From f03a6cee3de793ea6afa30b147e947b215d00011 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 03:38:36 +0200 Subject: Adding debian version 1.3.1-5. Signed-off-by: Daniel Baumann --- debian/changelog | 2781 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2781 insertions(+) create mode 100644 debian/changelog (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..5ea250f --- /dev/null +++ b/debian/changelog @@ -0,0 +1,2781 @@ +pam (1.3.1-5) unstable; urgency=medium + + * xdm restart check was inverted in the prior upload; turn it the right + way around + * Correctly display the notification when a manual DM restart is needed. + + -- Steve Langasek Thu, 14 Feb 2019 07:08:47 +0000 + +pam (1.3.1-4) unstable; urgency=medium + + * Fix the name of the samba services to be restarted on upgrade. + + -- Steve Langasek Wed, 13 Feb 2019 23:39:03 +0000 + +pam (1.3.1-3) unstable; urgency=medium + + * Fix debian/patches-applied/update-motd to apply the correct changes + to the README (should be forwarded to Debian) + * debian/libpam-modules.lintian-overrides: update for the current lintian + warning given for DSOs with no dependencies. + * debian/rules: set $DEB_HOST_MULTIARCH only if unset. + * debian/source.lintian-overrides: update for the current quilt warnings. + * debian/control: drop redundant priority fields. + * Standards-Version 4.3.0. + * Restore lintian overrides for hardening false-positives. + * debian/libpam0g.postinst: update the xdm restart handling to cope with + changes to what xdm writes to utmp. Closes: #922239. + + -- Steve Langasek Wed, 13 Feb 2019 20:41:46 +0000 + +pam (1.3.1-2) unstable; urgency=medium + + * Bump the version check for service restarts to 1.3.1-2. + Closes: #922178. + * Drop hard-coded pre-dep on libpam0g, now superseded by shlibdeps. + + -- Steve Langasek Tue, 12 Feb 2019 23:52:04 +0000 + +pam (1.3.1-1) unstable; urgency=medium + + * New upstream release. Closes: #821408. + - Don't try to close an excessive number of fds when we have a high + ulimit. Closes: #890524. + - Clarify pam_access docs regarding handling of daemons and X sessions. + Closes: #762110. + - Fix handling of rhost and tty fields in pam_succeed_if. + Closes: #889910. + - Fix wrong documentation of pam_umask module behavior. + Closes: #825782. + * Refresh patches. + * Drop patches included or obsoleted upstream: + - debian/patches-applied/README-rebuild + - debian/patches-applied/pam-loginuid-in-containers + - debian/patches-applied/cve-2013-7041.patch + - debian/patches-applied/cve-2014-2583.patch + - debian/patches-applied/cve-2015-3238.patch + - debian/patches-applied/pam_namespace_fix_bashism.patch + * Drop unused lintian overrides. + * Fix lintian warnings; thanks to Andreas Henriksson + and Florian Vessaz + * Switch source package to 3.0 (quilt) to consume upstream .tar.xz. + * Update debian/watch. + + [ Andreas Henriksson ] + * Update debian/libpam0g.symbols + * debian/patches-applied/fix-autoreconf.patch: Do not override user + variables in Makefile.am + + -- Steve Langasek Tue, 12 Feb 2019 07:38:11 +0000 + +pam (1.1.8-4) unstable; urgency=medium + + * Acknowledge various NMUs; thanks to the various folks who have helped + keep this package in good condition. + * debian/control: update VCS headers to point to git (temporarily under + my personal salsa namespace, until I get around to restoring team + setup). + * Actually remove Roger Leigh from uploaders (change not included in + previous upload). Thanks Roger for your contributions to Debian! + * Use DEB_BUILD_PROFILES instead of the obsolete DEB_BUILD_PROFILE. + Closes: #907492. + * Don't include changes to autogenerated files in patches. + * Use LC_ALL=C.UTF-8, not LC_ALL=C, when generating documentation. + * Consistently include documentation changes in patches, for clean source + package. + * debian/patches-applied/README-rebuild: rebuild README files with + current docs toolchain. + + -- Steve Langasek Wed, 09 Jan 2019 00:29:55 +0000 + +pam (1.1.8-3.8) unstable; urgency=medium + + * Non-maintainer upload. + * Set Rules-Requires-Root to binary-targets as pam relies on + chgrp in debian/rules. + * Update pam-auth-update to detect write errors and properly + fail when that happens. (Closes: #880501) + * Remove Roger Leigh from uploaders as he has restired from + Debian. (Closes: #869348) + * Reduce priority of libpam0g to optional. + * Rebuild with a recent version of dpkg-source, which ensures + that the Build-Depends are correct in the .dsc file. + (Closes: #890602) + * Apply patch from Felix Lechner to make pam-auth-update ignore + editor backup files. (Closes: #519361) + * Apply update to Brazilian Portuguese translations of the + debconf templates. Thanks to Adriano Rafael Gomes. + (Closes: #799417) + + -- Niels Thykier Sat, 11 Aug 2018 15:31:24 +0000 + +pam (1.1.8-3.7) unstable; urgency=medium + + * Non-maintainer upload. + * libpam-modules: Added a config for pam_mkhomedir, disabled by default. + (Closes: #568577) + * pam-auth-update: Add support for --enable option which is useful for + enabling non-default configs without prompting the admin. (LP: #1192719) + + -- Timo Aaltonen Fri, 02 Feb 2018 16:57:43 +0200 + +pam (1.1.8-3.6) unstable; urgency=medium + + * Non-maintainer upload. + * cve-2015-3238.patch: Add the changes in the generated pam_exec.8 + and pam_unix.8 in addition to (and after) the changes to the + source .xml files. This avoids unwanted rebuilds that can cause + problems due to differing files on different architectures of + the Multi-Arch: same libpam-modules. (Closes: #851545) + + -- Adrian Bunk Sat, 27 May 2017 18:44:02 +0300 + +pam (1.1.8-3.5) unstable; urgency=medium + + * Non-maintainer upload. + * Build-Depend on libfl-dev:native as well, for cross builds. + Re-closes: #846459 + * Fix "Unescaped left brace in regex" with Perl 5.22. Closes: #810873 + + -- Adam Borowski Fri, 30 Dec 2016 14:37:29 +0100 + +pam (1.1.8-3.4) unstable; urgency=medium + + * Non-maintainer upload. + * Add libfl-dev to Build-Depends, fixing FTBFS. Closes: #846459 + * Move xsl stuff to Build-Depends from -Indep to fix misbuilt manpages. + Closes: #812566 + + -- Adam Borowski Sun, 18 Dec 2016 01:03:58 +0100 + +pam (1.1.8-3.3) unstable; urgency=low + + * Non-maintainer upload. + [ Steve Langasek ] + * Updated Swedish translation to correct a typo, thanks to Anders Jonsson + and Martin Bagge. Closes: #743875 + * Updated Turkish translation, thanks to Mert Dirik . + (closes: #756756) + * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default + soft nofile limit read from pid 1 to FD_SETSIZE. Thanks to Robie Basak + for the patch. Closes: #783105. + * Acknowledge security NMU. + * pam-auth-update: don't mishandle trailing whitespace in profiles. + LP: #1487103. + + [ Laurent Bigonville ] + * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343) + * debian/watch: Update watch file and point it to http://www.linux-pam.org + * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in + namespace.init script (Closes: #624842) + * debian/control: Build-depends against debhelper (>= 9) to match the + defined debhelper compatibility + * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality, + thanks to Jakub Wilk for noticing (Closes: #761594) + * debian/control: Bump Standards-Version to 3.9.8 (no further changes) + * debian/libpam-doc.doc-base.applications-guide: Fix spelling + * debian/libpam0g-dev.examples: Do not use shell brace expansion + * debian/patches-applied/pam-loginuid-in-containers: Updated with the version + from Ubuntu, this should fix logins in containers (Closes: #726661) + * debian/patches-applied/update-motd: Updated with the version from Ubuntu: + use /run/motd.dynamic instead of /var/run/motd, nothing in the archive + uses the later (Closes: #743286) + * debian/patches-applied/make_documentation_reproducible.patch: Make the + build reproducible, removes differences when building with different + locale values (Closes: #792127) + + -- Laurent Bigonville Wed, 18 May 2016 02:04:29 +0200 + +pam (1.1.8-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix + module (Closes: #789986) + + -- Tianon Gravi Wed, 06 Jan 2016 15:53:31 -0800 + +pam (1.1.8-3.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix CVE-2013-7041: case-insensitive comparison used for verifying + passwords in the pam_userdb module (closes: #731368). + * Fix CVE-2014-2583: multiple directory traversal issues in the + pam_timestamp module (closes: 757555) + + -- Michael Gilbert Sat, 09 Aug 2014 09:50:42 +0000 + +pam (1.1.8-3) unstable; urgency=low + + * debian/rules: On hurd, link libpam explicitly with -lpthread since glibc + will not dynamically switch between the libc stubs and the libpthread + implementations on this architecture. Thanks to Samuel Thibault for the + patch. Closes: #743891. + + -- Steve Langasek Mon, 07 Apr 2014 17:49:38 -0700 + +pam (1.1.8-2) unstable; urgency=medium + + * Mark the libaudit-dev build-dependency linux-any, since it's not + available on non-Linux archs. Closes: #737035. + + -- Steve Langasek Thu, 13 Feb 2014 15:02:00 -0800 + +pam (1.1.8-1) unstable; urgency=medium + + * New upstream release. + - includes upstream changes to pam_exec. Closes: #670147. + - adds support for newer hashing algorithms to pam_userdb. + Closes: #671740. + - fixes handling of 'quiet' argument to pam_listfile, to match the + documentation. Closes: #592219. + - fixes handling of @users@@hosts netgroup syntax in access.conf. + Closes: #681223. + - fixes installation of the /etc/security/namespace.d directory. + Closes: #710998. + - 027_pam_limits_better_init_allow_explicit_root: support for reading + /proc/1/limits is upstream, this patch now only handles the policy + of resetting limits by default and not applying glob limits to root. + - debian/patches/fix-manpage-crud: drop, manpages now being generated + upstream with a newer, fixed xsltproc. + - debian/patches/pam_env-fix-overflow.patch, pam_env-fix-dos.patch, + glibc-2_16-compilation-fix.patch, sys-types-include.patch: drop, + included upstream. + * Add build-dependency on pkg-config. + * Ensure autogenerated files are after source files in all relevant patches, + so that regenerating documentation doesn't cause build skew. + * Drop the --disable-regenerate-docu argument, restoring the HTML manuals + to the libpam-doc package. Closes: #700485. + * No need to override dh_compress in debian/rules, it already handles .html + files correctly. + * debian/libpam-cracklib.prerm: use $DPKG_MAINTSCRIPT_PACKAGE_COUNT to avoid + prematurely removing the PAM config when the package is installed for + multiple architectures. Closes: #647428. + + -- Steve Langasek Thu, 16 Jan 2014 00:38:42 +0000 + +pam (1.1.3-11) unstable; urgency=low + + [ Wookey ] + * Disable libaudit for stage1 bootstrap. + + [ Steve Langasek ] + * debian/patches-applied/pam-loginuid-in-containers: pam_loginuid: + Ignore failure in user namespaces. + * Use [linux-any] in build-deps, instead of hard-coding a list of + non-Linux archs. Closes: #634516. + + -- Steve Langasek Tue, 14 Jan 2014 03:33:31 +0000 + +pam (1.1.3-10) unstable; urgency=low + + * Fix pam-auth-update handling of trailing blank lines in the fields of + profiles. LP: #1160288. + * Reintroduce libaudit support now that libaudit has been multiarched. + Closes: #699159. + + -- Steve Langasek Sun, 20 Oct 2013 15:30:46 -0700 + +pam (1.1.3-9) unstable; urgency=low + + * Revert libaudit support for now, because libaudit isn't multiarched yet + in unstable so this regresses cross-installability. Reopens bug + #699159. + * Add an or'ed dependency on cdebconf, which also implements the + xloadtemplatefile extension that prevents us from depending on just + 'debconf-2.0'. Thanks to Régis Boudin for the info. + Closes: #677278. + + -- Steve Langasek Tue, 12 Feb 2013 23:06:30 +0000 + +pam (1.1.3-8) unstable; urgency=low + + * Confirm NMU for bug #611136; thanks to Michael Gilbert. + - As a side effect, there will no longer be errors from reading the + .pam_environment twice since we are now reading it 0 times. + LP: #955032. + * Adjust the pam_env documentation to match the module behavior resulting + from the previous security upload. Closes: #693995. + * debian/rules: never regenerate manpages at build time; this may cause + build skew that breaks the world in a multiarch context. LP: #1095887. + * debian/patches-applied/glibc-2_16-compilation-fix.patch: fix missing + include causing build failure with eglibc 2.16. Thanks to Daniel + Schepler . Closes: #693450. + * Ditch autoconf patch in favor of a build-dependency on dh-autoreconf, + which will let us keep up-to-date with newer autotools. In the present + instance, this gets us aarch64 support. + * Install pam_timestamp_check - and while we're at it, move the manpage + to the correct binary package. Closes: #648695. + * Update lintian overrides to suppress some noise about hardening and + manpages. + * Enable audit support, by popular demand. This should have no major + impact unless you're also running auditd; but I reserve the right to + disable this again in the event that this causes a performance hit or + breaks upgrades (since the dependency is pulled into libpam, not just + into pam_tty_audit). Closes: #699159, LP: #937005. + + -- Steve Langasek Tue, 12 Feb 2013 05:36:29 +0000 + +pam (1.1.3-7.