summaryrefslogtreecommitdiff
path: root/debian/patches-applied
Commit message (Collapse)AuthorAge
* refresh other patches for new upstream versionSteve Langasek2019-01-08
|
* debian/patches/026_pam_unix_passwd_unknown_user: don't returnSteve Langasek2019-01-08
| | | | | PAM_USER_UNKNOWN on password change of a user that has no shadow entry, upstream now implements auto-creating the shadow entry in this case.
* Drop patches pam.d-manpage-section, namespace_with_awk_not_gawk, andSteve Langasek2019-01-08
| | | | pam_securetty_tty_check_before_user_check, which are included upstream.
* debian/patches/007_modules_pam_unix: recognize that *all* of the passwordSteve Langasek2019-01-08
| | | | | hashes other than traditional crypt handle passwords >8 chars in length. LP: #356766.
* debian/patches/sys-types-include.patch: fix pam_modutil.h so that it canSteve Langasek2019-01-08
| | | | | be included directly, without having to include sys/types.h first. Closes: #556203.
* debian/patches/pam_securetty_tty_check_before_user_check: new patch,Steve Langasek2019-01-08
| | | | | | to make pam_securetty always return success on a secure tty regardless of what username was passed. Thanks to Nicolas Fran├žois <nicolas.francois@centraliens.net> for the patch. Closes: #537848
* debian/patches/autoconf.patch: pull ltmain.sh in, to fix some spuriousSteve Langasek2019-01-08
| | | | library linkage in the modules.
* patch committed upstreamSteve Langasek2019-01-08
|
* debian/patches/namespace_with_awk_not_gawk: fix the sampleSteve Langasek2019-01-08
| | | | | namespace.init script's dependency on non-POSIX features of gawk, since we don't use gawk by default. Closes; #518908.
* debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patchSteve Langasek2019-01-08
| | | | | | | to call setregid() instead of always returning an error on username mismatch in unix_chkpwd, needed in the SELinux case and in some corner cases with the broken_shadow option. Thanks to Michael Spang for the analysis. Closes: #543589.
* final pass of manpage fixesSteve Langasek2019-01-08
|
* another pass of manpage fixesSteve Langasek2019-01-08
|
* oops, we don't want to remove the manpages entirely...Steve Langasek2019-01-08
|
* another pass of manpage fixesSteve Langasek2019-01-08
|
* debian/patches/fix-man-crud: new patch, fix "undefined macro" errors inSteve Langasek2019-01-08
| | | | | manpages caused by oddities of toolchain used when generating them upstream.
* add config.h.in changes to autoconf.patch, which will show up upon running aSteve Langasek2019-01-08
| | | | build in any case
* Include changes to pam_limits/README in the patch, since they end up in theSteve Langasek2019-01-08
| | | | | package anyway and this gives us a cleaner ./debian/rules clean
* pam_unix-chkpwd-wait also merged upstreamSteve Langasek2019-01-08
|
* debian/patches/007_modules_pam_unix: drop divergence from upstreamSteve Langasek2019-01-08
| | | | | | | that treats "0" as a special value in various fields in /etc/shadow, and document this in debian/NEWS. Thanks to Nicolas Fran├žois <nicolas.francois@centraliens.net> for the detailed analysis. Closes: #308229.
* Committed upstreamSteve Langasek2019-01-08
|
* refresh other patches for new upstream releaseSteve Langasek2019-01-08
|
* Trim pam.d-manpage-section patch, which was mostly but not completelySteve Langasek2019-01-08
| | | | applied upstream.
* Drop patches pam_unix_thread-safe_save_old_password.patch,Steve Langasek2019-01-08
| | | | | | pam_env_ignore_garbage.patch, dont_freeze_password_chain, pam_1.0.4_mindays, pam_mail-fix-quiet, and cve-2009-0887-libpam-pam_misc.patch, which are included upstream.
* cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problemSam Hartman2019-01-08
| | | | (CVE-2009-0887) (Closes: #520115)
* Merge debian sid branchSam Hartman2019-01-08
|\
| * correct a typo in the update-motd patch, introduced by me :(Steve Langasek2019-01-08
| |
| * pam_motd: run the update-motd scripts in pam_motd; render update-motdSteve Langasek2019-01-08
| | | | | | | | obsolete, LP: #399071
* | pam_mail-fix-quiet: patch from Andreas HenrikssonSam Hartman2019-01-08
|/ | | | applied upstream to fix quiet option of pam_mail, Closes: #439268
* refresh quilt patch offsetsKees Cook2019-01-08
|
* Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixesKees Cook2019-01-08
| | | | for MINDAYS-Field regression (closes: #514437).
* 027_pam_limits_better_init_allow_explicit_root: defaults need to beSteve Langasek2019-01-08
| | | | | declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise global limits will fail to be applied. LP: #314222.
* 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCKSteve Langasek2019-01-08
| | | | limit correctly to match the kernel default, which is not RLIM_INFINITY.
* include documentation in the patch, giving examples of how to set Steve Langasek2019-01-08
| | | | limits for root. Thanks to Jonathan Marsden.
* revert the 'fix' for bug #515673, since this isn't really a bug at all.Steve Langasek2019-01-08
|
* shadow the finite kernel defaults for RLIMIT_SIGPENDING andSteve Langasek2019-01-08
| | | | | RLIMIT_MSGQUEUE as well, so that the preceding changes don't suddenly expose systems to DoS or other issues.
* 027_pam_limits_better_init_allow_explicit_root: also fix the patch soSteve Langasek2019-01-08
| | | | | that our limit resets are actually *applied*, which has apparently been broken for who knows how long!
* 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY may or maySteve Langasek2019-01-08
| | | | | | | not be invalid for RLIMIT_NOFILE, but we don't want to set a hard limit of 1024 by default; try to set this limit to the value of /proc/sys/fs/nr_open if we can, or fall back to RLIM_INFINITY. Closes: #515673, LP: #327597.
* New patch dont_freeze_password_chain, cherry-picked from upstream:Steve Langasek2019-01-03
| | | | | | | | don't always follow the same path through the password stack on the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK pass; this Linux-PAM deviation from the original PAM spec causes a number of problems, in particular causing wrong return values when using the refactored pam-auth-update stack. LP: #303515, #305882.
* 055_pam_unix_nullok_secure: also don't call the helper at all fromSteve Langasek2019-01-03
| | | | | | _unix_blankpasswd when we can detect that null passwords are disallowed, to avoid causing spammy logs on successful authentications. Closes: #496620.
* 007_modules_pam_unix: update the manpage at the same time as the xmlSteve Langasek2019-01-03
| | | | source (grr, autogenerated files in source packages). Closes: #495804.
* adjust the log error messageSteve Langasek2019-01-03
|
* pam_unix-chkpwd-wait: don't assume that the unix_chkpwd processJulien Cristau2019-01-03
| | | | | | exits normally; if it was killed by a signal, we don't want to accept the password.
* 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULLSteve Langasek2019-01-03
| | | | | | tty argument, since this will cause our helper to segfault instead of returning a useful value. Thanks to Troy Davis for the report. Closes: #495806.
* debian/patches/054_pam_security_abstract_securetty_handling: move theSteve Langasek2019-01-03
| | | | | | | | warning log about an insecure tty back to pam_securetty proper; we don't want to generate log messages every time pam_unix is called as non-root. Closes: #493283. As a side-effect, pam_unix no longer logs any warnings about NULL password + insecure tty, but I don't think this is critical.
* * 007_modules_pam_unix: update the documentation to correctly documentSteve Langasek2019-01-03
| | | | the default minimum password length is 6, not 1.
* document updated patch statusSteve Langasek2019-01-03
|
* drop the patch to restore the particular setreuid() handling, which was in factSteve Langasek2019-01-03
| | | | buggy before and fixed now.
* Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanksSteve Langasek2019-01-03
| | | | | to Tomas Mraz <tmraz@redhat.com> for indirectly bringing this to my attention
* drop the patch to do NIS+ auth in-process, the uid changing is better handledSteve Langasek2019-01-03
| | | | by a subprocess.
* drop the patch to do NIS+ auth in-process, the uid changing is better handledSteve Langasek2019-01-03
| | | | by a subprocess.