path: root/debian/patches-applied
Commit message [Author, Age]
...
* revert the 'fix' for bug #515673, since this isn't really a bug at all. [Steve Langasek, 2019-01-08]
* shadow the finite kernel defaults for RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE as well, so that the preceding changes don't suddenly expose systems to DoS or other issues. [Steve Langasek, 2019-01-08]
* 027_pam_limits_better_init_allow_explicit_root: also fix the patch so that our limit resets are actually *applied*, which has apparently been broken for who knows how long! [Steve Langasek, 2019-01-08]
* 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY may or may not be invalid for RLIMIT_NOFILE, but we don't want to set a hard limit of 1024 by default; try to set this limit to the value of /proc/sys/fs/nr_open if we can, or fall back to RLIM_INFINITY. Closes: #515673, LP: #327597. [Steve Langasek, 2019-01-08]
* New patch dont_freeze_password_chain, cherry-picked from upstream: don't always follow the same path through the password stack on the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK pass; this Linux-PAM deviation from the original PAM spec causes a number of problems, in particular causing wrong return values when using the refactored pam-auth-update stack. LP: #303515, #305882. [Steve Langasek, 2019-01-03]
* 055_pam_unix_nullok_secure: also don't call the helper at all from _unix_blankpasswd when we can detect that null passwords are disallowed, to avoid causing spammy logs on successful authentications. Closes: #496620. [Steve Langasek, 2019-01-03]
* 007_modules_pam_unix: update the manpage at the same time as the xml source (grr, autogenerated files in source packages). Closes: #495804. [Steve Langasek, 2019-01-03]
* adjust the log error message [Steve Langasek, 2019-01-03]
* pam_unix-chkpwd-wait: don't assume that the unix_chkpwd process exits normally; if it was killed by a signal, we don't want to accept the password. [Julien Cristau, 2019-01-03]
* 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL tty argument, since this will cause our helper to segfault instead of returning a useful value. Thanks to Troy Davis for the report. Closes: #495806. [Steve Langasek, 2019-01-03]
* debian/patches/054_pam_security_abstract_securetty_handling: move the warning log about an insecure tty back to pam_securetty proper; we don't want to generate log messages every time pam_unix is called as non-root. Closes: #493283. As a side-effect, pam_unix no longer logs any warnings about NULL password + insecure tty, but I don't think this is critical. [Steve Langasek, 2019-01-03]
* * 007_modules_pam_unix: update the documentation to correctly document the default minimum password length is 6, not 1. [Steve Langasek, 2019-01-03]
* document updated patch status [Steve Langasek, 2019-01-03]
* drop the patch to restore the particular setreuid() handling, which was in fact buggy before and fixed now. [Steve Langasek, 2019-01-03]
* Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks to Tomas Mraz <tmraz@redhat.com> for indirectly bringing this to my attention [Steve Langasek, 2019-01-03]
* drop the patch to do NIS+ auth in-process, the uid changing is better handled by a subprocess. [Steve Langasek, 2019-01-03]
* drop the patch to do NIS+ auth in-process, the uid changing is better handled by a subprocess. [Steve Langasek, 2019-01-03]
* * New patch, pam.d-manpage-section, to fix the manpage references to point to section 5 instead of section 8. * Update patch PAM-manpage-section to fix the references to pam(7) from other manpages. Closes: #470137. [Steve Langasek, 2019-01-03]
* New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an upstream change that causes unix_chkpwd to assume that setuid(getuid()) is sufficient to drop permissions and attempt any authentication on behalf of the user. [Steve Langasek, 2019-01-03]
* refresh patches for new upstream version [Steve Langasek, 2019-01-03]
* Drop another patch that's integrated upstream [Steve Langasek, 2019-01-03]
* Drop another patch that's integrated upstream [Steve Langasek, 2019-01-03]
* patch refresh for new upstream version [Steve Langasek, 2019-01-03]
* patch refresh for new upstream version [Steve Langasek, 2019-01-03]
* don't use _unix_blankpasswd() when trying to decide whether to pass the 'nullok' option to the helper, because _unix_blankpasswd() will itself call in to the helper... instead, check directly for a secure tty. [Steve Langasek, 2019-01-03]
* committed to CVS [Steve Langasek, 2019-01-03]
* fix up the patch so that pamh isn't undefined... [Steve Langasek, 2019-01-03]
* fix patch names so it's clear these are all for pam_unix [Steve Langasek, 2019-01-03]
* New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream regression which prevents sgid shadow apps from being able to authenticate any more because the module forces use of the helper and the helper won't allow authentication of arbitrary users. This change does mean we're going to be noisier for the time being in an SELinux environment, which should be addressed but is not a regression on Debian. [Steve Langasek, 2019-01-03]
* not actually done on work time; use the right email address [Steve Langasek, 2019-01-03]
* New patch no_helper_for_nis+.patch, which restores the behavior of doing in-process NIS+ account checking instead of unconditionally passing it off to the unix_chkpwd helper; if it wasn't broke, don't fix it. [Steve Langasek, 2019-01-03]
* New patch setreuid_juggling.patch: restore the 0.99.9.0 behavior wrt uid changes for NIS+, since I know the old behavior was right and don't believe anyone has tested the new code. [Steve Langasek, 2019-01-03]
* move the getpwnam patch to the beginning of the series, since it should be committed upstream soon [Steve Langasek, 2019-01-03]
* New patch thread-safe_save_old_password.patch, to make sure all our getpwnam() use in pam_unix is thread-safe (fixes an upstream regression) [Steve Langasek, 2019-01-03]
* whack-a-mole: fix a syntax error missed when hand-applying the patch [Steve Langasek, 2019-01-03]
* s/name/user/, now that this code is in a different function [Steve Langasek, 2019-01-03]
* another fix-up for a hand-merged patch [Steve Langasek, 2019-01-03]
* fix up a typo when hand-applying the patch [Steve Langasek, 2019-01-03]
* add a couple of new Makefiles to the autotools patch [Steve Langasek, 2019-01-03]
* refresh more patches for new upstream version [Steve Langasek, 2019-01-03]
* no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch, and pam_tally_audit.patch, which have been merged upstream. [Steve Langasek, 2019-01-03]
* refresh more patches for new upstream version [Steve Langasek, 2019-01-03]
* Drop patch 049_pam_unix_sane_locking, which upon review is not needed; it reduces the length of time we hold the lock, but at the expense of being able to enforce minimum times between password changes. [Steve Langasek, 2019-01-03]
* refresh patches for new upstream version [Steve Langasek, 2019-01-03]
* New patch do_not_check_nis_accidentally: respect the 'nis' option (set or unset) when looking up the user's password entry for password changes. Thanks to Quentin Godfroy <godfroy@clipper.ens.fr> for the patch. Closes: #469635. [Steve Langasek, 2019-01-03]
* 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for the NSS source of our user; this was preventing password changes for NIS users, which otherwise should have worked. Closes: #203222. [Steve Langasek, 2019-01-03]
* refresh patches for new upstream version [Steve Langasek, 2019-01-03]
* refresh patch 007_modules_pam_unix for new upstream version; partially superseded upstream, as stripping of hpux-style expiry information from password fields is now supported. [Steve Langasek, 2019-01-03]
* revert rhosts_int32_not_bool.patch; doesn't matter now, pam_rhosts_auth has been dropped upstream [Steve Langasek, 2019-01-03]
* 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also invalid for RLIMIT_NOFILE, so when resetting the limits for a new session, use the kernel default of 1024 instead. Closes: #404836. [Steve Langasek, 2019-01-03]