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix cve-2010-4708: user-configurable .pam_environment allows + administrator-level changes without root access (closes: #611136). + + -- Michael Gilbert Sun, 29 Apr 2012 02:23:26 -0400 + +pam (1.1.3-7) unstable; urgency=low + + * Updated debconf translations: + - Danish, thanks to Joe Dalton (closes: #648382) + - French, thanks to Jean-Baka Domelevo Entfellner + (closes: #649850) + - Dutch, thanks to Jeroen Schot + (closes: #650755) + - Russian, thanks to Yuri Kozlov (closes: #650867) + - Portuguese, thanks to Pedro Ribeiro + (closes: #652493) + - German, thanks to Sven Joachim (closes: #653407) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #654043) + - Bulgarian, thanks to Damyan Ivanov (closes: #656518) + - Slovak, thanks to Ivan Masár (closes: #656521) + - Japanese, thanks to Kenshi Muto (closes: #656834) + - Polish, thanks to Michał Kułach + (closes: #657476) + - Catalan, thanks to Innocent De Marchi + (closes: #657489) + - Czech, thanks to Miroslav Kure + (closes: #657578) + - Swedish, thanks to Martin Bagge (closes: #651349) + + -- Steve Langasek Sat, 28 Jan 2012 10:57:49 -0800 + +pam (1.1.3-6) unstable; urgency=low + + * debian/patches-applied/hurd_no_setfsuid: we don't want to check all + setre*id() calls; we know that there are situations where some of these + may fail but we don't care. As long as the last setre*id() call in each + set succeeds, that's the state we mean to be in. + * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer + keeps libpam loaded persistently at runtime, so it's not necessary to + force a kdm restart on ABI bump. Which is good, since restarting kdm + now seems to also log users out of running sessions, which we rather + want to avoid. Closes: #632673, LP: #744944. + * debian/patches-applied/update-motd: set a sane umask before calling + run-parts, and restore the old mask afterwards, so /run/motd gets + consistent permissions. LP: #871943. + * debian/patches-applied/update-motd: new module option for pam_motd, + 'noupdate', which suppresses the call to run-parts /etc/update-motd.d. + LP: #805423. + * debian/libpam0g.templates, debian/libpam0g.postinst: add a new question, + libraries/restart-without-asking, that allows admins to accept the + service restarts once for all so that they don't have to repeatedly + say "ok". LP: #745004. + * debian/libpam-runtime.templates, debian/local/pam-auth-update: add a + new 'title' template, so pam-auth-update doesn't give a blank title + when called outside of a maintainer script. LP: #882794. + + -- Steve Langasek Sun, 06 Nov 2011 19:43:14 -0800 + +pam (1.1.3-5) unstable; urgency=low + + [ Kees Cook ] + * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use + setresgid() to wipe out saved-gid just in case. + * debian/patches-applied/008_modules_pam_limits_chroot: + - fix off-by-one when parsing configuration file. + - when using chroot, chdir() to root to lose links to old tree. + * debian/patches-applied/022_pam_unix_group_time_miscfixes, + debian/patches-applied/026_pam_unix_passwd_unknown_user, + debian/patches-applied/054_pam_security_abstract_securetty_handling: + improve descriptions. + * debian/patches-applied/{007_modules_pam_unix,055_pam_unix_nullok_secure}: + drop unneeded no-op change to reduce delta from upstream. + * debian/patches-applied/hurd_no_setfsuid: check all set*id() calls. + * debian/patches-applied/update-motd: correctly clear environment when + building motd. + * debian/patches-applied/pam_env-fix-overflow.patch: fix stack overflow + in environment file parsing (CVE-2011-3148). + * debian/patches-applied/pam_env-fix-dos.patch: fix DoS in environment + file parsing (CVE-2011-3149). + + -- Steve Langasek Thu, 27 Oct 2011 21:33:57 -0700 + +pam (1.1.3-4) unstable; urgency=low + + * Make sure shared library links are also installed to the multiarch + directory, not just the .a files; otherwise the static libs get found + first by the linker. Thanks to Russ Allbery for catching this. + Closes: #642952. + + -- Steve Langasek Sun, 25 Sep 2011 22:33:55 +0000 + +pam (1.1.3-3) unstable; urgency=low + + * Look for /etc/init.d/postgresql, not /etc/init.d/postgresql-8.{2,3}, + for service restarts; the latter are obsolete since squeeze. + Closes: #631511. + * Move debian/libpam0g-dev.install to debian/libpam0g-dev.install.in + and substitute the multiarch path at build time, so our .a files go to + the multiarch dir instead of to /usr/lib. Thanks to Riku Voipio for + pointing out the bug. + * debian/control: adjust the package descriptions, as the current ones + use some awkward language that's gone unnoticed for a long time. Thanks + to Martin Eberhard Schauer for pointing this + out. Closes: #633863. + * Build-depend on debhelper 8.9.4 and bump debian/compat to 9 for + dpkg-buildflags integration, and drop manual setting of -g -O options in + CFLAGS now that we can let dh do it for us + * Don't set --sbindir when calling configure; upstream takes care of this + for us + + -- Steve Langasek Sat, 24 Sep 2011 20:08:56 +0000 + +pam (1.1.3-2) unstable; urgency=low + + [ Kees Cook ] + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + - only report about unknown kernel rlimits when "debug" is set + (Closes: 625226, LP: #794531). + + [ Steve Langasek ] + * Build for multiarch. Closes: #463420. + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + don't reset the process niceness for root; since it's root, they can + still renice to a lower nice level if they need to and changing the + nice level by default is unexpected behavior. Closes: #594377. + + -- Steve Langasek Tue, 21 Jun 2011 11:41:12 -0700 + +pam (1.1.3-1) unstable; urgency=low + + * New upstream release. + - Fixes CVE-2010-3853, executing namespace.init with an insecure + environment set by the caller. Closes: #608273. + - Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435. + Closes: #599832. + * Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv + interface; now possibly upstreamable + * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root: + set a better default RLIMIT_MEMLOCK value for BSD kernels. Thanks to + Petr Salinger for the fix. Closes: #602902. + * bump the minimum version check in maintainer scripts for the restart + handling. + + -- Steve Langasek Sat, 04 Jun 2011 03:10:50 -0700 + +pam (1.1.2-3) unstable; urgency=low + + [ Kees Cook ] + * 027_pam_limits_better_init_allow_explicit_root: load rlimit defaults + from the kernel (via /proc/1/limits), instead of continuing to hardcode + the settings internally. Fall back to internal defaults when the kernel + rlimits are not found. Closes: #620302. (LP: #746655, #391761) + + * Updated debconf translations: + - Vietnamese, thanks to Clytie Siddall + (closes: #601197) + - Dutch, thanks to Eric Spreen (closes: #605592) + - Danish, thanks to Joe Dalton (closes: #606739) + - Catalan, thanks to Innocent De Marchi + (closes: #622786) + + -- Steve Langasek Sun, 01 May 2011 01:49:11 -0700 + +pam (1.1.2-2) unstable; urgency=low + + * debian/patches-applied/hurd_no_setfsuid: handle some new calls to + setfsuid in pam_xauth that I overlooked, so that the build works again + on non-Linux. Closes: #613630. + + -- Steve Langasek Wed, 16 Feb 2011 09:27:11 -0800 + +pam (1.1.2-1) unstable; urgency=low + + * New upstream release. + - Add support for NSS groups to pam_group. Closes: #589019, + LP: #297408. + - Support cross-building the package. Thanks to Neil Williams + for the patch. Closes: #284854. + * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit + interface. Closes: #579402. + * Drop patches conditional_module,_conditional_man and + mkhomedir_linking.patch, which are included upstream. + * debian/patches/hurd_no_setfsuid: pam_env and pam_mail now also use + setfsuid, so patch them to be likewise Hurd-safe. + * Update debian/source.lintian-overrides to clean up some spurious + warnings. + * debian/libpam-modules.postinst: if any 'min=n' options are found in + /etc/pam.d/common-password, convert them on upgrade to 'minlen=n' for + compatibility with upstream. + * debian/NEWS: document the disappearance of 'min=n', in case users have + encoded this option elsewhere outside of /etc/pam.d/common-password. + * debian/patches/007_modules_pam_unix: drop compatibility handling of + 'max=' no-op; use of this option will now log an error, as warned three + years ago. + * Bump Standards-Version to 3.9.1. + * Add lintian overrides for a few more spurious warnings. + * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for + compatibility when it's not already set. Closes: #552043. + * debian/local/pam-auth-update: Don't try to pass embedded newlines to + debconf; backslash-escape them instead and use CAPB escape. + * debian/local/pam-auth-update: sort additional module options before + writing them out, so that we don't wind up with a different config file + on every invocation. Thanks to Jim Paris for the patch. + Closes: #594123. + * debian/libpam-runtime.{postinst,templates}: since 1.1.2-1 is targeted + for post-squeeze, we don't need to support upgrades from 1.0.1-6 to + 1.0.1-10 anymore. Drop the debconf error note about having configured + your system with a lack of authentication, so that translators don't + spend any more time on it. + * Updated debconf translations: + - Swedish, thanks to Martin Bagge (closes: #575875) + + -- Steve Langasek Tue, 15 Feb 2011 23:21:41 -0800 + +pam (1.1.1-7) UNRELEASED; urgency=low + + * Updated debconf translations: + - Italian, thanks to Nicole B. (closes: #602112) + + -- Steve Langasek Wed, 17 Nov 2010 16:53:46 -0800 + +pam (1.1.1-6.