)
* libpam_misc/misc_conv.c: Differentiate between Ctrl-D and
  <Return> (Bug 1032604 - kukuk)
* Make.Rules.in: Add targets for installing man pages for modules
  (from Linux distributors - kukuk)
* Add pam_xauth module (Bug 436440 - kukuk)
* Add pam_localuser module (Bug 436444 - kukuk)
* Add pam_succeed_if module (from Linux distributors - kukuk)
* configure.in: Fix check for libcrypt (Bug 417704 - kukuk)
* Add the "broken_shadow" argument to pam_unix, for ignoring errors
  reading shadow information (from Linux distributors - kukuk)
* Add patches to make PAM modules reentrant (Bug 440107 - kukuk)
* Merge patches from Red Hat (Bug 477000 and other - kukuk)
* Fix pam_rhosts option parsing (Bug 922648 - kukuk)
* Add $ISA support in config files (from Red Hat - kukuk)

0.77: Mon Sep 23 10:25:42 PDT 2002

* documentation support for pdf files was not quite right -
  installation was messed up.
* pam_wheel was too aggressive to grant access (in the case of the
  'deny' option you want to pay attention to 'trust'). Fix from
  Nalin (Bugs 476951, 476953 - agmorgan)
* account management support for: pam_shells, pam_listfile, pam_wheel
  and pam_securetty (+ static module fix for pam_nologin). Patch from
  redhat through Harald Welte (Bug 436435 - agmorgan).
* pam_wheel feature from Nalin - can use the module to provide wheel
  access to non-root accounts. Also from Nalin, a bugfix related to
  the primary group of the applicant is the 'wheel' group. (Bugs
  476980, 476941 - agmorgan)
* pam_unix and pam_pwdb: by default turn off the SIGCHLD handler while
  running the helper binary (patch from Nalin) added the "noreap"
  module argument to both of these modules to turn off this new
  default. Bugfix found by Silvan Minghetti for former module and
  521314 checkin. (Bugs 476963, 521314 - agmorgan).
* updated CHANGELOG and configure.in for 0.77 work.


Regards

Javier
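The libpam/pam_start.c entry in the 0.78 changelog above (service names must be plain files below /etc/pam.d; paths are forbidden) describes a name-validation check. The following is an added example, not code from Linux-PAM or from this report: rejecting any name containing "/" is the page's rule, while the function names, the dot-only and character-class rejections and the length bound are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PAM_CONFIG_DIR "/etc/pam.d"

/* Return 1 if `service` may be used as a config file name below
 * PAM_CONFIG_DIR, 0 otherwise. The changelog only says "forbid paths";
 * the extra rules below (no "."/"..", restricted characters, length
 * bound) are hardening assumptions added for this example. */
int pam_service_name_ok(const char *service)
{
    size_t len;
    if (service == NULL) return 0;
    len = strlen(service);
    if (len == 0 || len > 64) return 0;
    /* Any '/' would let the caller escape the config directory. */
    if (strchr(service, '/') != NULL) return 0;
    /* "." and ".." are directory entries, not service configs. */
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)service[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.') return 0;
    }
    return 1;
}

/* Build the config path only after validation. Returns 0 on success,
 * -1 if the name was rejected or the path would not fit in `out`. */
int pam_service_config_path(const char *service, char *out, size_t outsz)
{
    int n;
    if (!pam_service_name_ok(service)) return -1;
    n = snprintf(out, outsz, "%s/%s", PAM_CONFIG_DIR, service);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names: two legitimate services, two path-like
     * names that the check must reject. */
    const char *names[] = { "login", "sshd", "../other", "/etc/passwd" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (pam_service_config_path(names[i], path, sizeof path) == 0)
            printf("accepted %-12s -> %s\n", names[i], path);
        else
            printf("rejected %s\n", names[i]);
    }
    return 0;
}
```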

---------------------------------------
Received: (at 300775-close) by bugs.debian.org; 27 Sep 2005 03:48:41 +0000
From [EMAIL PROTECTED] Mon Sep 26 20:48:41 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EK6Qt-0002he-00; Mon, 26 Sep 2005 20:47:07 -0700
From: Steve Langasek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#300775: fixed in pam 0.79-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 26 Sep 2005 20:47:07 -0700
Delivered-To: [EMAIL PROTECTED]

Source: pam
Source-Version: 0.79-1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.79-1_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.79-1_i386.deb
libpam-doc_0.79-1_all.deb
  to pool/main/p/pam/libpam-doc_0.79-1_all.deb
libpam-modules_0.79-1_i386.deb
  to pool/main/p/pam/libpam-modules_0.79-1_i386.deb
libpam-runtime_0.79-1_all.deb
  to pool/main/p/pam/libpam-runtime_0.79-1_all.deb
libpam0g-dev_0.79-1_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.79-1_i386.deb
libpam0g_0.79-1_i386.deb
  to pool/main/p/pam/libpam0g_0.79-1_i386.deb
pam_0.79-1.diff.gz
  to pool/main/p/pam/pam_0.79-1.diff.gz
pam_0.79-1.dsc
  to pool/main/p/pam/pam_0.79-1.dsc
pam_0.79.orig.tar.gz
  to pool/main/p/pam/pam_0.79.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Sun, 25 Sep 2005 22:08:20 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-1
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description: 
 libpam-cracklib - PAM module to enable cracklib support.
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 248310 249499 284954 295296 300775 319026 323982 327876 330097
Changes: 
 pam (0.79-1) unstable; urgency=low
 .
   * New upstream version (closes: #284954, #300775).
     - includes some fixes for typos (closes: #319026).
     - pam_unix should now be LSB 3.0-compliant (closes: #323982).
     - fixes segfaults in libpam on config file syntax errors
       (closes: #330097).
   * Drop patches 000_bootstrap, 004_libpam_makefile_static_works,
     011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes,
     025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set,
     033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE,
     035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required,
     041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors,
     051_32_bit_pam_lastlog_ll_time, and
     053_pam_unix_user_known_returns_user_unknown which have been
     integrated upstream.
   * Merge one last bit of patch 053 into patch 043, where it should have
     been in the first place
   * Patch 057: SELinux support:
     - add support to pam_unix for copying SELinux security contexts when
       writing out new passwd/shadow files and creating lockfiles
     - support calling unix_chkpwd if opening /etc/shadow fails due to
       SELinux permissions
     - allow unix_chkpwd to authenticate for any user when in an SELinux
       context (hurray!); we depend on SELinux policies to prevent the
       helper's use as a brute force tool
     - also support querying user expiration info via unix_chkpwd
     - misc cleanup: clean up file descriptors when invoking unix_chkpwd
       (closes: #248310)
     - make pam_rootok check the SELinux passwd class permissions, not just
       the uid
     - add new pam_selinux module (closes: #249499)
   * Build-depend on libselinux1-dev.
   * Fix pam_getenv, so that it can read the actual format of /etc/environment
     instead of trying to read it using the syntax of
     /etc/security/pam_env.conf; thanks to Colin Watson for the patch.
     Closes: #327876.
   * Set LC_COLLATE=C when using alphabetic range expressions in
     debian/rules; bah, so *that's* what kept happening to my README file
     when trying to build out of svn!  Closes: #295296.
   * Add a reference to the text of the GPL to debian/copyright.
Files: 

