| Commit message | Author | Age |
|---|---|---|
| cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem (CVE-2009-0887) (Closes: #520115) | Sam Hartman | 2019-01-08 |
| Merge debian sid branch | Sam Hartman | 2019-01-08 |
| correct a typo in the update-motd patch, introduced by me :( | Steve Langasek | 2019-01-08 |
| pam_motd: run the update-motd scripts in pam_motd; render update-motd obsolete, LP: #399071 | Steve Langasek | 2019-01-08 |
| pam_mail-fix-quiet: patch from Andreas Henriksson applied upstream to fix quiet option of pam_mail, Closes: #439268 | Sam Hartman | 2019-01-08 |
| refresh quilt patch offsets | Kees Cook | 2019-01-08 |
| Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes for MINDAYS-Field regression (closes: #514437). | Kees Cook | 2019-01-08 |
| 027_pam_limits_better_init_allow_explicit_root: defaults need to be declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise global limits will fail to be applied. LP: #314222. | Steve Langasek | 2019-01-08 |
| 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK limit correctly to match the kernel default, which is not RLIM_INFINITY. | Steve Langasek | 2019-01-08 |
| include documentation in the patch, giving examples of how to set limits for root. Thanks to Jonathan Marsden. | Steve Langasek | 2019-01-08 |
| revert the 'fix' for bug #515673, since this isn't really a bug at all. | Steve Langasek | 2019-01-08 |
| shadow the finite kernel defaults for RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE as well, so that the preceding changes don't suddenly expose systems to DoS or other issues. | Steve Langasek | 2019-01-08 |
| 027_pam_limits_better_init_allow_explicit_root: also fix the patch so that our limit resets are actually *applied*, which has apparently been broken for who knows how long! | Steve Langasek | 2019-01-08 |
| 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY may or may not be invalid for RLIMIT_NOFILE, but we don't want to set a hard limit of 1024 by default; try to set this limit to the value of /proc/sys/fs/nr_open if we can, or fall back to RLIM_INFINITY. Closes: #515673, LP: #327597. | Steve Langasek | 2019-01-08 |
| New patch dont_freeze_password_chain, cherry-picked from upstream: don't always follow the same path through the password stack on the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK pass; this Linux-PAM deviation from the original PAM spec causes a number of problems, in particular causing wrong return values when using the refactored pam-auth-update stack. LP: #303515, #305882. | Steve Langasek | 2019-01-03 |
| 055_pam_unix_nullok_secure: also don't call the helper at all from _unix_blankpasswd when we can detect that null passwords are disallowed, to avoid causing spammy logs on successful authentications. Closes: #496620. | Steve Langasek | 2019-01-03 |
| 007_modules_pam_unix: update the manpage at the same time as the xml source (grr, autogenerated files in source packages). Closes: #495804. | Steve Langasek | 2019-01-03 |
| adjust the log error message | Steve Langasek | 2019-01-03 |
| pam_unix-chkpwd-wait: don't assume that the unix_chkpwd process exits normally; if it was killed by a signal, we don't want to accept the password. | Julien Cristau | 2019-01-03 |
| 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL tty argument, since this will cause our helper to segfault instead of returning a useful value. Thanks to Troy Davis for the report. Closes: #495806. | Steve Langasek | 2019-01-03 |
| debian/patches/054_pam_security_abstract_securetty_handling: move the warning log about an insecure tty back to pam_securetty proper; we don't want to generate log messages every time pam_unix is called as non-root. Closes: #493283. As a side-effect, pam_unix no longer logs any warnings about NULL password + insecure tty, but I don't think this is critical. | Steve Langasek | 2019-01-03 |
| * 007_modules_pam_unix: update the documentation to correctly document the default minimum password length is 6, not 1. | Steve Langasek | 2019-01-03 |
| document updated patch status | Steve Langasek | 2019-01-03 |
| drop the patch to restore the particular setreuid() handling, which was in fact buggy before and fixed now. | Steve Langasek | 2019-01-03 |
| Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks to Tomas Mraz <tmraz@redhat.com> for indirectly bringing this to my attention | Steve Langasek | 2019-01-03 |
| drop the patch to do NIS+ auth in-process, the uid changing is better handled by a subprocess. | Steve Langasek | 2019-01-03 |
| drop the patch to do NIS+ auth in-process, the uid changing is better handled by a subprocess. | Steve Langasek | 2019-01-03 |
| * New patch, pam.d-manpage-section, to fix the manpage references to point to section 5 instead of section 8. * Update patch PAM-manpage-section to fix the references to pam(7) from other manpages. Closes: #470137. | Steve Langasek | 2019-01-03 |
| New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an upstream change that causes unix_chkpwd to assume that setuid(getuid()) is sufficient to drop permissions and attempt any authentication on behalf of the user. | Steve Langasek | 2019-01-03 |
| refresh patches for new upstream version | Steve Langasek | 2019-01-03 |
| Drop another patch that's integrated upstream | Steve Langasek | 2019-01-03 |
| Drop another patch that's integrated upstream | Steve Langasek | 2019-01-03 |
| patch refresh for new upstream version | Steve Langasek | 2019-01-03 |
| patch refresh for new upstream version | Steve Langasek | 2019-01-03 |
| don't use _unix_blankpasswd() when trying to decide whether to pass the 'nullok' option to the helper, because _unix_blankpasswd() will itself call in to the helper... instead, check directly for a secure tty. | Steve Langasek | 2019-01-03 |
| committed to CVS | Steve Langasek | 2019-01-03 |
| fix up the patch so that pamh isn't undefined... | Steve Langasek | 2019-01-03 |
| fix patch names so it's clear these are all for pam_unix | Steve Langasek | 2019-01-03 |
| New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream regression which prevents sgid shadow apps from being able to authenticate any more because the module forces use of the helper and the helper won't allow authentication of arbitrary users. This change does mean we're going to be noisier for the time being in an SELinux environment, which should be addressed but is not a regression on Debian. | Steve Langasek | 2019-01-03 |
| not actually done on work time; use the right email address | Steve Langasek | 2019-01-03 |
| New patch no_helper_for_nis+.patch, which restores the behavior of doing in-process NIS+ account checking instead of unconditionally passing it off to the unix_chkpwd helper; if it wasn't broke, don't fix it. | Steve Langasek | 2019-01-03 |
| New patch setreuid_juggling.patch: restore the 0.99.9.0 behavior wrt uid changes for NIS+, since I know the old behavior was right and don't believe anyone has tested the new code. | Steve Langasek | 2019-01-03 |
| move the getpwnam patch to the beginning of the series, since it should be committed upstream soon | Steve Langasek | 2019-01-03 |
| New patch thread-safe_save_old_password.patch, to make sure all our getpwnam() use in pam_unix is thread-safe (fixes an upstream regression) | Steve Langasek | 2019-01-03 |
| whack-a-mole: fix a syntax error missed when hand-applying the patch | Steve Langasek | 2019-01-03 |
| s/name/user/, now that this code is in a different function | Steve Langasek | 2019-01-03 |
| another fix-up for a hand-merged patch | Steve Langasek | 2019-01-03 |
| fix up a typo when hand-applying the patch | Steve Langasek | 2019-01-03 |
| add a couple of new Makefiles to the autotools patch | Steve Langasek | 2019-01-03 |
| refresh more patches for new upstream version | Steve Langasek | 2019-01-03 |