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: + - Czech (Miroslav Kure). Closes: #598329 + - Slovak (Ivan Masár). Closes: #600164 + - Japanese (Kenshi Muto). Closes: #600247 + - Finnish (Esko Arajärvi). Closes: #600641 + + -- Christian Perrier Tue, 19 Oct 2010 07:30:49 +0200 + +pam (1.1.1-6) unstable; urgency=low + + * Updated debconf translations: + - Swedish, thanks to Martin Bagge (closes: #575875) + + -- Steve Langasek Sun, 05 Sep 2010 23:36:35 -0700 + +pam (1.1.1-5) unstable; urgency=low + + * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit + interface. Closes: #579402. + * Update debian/source.lintian-overrides to clean up some spurious + warnings. + * Bump Standards-Version to 3.9.1. + * Add lintian overrides for a few more spurious warnings. + * debian/patches-applied/no_PATH_MAX_on_hurd: define PATH_MAX for + compatibility when it's not already set. Closes: #552043. + * debian/local/pam-auth-update: Don't try to pass embedded newlines to + debconf; backslash-escape them instead and use CAPB escape. + * debian/local/pam-auth-update: sort additional module options before + writing them out, so that we don't wind up with a different config file + on every invocation. Thanks to Jim Paris for the patch. + Closes: #594123. + + -- Steve Langasek Sun, 05 Sep 2010 12:42:34 -0700 + +pam (1.1.1-4) unstable; urgency=low + + * debian/patches/conditional_module,_conditional_man: if we don't have the + libraries required for building pam_tty_audit, we shouldn't install the + manpage either. LP: #588547. + * Updated debconf translations: + - Portuguese, thanks to Eder L. Marques + (closes: #581746) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #592172) + - Galician, thanks to Jorge Barreiro + (closes: #592808) + * Don't pass --version-script options when linking executables, + only when linking libraries. Thanks to Julien Cristau + for the fix. Closes: #582362. + + -- Steve Langasek Sun, 15 Aug 2010 21:53:46 -0700 + +pam (1.1.1-3) unstable; urgency=low + + * pam-auth-update: fix a bug in our handling of module options when the + module name contains digits, caused by a buggy regexp. :/ Partially + addresses LP #369575. + * Install /sbin/pam_tally2 in the libpam-modules package; thanks to + Olivier BONHOMME for reporting. Closes: #554010. + + -- Steve Langasek Sun, 25 Apr 2010 05:53:44 -0700 + +pam (1.1.1-2) unstable; urgency=low + + * Document the new symbols added in 1.1.1 in debian/libpam0g.symbols, and + raise the minimum version for the service restarting code. + Closes: #568480. + + -- Steve Langasek Wed, 17 Feb 2010 23:21:23 -0800 + +pam (1.1.1-1) unstable; urgency=low + + * New upstream version. + - restore proper netgroup handling in pam_access. + Closes: #567385, LP: #513955. + * Drop patches pam.d-manpage-section, namespace_with_awk_not_gawk, and + pam_securetty_tty_check_before_user_check, which are included upstream. + * debian/patches/026_pam_unix_passwd_unknown_user: don't return + PAM_USER_UNKNOWN on password change of a user that has no shadow entry, + upstream now implements auto-creating the shadow entry in this case. + * Updated debconf translations: + - French, thanks to Jean-Baka Domelevo Entfellner + (closes: #547039) + - Bulgarian, thanks to Damyan Ivanov (closes: #562835) + * debian/patches/sys-types-include.patch: fix pam_modutil.h so that it can + be included directly, without having to include sys/types.h first. + Closes: #556203. + * Add postgresql-8.3 to the list of services in need of restart on upgrade. + Closes: #563674. + * And drop postgresql-{7.4,8.1} from the list, neither of which is present + in stable. + * debian/patches/007_modules_pam_unix: recognize that *all* of the password + hashes other than traditional crypt handle passwords >8 chars in length. + LP: #356766. + + -- Steve Langasek Mon, 01 Feb 2010 02:04:33 -0800 + +pam (1.1.0-4) unstable; urgency=low + + * debian/patches/pam_securetty_tty_check_before_user_check: new patch, + to make pam_securetty always return success on a secure tty regardless + of what username was passed. Thanks to Nicolas François + for the patch. Closes: #537848 + * debian/local/pam-auth-update: only reset the seen flag on the template + when there's new information; this avoids reprompting users for the same + information on upgrade, regardless of the debconf priority used. + Closes: #544805. + * libpam0g no longer depends on libpam-runtime; packages that use + /etc/pam.d/common-* must depend directly on libpam-runtime, and most do + (including the Essential: yes ones), so let's break this circular + dependency. Closes: #545086, LP: #424566. + + -- Steve Langasek Mon, 14 Sep 2009 18:47:25 -0700 + +pam (1.1.0-3) unstable; urgency=low + + * Bump debian/compat to 7, so we can use sane contents in debian/*.install + * Switch all packages over to dh_install + * Rename debian/*.lintian to debian/*.lintian-overrides and use dh_lintian + * Move installation logic out of debian/rules into individual .install + files + * Drop superfluous options to dh_installchangelogs, dh_shlibdeps + * Use debian/clean instead of rm -f'ing files in debian/rules clean target + * Drop ./configure options that are no-ops + * Drop the /lib/security/pam_unix_*.so symlinks, which have been deprecated + now for 10 years and are not used at all if pam-auth-update is in play. + * Drop the pam_rhosts_auth.so symlink as well, and document in NEWS.Debian + that this is now obsolete. + * Drop stale content from README.debian: some of this should have been in + NEWS.Debian instead (but is so old it's not worth putting it there now), + some of it is obsolete by the change in package VCS. + * Convert debian/rules to debhelper 7 and add versioned build-dependencies + on debhelper and quilt to suit. + * Drop CFLAGS that we don't need anymore (-fPIC, -D_REENTRANT, + -D_GNU_SOURCE). + * Explicitly add -O0 to CFLAGS when noopt is set. + * debian/patches/autoconf.patch: pull ltmain.sh in, to fix some spurious + library linkage in the modules. + * Move pam_cracklib manpage to the libpam-cracklib package, and add the + requisite Replaces + * Drop dh_makeshlibs -V; everything from lenny on should use the .symbols + file instead, making the shlibs redundant so we don't need to care what + version gets listed there. + + -- Steve Langasek Mon, 07 Sep 2009 18:47:45 -0700 + +pam (1.1.0-2) unstable; urgency=low + + [ Steve Langasek ] + * debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch + to call setregid() instead of always returning an error on username + mismatch in unix_chkpwd, needed in the SELinux case and in some corner + cases with the broken_shadow option. Thanks to Michael Spang for the + analysis. Closes: #543589. + * fix the PAM mini-policy to not tell app maintainers that they don't need + to depend on libpam-modules if they reference modules from there. + * make libpam-runtime depend on libpam-modules (>= 1.0.1-6) - nothing else + guarantees that we have pam_unix available for use by pam-auth-update. + * Use /bin/sh instead of /bin/bash for libpam0g.postinst, since we've + confirmed there are no longer any bashisms there. Closes: #519973. + * Clean up the libpam0g postinst a bit; invoke-rc.d has been a guaranteed + interface for two stable release cycles now + * debian/patches/namespace_with_awk_not_gawk: fix the sample + namespace.init script's dependency on non-POSIX features of gawk, since + we don't use gawk by default. Closes: #518908. + * Updated debconf translations: + - German, thanks to Sven Joachim (closes: #544464) + + [ Kees Cook ] + * debian/local/common-password, debian/pam-configs/unix: switch from "md5" + to "sha512" as password crypt default. + + -- Steve Langasek Mon, 31 Aug 2009 14:21:27 -0700 + +pam (1.1.0-1) unstable; urgency=low + + * New upstream version. + - pam_access no longer does DNS lookups when we know we're comparing + with a tty name or a service name. Closes: #376209. + - fixes for manpage spelling. Closes: #488690. + - fix evaluation of or'ed list of users in time.conf and group.conf. + Closes: #326407, #514423. + * Drop patches pam_unix_thread-safe_save_old_password.patch, + pam_env_ignore_garbage.patch, dont_freeze_password_chain, + pam_1.0.4_mindays, pam_mail-fix-quiet, pam_unix-chkpwd-wait, and + cve-2009-0887-libpam-pam_misc.patch, which are included upstream. + * Trim pam.d-manpage-section patch, which was mostly but not completely + applied upstream. + * Update debian/libpam0g.symbols for new extension. + * Bump the shlibs version as well, for our dpkg-shlibdeps fallback. + * And bump the version checks in the libpam-modules {pre,post}inst, so that + the necessary services get restarted for any modules that need the new + symbols. + * Add /sbin/mkhomedir_helper to libpam-modules. + * Document that pam_cracklib no longer checks /etc/security/opasswd. + Closes: #263767. + * debian/patches/007_modules_pam_unix: drop divergence from upstream + that treats "0" as a special value in various fields in /etc/shadow, + and document this in debian/NEWS. Thanks to Nicolas François + for the detailed analysis. + Closes: #308229. + * Updated debconf translations: + - French, thanks to Jean-Baka Domelevo Entfellner + (closes: #521266) + * Build with LDFLAGS=-Wl,-z,defs to guard against the possibility of + any undefined symbols (due to typos or otherwise) at build time. + Closes: #102311. + * On upgrade from versions before 1.1.0-1, if + /etc/pam.d/common-session-noninteractive has not been created (because + the user declined use of pam-auth-update), create it by copying + /etc/pam.d/common-session. Closes: #543401. + * debian/patches/fix-man-crud: new patch, fix "undefined macro" errors in + manpages caused by oddities of toolchain used when generating them + upstream. + + -- Steve Langasek Tue, 25 Aug 2009 20:35:26 -0700 + +pam (1.0.1-11) unstable; urgency=low + + * debian/libpam-runtime.postinst: bump the --force version check to + 1.0.1-11, to allow for a new common-session-noninteractive config file; + and include md5sum checking logic that will work the same with old + unmanaged and new managed /etc/pam.d/common-* files. + * debian/local/common-{auth,account,session,password}.md5sums: document + the known md5sums for the new managed files. + * debian/local/common-session-noninteractive{,.md5sums}, + debian/local/pam-auth-update: split out a session-noninteractive include + file, so that we can at last distinguish between interactive and + non-interactive PAM sessions at a policy level. Closes: #169930, + LP: #287715. + * debian/local/pam-auth-update: prune md5sums for unsupported upgrade + paths (intrepid pre-release -> karmic/squeeze) + * Clean up the PAM mini-policy, which hasn't been touched in a number of + years and was looking a bit crufty + * debian/libpam-runtime.templates: correctly tag the URL as a + non-translatable string. + * Updated debconf translations: + - Swedish, thanks to Martin Bagge (closes: #541399) + - Portuguese, thanks to Américo Monteiro + (closes: #541108) + - Russian, thanks to Yuri Kozlov (closes: #541094) + + -- Steve Langasek Sun, 23 Aug 2009 18:07:11 -0700 + +pam (1.0.1-10) unstable; urgency=high + + [ Steve Langasek ] + * Updated debconf translations: + - Finnish, thanks to Esko Arajärvi (closes: #520785) + - Russian, thanks to Yuri Kozlov (closes: #521874) + - German, thanks to Sven Joachim (closes: #521530) + - Basque, thanks to Piarres Beobide + (closes: #524285) + * When no profiles are chosen in pam-auth-update, throw an error message + and prompt again instead of letting the user end up with an insecure + system. This introduces a new debconf template. Closes: #519927, + LP: #410171. + + [ Kees Cook ] + * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes + for MINDAYS-Field regression (closes: #514437). + * debian/control: add missing misc:Depends for packages that need it. + + [ Sam Hartman ] + * Remove conflicts information for transitions prior to woody release + * Fix lintian overrides for libpam-runtime + * Overrides for lintian finding quilt patches + * pam_mail-fix-quiet: patch from Andreas Henriksson + applied upstream to fix quiet option of pam_mail, Closes: #439268 + + [ Dustin Kirkland ] + * debian/patches/update-motd: run the update-motd scripts in pam_motd; + render update-motd obsolete, LP: #399071 + + [ Sam Hartman ] + * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem + (CVE-2009-0887) (Closes: #520115) + + -- Steve Langasek Thu, 06 Aug 2009 17:54:32 +0100 + +pam (1.0.1-9) unstable; urgency=low + + * Move the pam module packages to section 'admin'. + * 027_pam_limits_better_init_allow_explicit_root: defaults need to be + declared as LIMITS_DEF_DEFAULT instead of LIMITS_DEF_ALL, otherwise + global limits will fail to be applied. LP: #314222. + + -- Steve Langasek Fri, 20 Mar 2009 19:48:47 -0700 + +pam (1.0.1-8) unstable; urgency=low + + * Updated debconf translations: + - Bulgarian, thanks to Damyan Ivanov (closes: #518121) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #518214) + - Swedish, thanks to Martin Bagge (closes: #518324) + - Vietnamese, thanks to Clytie Siddall + (closes: #518329) + - Japanese, thanks to Kenshi Muto (closes: #518335) + - Slovak, thanks to Ivan Masár (closes: #518341) + - Czech, thanks to Miroslav Kure (closes: #518992) + - Portuguese, thanks to Américo Monteiro + (closes: #519204) + - Galician, thanks to Marce Villarino + (closes: #519447) + - Romanian, thanks to Eddy Petrișor + (closes: #520552) + * 027_pam_limits_better_init_allow_explicit_root: set the RLIMIT_MEMLOCK + limit correctly to match the kernel default, which is not RLIM_INFINITY. + Closes: #472629. + + -- Steve Langasek Fri, 20 Mar 2009 18:15:07 -0700 + +pam (1.0.1-7) unstable; urgency=low + + * 027_pam_limits_better_init_allow_explicit_root: + - fix the patch so that our limit resets are actually *applied*, + which has apparently been broken for who knows how long! + - shadow the finite kernel defaults for RLIMIT_SIGPENDING and + RLIMIT_MSGQUEUE as well, so that the preceding change doesn't + suddenly expose systems to DoS or other issues. + - include documentation in the patch, giving examples of how to set + limits for root. Thanks to Jonathan Marsden. + * pam-auth-update: swap out known md5sums from intrepid pre-release + versions with the md5sums from the released intrepid version + * pam-auth-update: set the umask, so we don't accidentally mark + /etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching. + Closes: #518042. + + -- Steve Langasek Tue, 03 Mar 2009 17:18:42 -0800 + +pam (1.0.1-6) unstable; urgency=low + + * Updated debconf translations: + - Vietnamese, thanks to Clytie Siddall + * New patch dont_freeze_password_chain, cherry-picked from upstream: + don't always follow the same path through the password stack on + the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK + pass; this Linux-PAM deviation from the original PAM spec causes a + number of problems, in particular causing wrong return values when + using the refactored pam-auth-update stack. LP: #303515, #305882. + * debian/local/pam-auth-update (et al): new interface for managing + /etc/pam.d/common-*, using drop-in config snippets provided by module + packages. + + -- Steve Langasek Sat, 28 Feb 2009 13:36:57 -0800 + +pam (1.0.1-5) unstable; urgency=low + + * Build-conflict with libxcrypt-dev, which otherwise pulls libxcrypt in as + a dependency of libpam-modules if it's installed during the build. + Thanks to Larry Doolittle for catching. + * Don't refer to gnome-screensaver in the debconf template; it isn't + actually affected by the libpam symbol issue because it forks a separate + process to display the screensaver dialog. + * Have libpam-modules Pre-Depend on ${misc:Depends}, so that we can + warn users about needing to disable xscreensaver and xlockmore + before libpam-modules is unpacked. Closes: #502140, LP: #256238. + * Updated debconf translations for the new template: + - Italian, thanks to David Paleino + - Simplified Chinese, thanks to Deng Xiyue + (closes: #510371) + - Portuguese, thanks to Américo Monteiro + - Swedish, thanks to Martin Bagge (closes: #510379) + - Japanese, thanks to Kenshi Muto (closes: #510380) + - Finnish, thanks to Esko Arajärvi (closes: #510382) + - Spanish, thanks to Javier Fernandez-Sanguino Peña + (closes: #510389) + - Galician, thanks to Marce Villarino + - Slovak, thanks to helix84 (closes: #510412) + - Bulgarian, thanks to Damyan Ivanov + - Czech, thanks to Miroslav Kure < + (closes: #510608) + - French, thanks to Steve Petruzzello + - German, thanks to Sven Joachim (closes: #510617) + - Basque, thanks to Piarres Beobide + (closes: #510699) + - Russian, thanks to Yuri Kozlov (closes: #510701) + - Turkish, thanks to Mert Dirik (closes: #510707) + + -- Steve Langasek Tue, 06 Jan 2009 00:05:13 -0800 + +pam (1.0.1-4) unstable; urgency=high + + * High-urgency upload for RC bugfix. + + [ Julien Cristau ] + * pam_unix-chkpwd-wait: don't assume that the unix_chkpwd process exits + normally; if it was killed by a signal, we don't want to accept the + password. Closes: #495879. + + [ Steve Langasek ] + * 007_modules_pam_unix: update the manpage at the same time as the xml + source (grr, autogenerated files in source packages). Closes: #495804. + * 055_pam_unix_nullok_secure: also don't call the helper at all from + _unix_blankpasswd when we can detect that null passwords are disallowed, + to avoid causing spammy logs on successful authentications. + Closes: #496620. + * debian/rules: call chgrp *before* calling chmod, lest the sgid bit + on unix_chkpwd be cleared during the build when using -rsudo. + Closes: #496983. + + -- Steve Langasek Thu, 28 Aug 2008 22:59:23 -0700 + +pam (1.0.1-3) unstable; urgency=high + + * 055_pam_unix_nullok_secure: don't call _pammodutil_tty_secure with a NULL + tty argument, since this will cause our helper to segfault instead of + returning a useful value. Thanks to Troy Davis for the report. + Closes: #495806. + + -- Steve Langasek Wed, 20 Aug 2008 11:55:47 -0700 + +pam (1.0.1-2) unstable; urgency=low + + * 007_modules_pam_unix: update the documentation to correctly document + the default minimum password length is 6, not 1. + * Look for cups instead of cupsys as an init script name when restarting + services; thanks to Stephen Olander-Waters for pointing this out. + Closes: #492977. + * Update the Debian PAM mini-policy to remove references to the + long-obsolete pam_pwdb, and clarify the relationship between pam_stack + and @include. + * Drop various bits of unused cruft from the debian/ directory. + * Drop libpam-runtime.preinst, only used for upgrades from woody to sarge + to deal with modified conffiles. + * Build-Conflict with libdb4.2-dev, which satisfies the libdb-dev + build-dependency but causes pam_userdb to be silently omitted. + Closes: #493574. + * 054_pam_security_abstract_securetty_handling: move the warning log about + an insecure tty back to pam_securetty proper; we don't want to generate + log messages every time pam_unix is called as non-root. + Closes: #493283. As a side-effect, pam_unix no longer logs any warnings + about NULL password + insecure tty, but I don't think this is critical. + + -- Steve Langasek Fri, 08 Aug 2008 10:47:26 -0700 + +pam (1.0.1-1) unstable; urgency=low + + * New upstream version. + - pam_limits: bound RLIMIT_NICE from below. Closes: #403718. + - pam_mail: set the MAIL variable even when .hushlogin is set. + Closes: #421010. + - new minclass option introduced for pam_cracklib. Closes: #454237. + - fix a failure to check the string length when matching usernames in + pam_group. Closes: #444427. + - fix setting shell security context in pam_selinux. Closes: #451722. + - use --disable-audit, to avoid libaudit being linked in + accidentally + - pam_unix now supports SHA-256 and SHA-512 password hashes. + Closes: #484249, LP: #245786. + - pam_rhosts_auth is dropped upstream (closes: #382987); add a compat + symlink to pam_rhosts to support upgrades for a release, and give a + warning in NEWS.Debian. + - new symbol in libpam.so.0, pam_modutil_audit_write; shlibs bump, and + do another round of service restarts on upgrade. + - pam_unix helper is now called whenever an unprivileged process + tries and fails to query a user's account status. Closes: #367834. + * Drop patches 006_docs_cleanup, 015_hurd_portability, + 019_pam_listfile_quiet, 024_debian_cracklib_dict_path, 038_support_hurd, + 043_pam_unix_unknown_user_not_alert, 046_pam_group_example, + no_pthread_mutexes, limits_wrong_strncpy, misc_conv_allow_sigint.patch, + pam_tally_audit.patch, 057_pam_unix_passwd_OOM_check, and + 065_pam_unix_cracklib_disable which have been merged upstream. + * Patch 022_pam_unix_group_time_miscfixes: partially merged upstream; + now is really just "pam_group_miscfixes". + * Patch 007_modules_pam_unix partially superseded upstream; stripping + hpux-style expiry information off of password fields is now supported. + * New patch pam_unix_thread-safe_save_old_password.patch, to make sure all + our getpwnam() use in pam_unix is thread-safe (fixes an upstream + regression) + * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream + regression which prevents sgid shadow apps from being able to authenticate + any more because the module forces use of the helper and the helper won't + allow authentication of arbitrary users. This change does mean we're + going to be noisier for the time being in an SELinux environment, which + should be addressed but is not a regression on Debian. + * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an + upstream change that causes unix_chkpwd to assume that setuid(getuid()) + is sufficient to drop permissions and attempt any authentication on + behalf of the user. + * The password-changing helper functionality for SELinux systems has been + split out into a separate unix_update binary, so at long last we can + change unix_chkpwd to be sgid shadow instead of suid root. + Closes: #155583. + - Update the lintian override to match. + * Install the new unix_update helper into libpam-modules. + * Use a pristine upstream tarball instead of repacking; requires various + changes to debian/rules and debhelper files. + * Replace the Vcs-Svn field with a Vcs-Bzr field; jumping ship from svn, + and how! + * Debconf translations: + - Romanian, thanks to Igor Stirbu + (closes: #491821) + * Add libpam0g.symbols, for finer-grained package dependencies with + dpkg-gensymbols. + * Fix debian/copyright to list the known copyright holders + * Fix up the doc-base sections for the libpam-doc documentation, "Apps" + should not be part of the section name + * Also fix up whitespace issues in the doc-base abstracts + * Fix a typo in the libpam0g-dev description. + * 027_pam_limits_better_init_allow_explicit_root: RLIM_INFINITY is also + invalid for RLIMIT_NOFILE, so when resetting the limits for a new session, + use the kernel default of 1024 instead. Closes: #404836. + * Create /etc/environment on initial install of libpam-modules (or on + upgrade from an old version), to quell warnings in the logs about it + being missing. Closes: #442049. + * 026_pam_unix_passwd_unknown_user: drop a redundant, and broken, check for + the NSS source of our user; this was preventing password changes for NIS + users, which otherwise should have worked. Closes: #203222, LP: #9224. + * New patch do_not_check_nis_accidentally: respect the 'nis' option + (set or unset) when looking up the user's password entry for password + changes. Thanks to Quentin Godfroy for the + patch. Closes: #469635. + * Drop patch 049_pam_unix_sane_locking, which upon review is not needed; + it reduces the length of time we hold the lock, but at the expense of + being able to enforce minimum times between password changes. + * debian/watch: upstream has hit 1.0, so we're no longer in a "pre" + directory. Fix up the regex for uscan. + * Fix the libpam0g-dev examples directory to not include a gratuitous + .cvsignore file. + * New patch, pam.d-manpage-section, to fix the manpage references to + point to section 5 instead of section 8. + * Update patch PAM-manpage-section to fix the references to pam(7) from + other manpages. Closes: #470137. + * Add debian/README.source documenting that this package uses quilt. + * Bump Standards-Version to 3.8.0. + * Fix a bug in the uid-restoring code in the hurd_no_setfsuid patch; thanks + to Tomas Mraz for indirectly bringing this to my + attention + + -- Steve Langasek Mon, 28 Jul 2008 13:56:26 -0700 + +pam (0.99.7.1-7) unstable; urgency=medium + + * Medium-urgency upload for RC bugfix + * Debconf translations: + - Italian, thanks to David Paleino (closes: #483913) + - Slovak, thanks to Ivan Masár (closes: #488908) + - Turkish, thanks to Mert Dirik (closes: #490880) + - Basque, thanks to Piarres Beobide + (closes: #473975) + * Drop the 'XS' from Vcs-Svn/Vcs-Browser, since these are now officially + recognized fields. + * Add a Homepage field. Closes: #473338. + * Drop -DCRACKLIB_DICTS from CFLAGS, since the referenced define is no + longer provided by cracklib2-dev 2.8 and above. This requires a + build-dependency on the corresponding version of libcrack2-dev. + Closes: #490236. + + -- Steve Langasek Mon, 21 Jul 2008 11:49:59 -0700 + +pam (0.99.7.1-6) unstable; urgency=low + + * Debconf translations: + - Updated Vietnamese, thanks to Clytie Siddall + (closes: #444437) + - Updated Spanish, thanks to Javier Fernández-Sanguino Peña + (closes: #444479) + - Updated German, thanks to Sven Joachim + (closes: #444566) + - Galician, thanks to Jacobo Tarrio (closes: #444758) + - Updated Czech, thanks to Miroslav Kure + (closes: #445022) + - French, thanks to Cyril Brulebois + (closes: #445869) + - Japanese, thanks to Kenshi Muto (closes: #446584) + - Dutch, thanks to Bart Cornelis (closes: #448930) + - Basque, thanks to Piarres Beobide (closes: #457042) + - Updated Finnish, thanks to Esko Arajärvi (closes: #458264) + - Swedish, thanks to Christer Andersson + (closes: #457674) + * Make sure the "audit" option is specified in octal instead of in decimal, + so that it doesn't randomly set other options. Thanks to Corey Wright + for the catch. Closes: #446327. + + -- Steve Langasek Sun, 16 Mar 2008 02:06:28 -0700 + +pam (0.99.7.1-5) unstable; urgency=low + + * More lintian overrides, related to debconf prompting in the postinst + * Debconf translations: + - Brazilian Portuguese, thanks to Eder L. Marques + (closes: #440385) + - Russian, thanks to Yuri Kozlov + (closes: #440390, #440953, #444039) + - Bulgarian, thanks to Damyan Ivanov + (closes: #441863) + - Finnish, thanks to Esko Arajärvi (closes: #443720) + - Simplified Chinese, thanks to Ming Hua + (closes: #443924) + - Updated Portuguese, thanks to Américo Monteiro + - Updated Vietnamese, thanks to Clytie Siddall + (closes: #440800) + - Updated German, thanks to Sven Joachim + - Updated Spanish, thanks to Javier Fernández-Sanguino Peña + + - Updated Czech, thanks to Miroslav Kure + (closes: #441325) + * Further cleanups of 007_modules_pam_unix -- don't use a global variable + for pass_min_len, don't gratuitously move the length checking into the + "obscure" checks, and internationalize the error strings. + * Stop overriding the built-in default minimum password length in + /etc/pam.d/common-password, and also drop the "max" option which has now + been obsoleted. + * Fix up the comments in /etc/pam.d/common-password to make it clear that + the options are specific to pam_unix. Closes: #414559. + * Patch 038: fix another thinko in the getline handling. Closes: #442276. + * If there are active X logins, don't restart kdm, wdm, and xdm by default; + instead, display a debconf error if they haven't been restarted. + Closes: #441843. + * Drop the local patch for Linux capabilities in pam_limits; Linux + capabilities are not generally useful in a PAM context, and the PAM + capabilities patch has been broken through much of its life. + Closes: #440130. + * -Wl,-z,defs was never enabled correctly, drop it since upstream is + already using -no-undefined + * Pass --build and --host args to ./configure as necessary, for + cross-building support. + + -- Steve Langasek Fri, 28 Sep 2007 00:17:00 -0700 + +pam (0.99.7.1-4) unstable; urgency=low + + * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted + to fix the library skew, only reloaded; special-case this daemon in the + postinst and remove the mention of it from the debconf template, also + tightening the language of the debconf template in the process. + Closes: #440074. + * Add courier-authdaemon to the list of services that need to be + restarted; thanks to Micah Anderson for reporting. + * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over + garbage lines in /etc/environment and log an error, instead of failing + with an obscure error; and ignore any PAM_BAD_ITEM values returned + by pam_putenv(), since this is the expected error return when trying + to delete a non-existent var. Closes: #439984. + * Yet another thinko in hurd_no_setfsuid and in + 029_pam_limits_capabilities; this code should really be Hurd-safe at + last... + * getline() returns -1 on EOF, not 0; check this appropriately, to fix + an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl + for the fix. Closes: #440019. + * Use ${misc:Depends} for libpam0g, so we get a proper dependency on + debconf. + * 019_pam_listfile_quiet: per discussion with upstream, don't suppress + errors about missing files or files with wrong permissions; these are + real errors that should not be buried. + * Drop the remainder of 061_pam_issue_double_free, not required for the + original bugfix. + * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that + we define CRACKLIB_DICTS in debian/rules. + * Drop patch 063_paswd_segv, superseded by a different upstream fix + * Split 047_pam_limits_chroot_string_value up between + 008_modules_pam_limits_chroot and 029_pam_limits_capabilites + * Updates to patch 007_modules_pam_unix: restore the same built-in min + password len of 6 that upstream uses; fix a typo panlindrome -> + palindrome. + * The 'max=' option was never intended to be used to limit maximum password + length for users, only to declare what the number of significant + characters /is/ for a password. But we don't need a config option to + tell us that, we know the answer based on which crypt type we're using, + so drop this as a config file option. Closes: #389197. + * Debconf translations: + - Spanish, thanks to Javier Fernández-Sanguino Peña + - Vietnamese, thanks to Clytie Siddall + - German, thanks to Sven Joachim (closes: #440355) + - Czech, thanks to Miroslav Kure + (closes: #440362) + - Portuguese, thanks to Américo Monteiro + (closes: #440368) + + -- Steve Langasek Fri, 31 Aug 2007 17:11:05 -0700 + +pam (0.99.7.1-3) unstable; urgency=low + + * New patch limits_wrong_strncpy: fix unnecessary manipulations of string + buffers, including an illegal use of strncpy(). Thanks to Paul Hampson + for reporting. Closes: #331278. + * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the + application, instead of blocking it when misc_conv is in use and + preventing users from being able to ^C at any PAM prompt. Closes: #1708. + * 024_debian_cracklib_dict_path: default to NULL instead of a specific + dictionary path when none is defined for consistency with the new upstream + version of cracklib, and define our path in debian/rules. + * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option, + a prereq for forwarding this patch upstream. Closes: #325974. + * Create /etc/security/opasswd on new installs or on upgrades from + 0.99.7.1-2 or below, so that users that enable the remember= option to + pam_unix aren't left unable to change passwords. Closes: #95324. + * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code + from compiling on the Hurd still. Thanks to Michael Banck for the catch. + * Fix a memory leak in the pam_limits capabilities patch: always + cap_free() the cap_t before returning from pam_sm_open_session(). + Closes: #153157. + * libpam0g.postinst, libpam0g.templates: on upgrades from versions + prior to 0.99.7.1-3, restart known PAM-using services so that they + get the new libpam symbols, since otherwise the newer PAM modules + will fail to load. Postinst taken from libssl0.9.8; thanks to + Christoph Martin for the fine example! Closes: #439835. + * Build-depend on po-debconf to support l10n of the debconf questions + from the above. + + -- Steve Langasek Tue, 28 Aug 2007 06:33:33 -0700 + +pam (0.99.7.1-2) unstable; urgency=low + + * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz + for their extensive work in helping to prepare for this update in Debian. + Closes: #360460. + - now uses autoconf for library detection, so SELinux should not be + unconditionally enabled on non-Linux archs. Closes: #333141. + - pam_mail notice handling has been completely reworked, so there should + no longer be missing spaces in the messages. Closes: #119689. + - with libtool and autoconf, now behaves "sensibly" on unknown + platforms. Closes: #165067. + - the source now builds without warnings. Closes: #212165. + - uses automake instead of hand-rolled makefiles with indentation + bugs. Closes: #241661, #328084. + - pam_mkhomedir now creates directories recursively as needed. + Closes: #178225. + - pam_listfile now supports being used as a session module too. + Closes: #416665. + - misspelled pam_userdb log message has been corrected. Closes: #305058. + - the current pam_strerror manpage no longer mentions "Unknown + Linux-PAM error". Closes: #220157. + - the text documentation no longer uses ANSI bold sequences. + Closes: #181451. + - pam_localuser now supports being used as a session module. + Closes: #412484. + - package no longer fails to build with dash as /bin/sh. + Closes: #331208. + - All modules should now be documented in the system administrator + guide. Closes: #350620. + - pam_userdb now logs an error instead of segfaulting when no db= + option is provided. Closes: #436005. + - pam_time now warns on a missing tty instead of erroring out, + making it possible to use the module with non-console services. + Closes: #127931. + - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install + accordingly + - bump the shlibs + - the 'test.c' example no longer exists + - add /usr/share/locale to libpam-runtime. + - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an + arbitrary username, and then only when SELinux is active. + Closes: #336344. + * Mark myself as primary maintainer as previously discussed with Sam, and + add Roger as an uploader. + * Refactor to use quilt. + * Update to Standards-Version 3.7.2. + * Drop unnecessary build-dependency on patch, which is + build-essential (and no longer invoked directly). + * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus, + 018_man_fixes, 030_makefile_link_against_libpam, + 037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd, + 050_configure_in_gnu and 052_pam_unix_no_openlog, which have been + superseded upstream. + * Drop patches 005_pam_limits_099_6, + 012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes, + 048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv, + 060_pam_tally_segv and 062_c++_safe_headers, which have been integrated + upstream. + * Patch 057: SELinux support is merged upstream, leaving only an + unrelated OOM check for pam_unix_passwd. Rename as + 057_pam_unix_passwd_OOM_check. + * Patches 006, 008, 036: update for the switch from SGML to XML. + * Patch 007: update for the switch from SGML to XML; drop some log + messages that were already added upstream; update for the pam_modutil + changes; tighten the flag handling of the 'obscure' option; drop bogus + check in unix_chkpwd for null passwords. Also fix a grammar error + along the way. Closes: #362855. + * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch + pam_cracklib.c instead to use the default dictpath already available + from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead + of AC_CHECK_HEADER, so crack.h is actually included. Also remove + unnecessary string copies, which break on the Hurd due to PATH_MAX. + * Patch 038: partially merged/superseded upstream; also add new Hurd + fix for pam_xauth. + * Patch 061: partially merged upstream + * Use ${binary:Version} instead of ${Source-Version} in + debian/control. + * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm}, + debian/libpam0g.{postinst,prerm}, and + debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these + just fine without our help. + * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl + and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra, + groff, and opensp. + * Also build-depend on flex for libfl.a. + * Updates for documentation handling: + - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide, + and invoke dh_installdocs instead of installing these by hand. + - drop libpam-doc.{postinst,prerm}, which are no longer needed. + - add an install target to debian/rules, and have binary-indep depend on + it instead of trying to install doc files individually from the source + tree + - consequently, drop libpam-doc.dirs as well which is no longer needed + and no longer accurate + - add debian/libpam-doc.install for moving the docs to the right place, + and also replace libpam-runtime.files with libpam-runtime.install; + for the moment this means we're using both dh_movefiles and + dh_install... + - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further + cleaning up debian/rules + * Drop debian/libpam0g.links, no longer needed because upstream now has a + working install target which creates the library symlinks + * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so + symlinks by hand, no longer provided upstream. + * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage + belongs in section 7, not in section 8. + * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime. + * debian/patches-applied/autoconf.patch: move all changes to autotools + generated files into a single patch at the end of the stack. + - don't touch configure in debian/rules, the quilt patch takes care + of this for us. + * New patch 064_pam_unix_cracklib_dictpath: correctly define + CRACKLIB_DICTS, since this is not defined by configure. Thanks to Jan + Christoph Nordholz. + * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable + cracklib support in pam_unix. Thanks to Christoph Nordholz. + * debian/rules: + - Rename OS_CFLAGS to CFLAGS. + - kill off references to unused variables + - make binary-arch also depend on the install target, and streamline the + rules + - fix up the clean target to not ignore errors; thanks to Roger Leigh + - drop the local module_check target in favor of using -Wl,-z,defs + in LDFLAGS to enforce correct linkage of all objects at build time + * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage. + * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally + for consistency. + * Update to debhelper V5. + * Don't ship Makefiles as part of the libpam0g-dev examples. + * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages: + put all the manpages in the correct packages. Closes: #411812, + #62193, #313486, #300773, #330545, #184270. + * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything + because we aren't trying to ship empty directories in the packages + * Build-Conflict with fop, to avoid unreproducible builds of pdf + documentation from a tool in contrib. + * libpam-cracklib should depend on a real wordlist package, per policy; + use wamerican as the default. + * Drop local/pam-undocumented.7 from the package, since we no longer have + a reason to ship it + * Add lintian overrides for known false-positives + * Conflicts/Replaces/Provides libpam-umask, now included upstream. + Closes: #436222. + * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms + by hand in debian/rules. In the process, unix_chkpwd is now writable + by the owner, as expected by policy. Closes: #368100. + * Migrate from db4.3 to db4.6; once again, no administrator action should + be needed for upgrading on-disk database formats. Closes: #354309. + * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to + Laurent Bigonville for the hint. Closes: #439038. + * Add a watch file for use with uscan; thanks to Laurent Bigonville for + this patch as well. Closes: #439040. + * Rewrite of 031_pam_include, fixing a memory leak and letting us drop + patch 056_no_label_at_end; thanks to Jan Christoph Nordholz + for this much-improved version! + * New patch no_pthread_mutexes: don't use pthread mutexes in + pam_modutil functions, they're not needed because pam handles + themselves should not be used concurrently by multiple threads and + using pthreads causes problems for portable linking. + * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around + using setreuid instead. + + -- Steve Langasek Sun, 26 Aug 2007 19:15:09 -0700 + +pam (0.79-4) unstable; urgency=medium + + * Medium-urgency upload; at least one RC bugfix, but also a + significant number of changes, hence not urgency=high. + * Move libpam-modules and libpam0g to Section: libs and libpam-runtime + to section: admin, to match the overrides in the archive. + * Move old changelog entries (well, entry) that don't follow the current + format to debian/changelog.old, since there's no way to figure out a + timestamp for an 8-year-old upload, and this is the most effective + way to clear a glut of lintian warnings. + * Fix the formatting of the libpam-cracklib package description. + * Patch 010: remove parts of the patch that aren't necessary for C++ + compatibility. + * Patch 060: fix a segfault in pam_tally caused by misuse of + pam_get_data(); already fixed upstream. Closes: #335273. + * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse) + of strdup (similar to patch 059). Already fixed upstream. + Closes: #327272. + * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs. + Closes: #352329. + * Patch 005: sync pam_limits with upstream: + - support "-" (unlimited) for all limit types except process priority. + - support the additional aliases "-1", "unlimited", and "infinity" for + clearing the limits; closes: #122400, #149027. + - restrict the range of process priority, login count, and system login + count settings to (INT_MIN,INT_MAX) (heh). + - special-case RLIM_INFINITY when applying multipliers to values from + the config. + - document maxsyslogins in the default limits.conf; closes: #149883. + - use the current process priority as a default instead of resetting to + 0; closes: #241663. + - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO + settings in Linux 2.6.12 and above; closes: #313542, #313588. + - allow imposing limits on uid=0. + * Patch 027: only set RLIM_INFINITY as the default for the limits where + we know this is sensible, so that recompiling in an environment with new + limits doesn't create a security hole -- as happened with RLIMIT_NICE and + RLIMIT_RTPRIO! Thanks to Ville Hallik for the initial patch. + Closes: #388431. + * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it + actually works -- which may well be a first... Closes: #318452. + + -- Steve Langasek Mon, 23 Oct 2006 05:36:08 -0700 + +pam (0.79-3.2) unstable; urgency=low + + * Non-maintainer upload to fix important bug, that makes passwd segfault + when CTRL-D is pressed at the password prompt. Applied the patch + provided by Dann Frazier. (Closes: #360657) + + -- Margarita Manterola Sat, 5 Aug 2006 02:11:22 -0300 + +pam (0.79-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Linux-PAM/libpamc/include/security/pam_client.h, + Linux-PAM/libpamc/pamc_converse.c: Apply patch from + latest upstream version to remove redefinition of internal + glibc/libstdc++ types. Closes: #344447. + + -- Roger Leigh Sun, 5 Feb 2006 21:46:59 +0000 + +pam (0.79-3) unstable; urgency=low + + * Patch 059 + - Fix a segfault in pam_userdb when the new "crypt=" option + is unset, as will be the case for all existing users; already fixed + upstream. Closes: #330829. + - Fix a memory leak in the same code due to gratuitous strdup()s. + * Further regression in pam_env: don't treat a missing /etc/environment + as a fatal error, either. Amend patch 058 accordingly. Closes: #330852. + + -- Steve Langasek Fri, 30 Sep 2005 01:17:53 -0700 + +pam (0.79-2) unstable; urgency=low + + The ".c.o: rm -rf $@" release + * Fix debian/rules so that make clean doesn't remove ./configure when the + timestamp on configure.in is newer (!). + * Switch pam_userdb from db3 to db4.3, which according to the libdb + maintainers should require no manual intervention for upgrading on-disk + database formats. Closes: #165068. + * Patch 058: yes, of course we want to read /etc/environment by + default. Grr! Revert upstream change which disables this for no + apparent reason (closes: #330458). + * Tweak selinux rootok code to use the version of the function call that + doesn't pollute namespace + + -- Steve Langasek Tue, 27 Sep 2005 02:44:36 -0700 + +pam (0.79-1) unstable; urgency=low + + * New upstream version (closes: #284954, #300775). + - includes some fixes for typos (closes: #319026). + - pam_unix should now be LSB 3.0-compliant (closes: #323982). + - fixes segfaults in libpam on config file syntax errors + (closes: #330097). + * Drop patches 000_bootstrap, 004_libpam_makefile_static_works, + 011_pam_access, 013_pam_filter_termio_to_termios, 017_misc_fixes, + 025_pam_group_conffile_name, 028_pam_mail_delete_only_when_set, + 033_use_gcc_not_ld, 034_pam_dispatch_ignore_PAM_IGNORE, + 035_pam_unix_security, 039_pam_mkhomedir_no_maxpathlen_required, + 041_call_bootstrap, 042_pam_mkhomedir_dest_not_source_for_errors, + 051_32_bit_pam_lastlog_ll_time, and + 053_pam_unix_user_known_returns_user_unknown which have been + integrated upstream. + * Merge one last bit of patch 053 into patch 043, where it should have + been in the first place + * Patch 057: SELinux support: + - add support to pam_unix for copying SELinux security contexts when + writing out new passwd/shadow files and creating lockfiles + - support calling unix_chkpwd if opening /etc/shadow fails due to + SELinux permissions + - allow unix_chkpwd to authenticate for any user when in an SELinux + context (hurray!); we depend on SELinux policies to prevent the + helper's use as a brute force tool + - also support querying user expiration info via unix_chkpwd + - misc cleanup: clean up file descriptors when invoking unix_chkpwd + (closes: #248310) + - make pam_rootok check the SELinux passwd class permissions, not just + the uid + - add new pam_selinux module (closes: #249499) + * Build-depend on libselinux1-dev. + * Fix pam_getenv, so that it can read the actual format of /etc/environment + instead of trying to read it using the syntax of + /etc/security/pam_env.conf; thanks to Colin Watson for the patch. + Closes: #327876. + * Set LC_COLLATE=C when using alphabetic range expressions in + debian/rules; bah, so *that's* what kept happening to my README file + when trying to build out of svn! Closes: #295296. + * Add a reference to the text of the GPL to debian/copyright. + + -- Steve Langasek Sun, 25 Sep 2005 22:08:20 -0700 + +pam (0.76-23) unstable; urgency=low + + * Fix Gcc 3.4 compilation, Closes: #259634 + * Note that pam.conf is not read if /etc/pam.d exists, Closes: #248928 + * Fix typo in pam_env.conf, Closes: #277633 + + -- Sam Hartman Sun, 10 Jul 2005 16:42:25 -0400 + +pam (0.76-22) unstable; urgency=medium + + * Add uploaders + * Document location of repository + * Fix options containing arguments in pam_unix, Closes: #254904 + + -- Sam Hartman Mon, 28 Jun 2004 14:28:08 -0400 + +pam (0.76-21) unstable; urgency=medium + + * Fix patch 055 again because -20 was broken and didn't actually fix the + problem. + + -- Sam Hartman Tue, 4 May 2004 21:37:38 -0400 + +pam (0.76-20) unstable; urgency=medium + + * Update to patch 55 to only check securetty when we are sure the + password is null, Closes: #243698 + * Medium urgency because the version now in testing has confusing and + verbose log messages. + * Include pam_getenv script which hopefully will be used by some people + somewhere for some purpose + + -- Sam Hartman Wed, 28 Apr 2004 22:51:18 -0400 + +pam (0.76-19) unstable; urgency=low + + * Oops, too busy testing the upgrade from woody to make sure the upgrade + from -16 to -18 worked. Thanks to all those who reported, + Closes: #243413 + + -- Sam Hartman Tue, 13 Apr 2004 16:08:54 -0400 + +pam (0.76-18) unstable; urgency=low + + * Manipulate conffiles to avoid unnecessary prompt in woody to sarge + upgrade, Closes: #218318 + + -- Sam Hartman Sat, 10 Apr 2004 18:10:35 -0400 + +pam (0.76-17) unstable; urgency=low + + * common-password now includes length restrictions and cracklib + examples, Closes: #227681, #237537 + * Patch 054: abstract out the logic from pam_securetty to determine if a + tty is in /etc/securetty into a library function + * Patch 55: Add nullok_secure option to pam_unix. If set, then null + passwords are accepted from terminals in /etc/securetty. + * common-auth now includes nullok_secure, Closes: #228114 + + + -- Sam Hartman Sun, 4 Apr 2004 23:10:11 -0400 + +pam (0.76-16) unstable; urgency=low + + * Patch 51 from the x86-64 folks to support 32-bit ll_time in + pam_lastlog even if time_t is 64-bits + * Don't call openlog in pam_unix (patch 52), Closes: #213566 + * Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506 + + -- Sam Hartman Tue, 23 Mar 2004 22:26:04 -0500 + +pam (0.76-15) unstable; urgency=low + + * Fix description of libpam-runtime, Closes: #209755 + * Fix description of libpam-cracklib, Closes: #210014 + * Depend on libc6-dev|libc-dev not libc6-dev, Closes: #212354 + * Clean up binaries, Thanks Russell, Closes: #212158 + * Depend on sufficiently new cracklib2-dev, Closes: #214092 + * Treate GNU/* as GNU for OS variable to make pam_limits compile, + (patch 050) Closes: #220980 + * No longer build-depend on latex2html, Closes: #221318 + * Allow : in tty specification for pam_group, (patch 048) Closes: #220439 + * Pull in locking patch from Linux-PAM CVS; this ended up causing + 021_pam_nis_locking to be reworked and that patch now no longer + contains locking fixes, but just NIS cleanup in general. See + 049_pam_unix_sane_locking for the locking changes, Closes: #220158 + + -- Sam Hartman Mon, 12 Jan 2004 02:23:59 -0500 + +pam (0.76-14) unstable; urgency=low + + * Pull in NMU diff from 13.1, Closes: #186011 + * Split out common-password into its own file, Closes: #207497 + * Make other a conffile again and update to @include stuff + * Add missing symlink, Closes: #196605 + * Remove undocumented manpages + * Update PAM mini-policy + + -- Sam Hartman Mon, 1 Sep 2003 18:08:54 -0400 + +pam (0.76-13.1) unstable; urgency=low + + * NMU with maintainer's permission. + * Add three new config files (/etc/pam.d/common-{auth,account,session}) + to libpam-runtime. Other packages which depend on libpam-runtime + can now @include these files from their own PAM configs. + * Convert /etc/pam.d/other from a conffile to a non-conffile config + file. Closes: #186011. + * Remove empty libpam-runtime.prerm script (debhelper will autocreate if needed) + + -- Steve Langasek Tue, 19 Aug 2003 19:41:03 -0500 + +pam (0.76-13) unstable; urgency=low + + * Nope, that dependency didn't work, so let's remove it. If we run into other module versioning issues, I now have an arm build environment to debug with. Closes: #198618 + + -- Sam Hartman Mon, 7 Jul 2003 00:22:34 -0400 + +pam (0.76-12) unstable; urgency=low + + * Fix group.conf example, (patch 046) Closes: #197080 + * Ignore module return value in jumps, (patch 045) Closes: #176693 + * Accept string value for chroot limit, thanks Andrei Pelinescu-Onciul, + Patch (047), Closes: #196903 + * Depend on libpam-modules instead of conflicting with older versions. + This creates a circular dependency between libpam0g and + libpam-modules. James says this works fine; we hope he's right. + Closes: #196949 + -- Sam Hartman Sat, 21 Jun 2003 17:19:29 -0400 + +pam (0.76-11) unstable; urgency=low + + * Don't allow db4 to satisfy build-depends because it doesn't actually + work, and sometimes building with it would be wrong. + * Don't depend on libpcap-dev on Debian BSD + * Conflict with old libpam-modules, Closes: #191906 + * Incorrect username should not be logged at alert (patch 43), + Closes: #175900 + * Patch to support FreeBSD (patch 44, thanks Robert), Closes: #191906 + + -- Sam Hartman Sat, 31 May 2003 19:55:26 -0400 + +pam (0.76-10) unstable; urgency=low + + * Don't double list conffiles, Closes: #190954 + * Only install example sources not executables, Closes: #185286 + * Display correct directory in error message for pam_mkhomedir, patch + 042 thanks to Akira TAGOH, Closes: #165240 + * Don't log EPERM when setting NOFILE limit as Linux doesn't let you + set that to -1, Closes: #180310 + * Add newline to end of distributed time.conf, Closes: #172229 + * Up our standards version and support noopt in DEB_BUILD_OPTIONS + + -- Sam Hartman Sat, 3 May 2003 22:28:37 -0400 + +pam (0.76-9) unstable; urgency=low + + * Fix pam_rhosts hurd patch so it actually works, Closes: #172914 + * Fix patch 040 not to clobber errno when logging the error fails, + Closes: #172186 + * Fix dependency for linuxdoc-tools, Closes: #173097 + + -- Sam Hartman Sun, 15 Dec 2002 17:10:58 -0500 + +pam (0.76-8) unstable; urgency=low + + * Have makefile appropriately depend on bootstrap-libpam + * Install pam minipolicy, Closes: #167798 + * Don't segfault if ttyname is null; this avoids the segfault but does + not actually make pam_issue useful for ssh. I believe the way + pam_issue works is fundamentally incompatible with what sshd expects + from PAM (patch 037), Closes: #153152 + * We actually fixed passwords containing , in 0.76-6, but failed to + document it. They do work, Closes: #164713 + * Note that /etc/pam.d/other is a fall back for each service + * Patches from Michal 'hramrach' Suchanek" to + make HURD work, Closes: #165066 (patch 038 and 039) + * Don't depend on gs and other doc prep tools for build-depends, just + build-depends-indep, Closes: #165065 + * Patch from Eric Anderson to log failures of + setrlimit (patch 040), Closes: #169836 + * Build pam_limits on hurd, Closes: #165190 + + -- Sam Hartman Sun, 24 Nov 2002 22:04:28 -0500 + +pam (0.76-7) unstable; urgency=low + + * Fix handling of pam_ignore in case where we're skipping modules; + update to patch 034 + + -- Sam Hartman Sun, 20 Oct 2002 21:49:22 -0400 + +pam (0.76-6) unstable; urgency=low + + * The "No, I don't think I actually want any of what upstream is + smoking" release + * If this were already in testing, this would be an severity emergency + upload + * pam_unix currently treats * in shadow file as no password not + disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659 + * OK, I think this actually fixes the rest of the manpage symlinks, + Closes: #163839, #164298 + * You don't want to use getlogin for pam_wheel because utmp may be wrong or for xterm have no entry, pull forward patch from the 0.72 packages (patch 036), Closes: #163787 + + -- Sam Hartman Tue, 15 Oct 2002 10:44:56 -0400 + +pam (0.76-5) unstable; urgency=low + + * Fix library links from 0.75 to 0.76 + * Ignore PAM_IGNORE in _pam_dispatch_aux (patch 34), Closes: #163841 + * Fix man page symlinks, Closes: #163839 + + -- Sam Hartman Fri, 11 Oct 2002 01:08:06 -0400 + +pam (0.76-4) unstable; urgency=low + + * Upstream correctly states that one should use gcc not ld when + linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711 + + * Remove experimental warning from readme, Closes: 163742 + + -- Sam Hartman Mon, 7 Oct 2002 23:45:53 -0400 + +pam (0.76-3) unstable; urgency=low + + * Oops, let's try building -fpic. This currently builds everything + -fpic which is somewhat wrong, but doing more than that requires + significant build system hacking (touch every makefile for dynamic + objects), so it will wait, Closes: #163600 + + -- Sam Hartman Sun, 6 Oct 2002 23:33:12 -0400 + +pam (0.76-2) unstable; urgency=low + + * Link against appropriate libraries so we find the symbols we need, + Closes: #162175 + * The if everyone's going to complain when I upload broken software to + experimental release, I might as well upload to unstable and give them + something worth actually complaining about release. + * Also the remove the scourge of dbs release + * Include patch 034 from the 0.72 packages, meaning that we've included + all the patches we need before release + * Reject the patch to pam_wheel as I cannot find out what reasonable + thing it was trying to do and it seemed broken + * libpam-cracklib should depend on wordlist so it actually works; + thanks Olaf Meeuwissen, + Closes: #112965 + * Merge build-depends and build-depends-indep because I'm a bad person + and was too lazy to make docs build in a separate pass. I'll deal in + a few versions. + + -- Sam Hartman Sun, 6 Oct 2002 18:52:13 -0400 + +pam (0.76-1) experimental; urgency=low + + * New upstream version + * Upstream includes fix to not break cron, Closes: 160566 + * New Upstream correctly handles priority < 0 for pam_limits, Closes: #126251 + * .cvsignores removed, Closes: #159961 + + -- Sam Hartman Sun, 22 Sep 2002 16:11:35 -0400 + +pam (0.75-3) experimental; urgency=low + + * Apply patch 027 pam_limits so that we initialize to wide open not + current limits. + * In pam_mail, don't complain about deleting environment variable if + we never set it, Closes: #58429 + * Don't set default max procs limit in pam_limits, Closes: #116874 + * libpam-runtime now arch all since it has no arch-specific files, + Closes: #132545 + * Update mini policy to reflect confusion on debian-devel + + -- Sam Hartman Tue, 16 Jul 2002 09:30:50 -0400 + +pam (0.75-2) experimental; urgency=low + + * Fix pam_userdb to build and to build against db3, fixes patch 020 + * Fix upstream makefile so pam_group has valid configuration, closes: #148657 + * time.conf reference to logoutd removed, closes: #143801 + * The static library contains all the appropriate symbols in this + version. You may find the complete lack of PAM modules somewhat + frustrating; currently the static pam library is only useful if you + register your own modules. Fixing this would require annoying hacking + on the upstream build system, closes: #103495 + * unix_chkpwd.8 typo fixes thanks to dancer@anthill.echidna.id.au, + Closes: #139949 + * Since we're working on the new upstream version, we also have the new docs, closes: #147763 + * Patch from Martin Schwenke to only change + passwords in pam_unix when they exist in the password file; hopefully + does not break NIS, closes: #135990 + * Another patch from Martin to return PAM_USER_UNKNOWN if we ever + actually do get into the password changing routine only to find that + we have no password to change, closes: #135604 + * .cvsignore no longer installed, closes: #120795 + * We're using debhelper 3, just in time to be obselete, Closes: #93414 + + -- Sam Hartman Sat, 8 Jun 2002 18:04:40 -0400 + +pam (0.75-1) experimental; urgency=low + + * Preliminary test packages + * New upstream version + * Hopefully works mostly the same as 0.72 except for upstream bug + fixes and for the fact that pam_limits is fairly broken right now. + * If it breaks you are lucky if you get to keep both pieces release. + + -- Sam Hartman Sat, 25 May 2002 22:57:57 -0400 + +pam (0.72-35) unstable; urgency=medium + + * Fix like_auth to make libpam-krb5 and libpam-heimdal actually useful, + patch from RISKO Gergely , closes: #126251 + + -- Sam Hartman Mon, 21 Jan 2002 15:20:22 -0500 + +pam (0.72-34) unstable; urgency=medium + + * Note that HOME may not be useful in pam_environment, closes: #109281 + * Don't smash case domains (groups/users) in pam_limits, closes: #119893 + * Remove double the from description, closes: #107705 + * Fix typo on mail message, closes: #119689 + * Medium since these are small fixes that should go into woody + + -- Sam Hartman Fri, 23 Nov 2001 21:24:20 -0500 + +pam (0.72-33) unstable; urgency=low + + * Fix pam_mail to look in /var/mail not /var/spool/mail, thanks mjb. + + -- Sam Hartman Thu, 11 Oct 2001 15:44:32 -0400 + +pam (0.72-32) unstable; urgency=medium + + * This should probably get into testing before freeze; medium. + * Patch from Volker Stolz to fix bug in previous pam_group patch, + closes: #111854 + + -- Sam Hartman Sat, 22 Sep 2001 06:32:29 -0400 + +pam (0.72-31) unstable; urgency=low + + * Add support for credential reinitialization in pam_group, closes: #108697 + + -- Sam Hartman Fri, 31 Aug 2001 13:16:39 -0400 + +pam (0.72-30) unstable; urgency=low + + * Include patch from robbe@orcus.priv.at to build pam_limits on hurd, + closes: #103556 + * Start installing limits.conf for hurd (may not work quite right) + + -- Sam Hartman Mon, 16 Jul 2001 09:35:51 -0400 + +pam (0.72-29) unstable; urgency=low + + * Correctly declare uint32 type for ia64, closes: #104584 + + -- Sam Hartman Sat, 14 Jul 2001 01:30:39 -0400 + +pam (0.72-28) unstable; urgency=low + + * Fix scanf string so pam_limits chroot works, closes: #100812 + * Only log unknown user at warning, not alert, closes: #95220 + * By default do complete matches not substring matches for pam_time. + You can include explicit wildcard for substring, closes: #66152 + + -- Sam Hartman Tue, 3 Jul 2001 17:31:45 -0400 + +pam (0.72-27) unstable; urgency=low + + * Fix typo in last patch + + -- Sam Hartman Mon, 25 Jun 2001 18:27:42 -0400 + +pam (0.72-26) unstable; urgency=low + + * Block SIGCHLD when calling unix password verification program, patch from mdz@debian.org, fixes pam part of #97977 + + -- Sam Hartman Mon, 25 Jun 2001 08:47:12 -0400 + +pam (0.72-25) unstable; urgency=medium + + * Depend on opensp, working around #89063, closes: #100125 + * This is urgency medium to get docs back into testing. + + -- Sam Hartman Fri, 8 Jun 2001 11:44:12 -0400 + +pam (0.72-24) unstable; urgency=low + + * New NIS double locking and root password patch from Philippe Troin + , fixes bug in unreleased patch submitted for + 0.72-23. Also improves changing root password so it does something; + ongoing discussion on whether this is right. + + -- Sam Hartman Mon, 21 May 2001 08:06:05 -0400 + +pam (0.72-23) unstable; urgency=low + + * Patch from Benoit Gaussen , Don't trim from , to end + of string in user input, only trim from salt + grabbed from passwd file, closes: #96779 + * Fix NIS double locking, closes: #96736 + + -- Sam Hartman Wed, 16 May 2001 15:46:34 -0400 + +pam (0.72-22) unstable; urgency=low + + * Fix pam.8 to be pam.7, closes: #92874 + + -- Sam Hartman Tue, 17 Apr 2001 23:04:04 -0400 + +pam (0.72-21) unstable; urgency=low + + * Don't depend on libcap for hurd, closes: #91998 + * Don't list scurity/limits.conf as a conffile for hurd + + -- Sam Hartman Mon, 9 Apr 2001 12:30:18 -0400 + +pam (0.72-20) unstable; urgency=low + + * Install pam-undocumented in -runtime not -dev, closes: #93063 + * Mark pam-runtime as replacing files from -dev in case you installed + -19 and have pam-undocumented in the wrong place + + -- Sam Hartman Fri, 6 Apr 2001 06:38:15 -0400 + + + +pam (0.72-19) unstable; urgency=low + + * New maintainer, closes: #92353 + * Install pam-undocumented; somehow it was not installed in -18 + + -- Sam Hartman Wed, 4 Apr 2001 21:32:17 -0400 + +pam (0.72-18) unstable; urgency=low + + * pam_securetty: log failed tty checks. Normally this was only done if + the "debug" option was on...do it regardless now, closes: #89390 + * Get rid of log message for when "root" is not applied to group checks. + closes: #88825 + * Add quiet option to pam_listfile, closes: #84428 + * pam(8) should be pam(7), pam.conf(8) should be pam.conf(5), closes: + #89322 + * Added groff to Build-Depends-Indep, closes: #88794 + + -- Ben Collins Sun, 25 Mar 2001 21:40:32 -0500 + +pam (0.72-17) unstable; urgency=low + + * Fixed login in pam_limits where the max logins could be ignored. + + -- Ben Collins Fri, 9 Mar 2001 09:14:48 -0500 + +pam (0.72-16) unstable; urgency=low + + * New pam limits cap patch from Topi Miettinen + , closes: #88401, #88406, #88525, #88399, + #86197 + * pwdb no longer used, closes: #59917 + * fix patch 023 for gethostbyname build failure, closes: #86156 + * Make sure unix_chkpwd gets installed as suid root, closes: #88519 + * Fix whatis parse of manpages, closes: #86203 + * pam_listfile, fix arg parsing when arg does not contain '=', closes: + #86070 + + -- Ben Collins Sun, 4 Mar 2001 22:45:58 -0500 + +pam (0.72-15) unstable; urgency=low + + * Doh, added build-depends for libcap, closes: #85352 + * Change section of libpam-cracklib from admin to libs to match + overrides. + + -- Ben Collins Fri, 9 Feb 2001 09:06:40 -0500 + +pam (0.72-14) unstable; urgency=low + + * Added fix to pam_access for gethostname decleration. closes: #82100 + * Just name the lib/security directory instead of all the modules + seperately for dh_movefiles. closes: #76119 + * Fix pam_env corruption, closes: #66849, #77229 + * Add patch to allow recursive /etc/skel copy in pam_mkhomedir, closes: + #67211 + * remove dh_suidregister call, added conflict for old suidregister + package + * Applied patch for Linux capabilities in pam_limits, closes: #74176 + * pam_issue.so works for me, without segv, and even with escapes. This + is with login. Note, things like pam_issue do not work with ssh simply + because ssh is not able to work in that way (does not support + arbiitrary conversations). So if you want it to work there, file a bug + on ssh, not on libpam-modules. closes: #77228 + * unix_chkpwd: check for NULL password, closes: #69960 + + -- Ben Collins Thu, 8 Feb 2001 11:06:03 -0500 + +pam (0.72-13) unstable; urgency=low + + * Fix grammar in pam_source.sgml, closes: #78959 + * pam_undocumented.7: Fix escaped 's, closes: #75987 + * Fix build ordering, closes: #71442, #80397, #77017 + * Applied Hurd patch, closes: #76119 + * Use gcc for linking, not ld. closes: #71941 + * Pretty sure this was fixed, closes: #67172 + * Applied spealang fixes to Debian-mini-policy. closes: #80249 + * Applied patch to allow devfs style terminal devices with pam_group, + closes: #77661 + * Could not reproduce, even using md5 passwords. User, if you still have + * this problem, you need to tell me with what service (login, which I + tested, sshd, telnet, etc...) and also send me the entire pam.d file + for that service. closes: #76087 + * Fixed awhile back, closes: #72858 + * Closing this since I am not going to include any modules in this + package that aren't in upstream. If someone else wants to package + these modules seperately, they can do so. closes: #69550 + * For correct usage, pam_wheel.so should be used with "sufficient" and + not "required". This is documented. If you use "required", then you + must also use the "trust" option, but that doesn't give you the + results you want. closes: #76236 + + -- Ben Collins Sun, 31 Dec 2000 05:38:23 -0500 + +pam (0.72-12) frozen unstable; urgency=low + + * Recompile against db2 for glibc change + * Add db2 to build-deps + + -- Ben Collins Wed, 27 Sep 2000 12:08:11 -0400 + +pam (0.72-11) frozen unstable; urgency=low + + * Removed all traces of pwdb in packages. libpwdb has been removed from + the archive. This means that the pam_pwdb and pam_radius modules are + no longer available (from the libpam-pwdb package). + * doc/modules/pam_wheel.sgml: Really spell out that being a member of a + group meands the user is listed in /etc/group, closes: #69242 + * doc/*: s/PAM_AUTHOK_RECOVERY_ERR/PAM_AUTHOK_RECOVER_ERR/g, + closes: #64473 + * pam_wheel: PAM does not distinguish it, the libc calls make the + distinction. The users gid is returned in their passwd info, while + getgrent() returns only the members of the group listed in /etc/group. + This is ok, because if it's really that important, you can actually + have it in both places. The fact that it's documented should suffice + in making this clear, closes: #69236 + * Sorry, but seperate modules generally need to be packaged seperately. + I don't want to overload this package with everyone's pet module, so I + have to put my foot down, closes: #61759 + * Actually, I'm going to move in Woody to make packages depend more on + the defaults in /etc/pam.d/other, so that admins have less to + maintain. For one, all packages should not have a password service + listed, closes: #70000 (YAY! I got the 70k rollover bug number!) + * Sorry, I can't include this. "," is a legitimate char in a password + salt/hash. If you can code up something that is super intelligent + about lenghts of the field, I can go for it, maybe, closes: #59459 + * modules/pam_limits: Added chroot feature patch, closes: #61090 + * modules/pam_access: Allow last field to contain ':', closes: #67291 + * modules/pam_limits: Allow explicit limits for root, closes: #62448 + * modules/pam_unix: Do not zero old/new password fields, libpam does + this itself, and doing so in the module breaks stacking, + closes: #66270 + * modules/pam_group: Allow alpha *and* numeric in tty field (duh), + closes: #63752 + * modules/pam_access: Enable NIS, closes: #64854 + * libpam0g-dbg: removed, useless anyway + + -- Ben Collins Wed, 30 Aug 2000 18:39:32 -0400 + +pam (0.72-10) frozen unstable; urgency=low + + * Update build depends + * Fixed logic for showing non-existent user names when auth failed in + pam_unix.so, closes: #67786 (thanks to Jim Breton for being patient in + helping track this down). It would sometimes show them, even if we + didn't want to. + + -- Ben Collins Thu, 27 Jul 2000 09:17:08 -0400 + +pam (0.72-9) frozen unstable; urgency=low + + * pam_unix: do not call obscure_msg() of pass_old is NULL, + closes: #65321 + * pam_access: check for from[0] == '\0' so that tty logic is actually + used, closes: #65401 + + -- Ben Collins Wed, 14 Jun 2000 11:38:35 -0400 + +pam (0.72-8) frozen unstable; urgency=low + + * Build depends added in previous version, closes: #60817, #61439 + * Allow use of ":0" in group.conf, closes: #61966 + * Added syslog entry to notify that a user succesfully changed their + password, closes: #61724 + * Make pam_unix compatible with HP-UX style NIS+ password information, + patch from ldaffner@rsn.hp.com, closes: #61942 + * If "audit" is not enabled, don't let pam_unix print the names of + unknown users for auth attempts, closes: #61942 + * Fixed ttyname() parsing in pam_access to match that of the old shadow + access.conf s,/dev/,, closes: #61644 + * Set some sane defaults for pam_limits.so instead of carrying over + potentially bad defaults, patch from Peter Paluch + closes: #63230 + * Allow explicit (e.g. specified specifically for) limits for root, + patch from Topi Miettinen , closes: #62448 + * Added information to time.conf about logoutd, which is now enabled via + this file. + * cracklib maintainer claims this isn't a bug, closes: #54180 + * fixed control syntax handling which was causing segfaults, closes: #62237 + + -- Ben Collins Sat, 29 Apr 2000 11:39:59 -0400 + +pam (0.72-7) frozen unstable; urgency=low + + * pam_limits: fix parsing of users which explicitly removes limits, + closes: #59911, #60287 + * Added build-depends + + -- Ben Collins Mon, 20 Mar 2000 16:06:28 -0500 + +pam (0.72-6) frozen unstable; urgency=low + + * Remove conflict for libpam0g-util from libpam0g and put it in + libpam-runtime. This should fix a problem with upgrades that apt + experiences, closes: #58677 + + -- Ben Collins Mon, 28 Feb 2000 14:05:28 -0500 + +pam (0.72-5) frozen unstable; urgency=low + + * Added obscure password checks to pam_unix. Required for shadow to be + able to emulate the pre-PAM setup (referenced in a bug on passwd). + * Applied patch from #57800 to fix NIS/NIS+ shadow accounting checks, + closes: #57800, #58164 + * Fixed two typos in the PAM System Administrators Guide, + closes: #56578, #56587 + + -- Ben Collins Mon, 28 Feb 2000 10:58:09 -0500 + +pam (0.72-4) frozen unstable; urgency=low + + * unix_chkpwd: check for NULL on stdin aswell as 0 reads, closes: #56375 + * pam_unix/Makefile: removed bashism, closes: #56370 + * fixed in shadow upload, closes: #49832 + + -- Ben Collins Sat, 29 Jan 2000 00:27:28 -0500 + +pam (0.72-3) unstable; urgency=low + + * Added cpluplus wraps in all the headers, closes: #53653 + + -- Ben Collins Sun, 2 Jan 2000 15:15:40 -0500 + +pam (0.72-2) unstable; urgency=low + + * Well, this is an odd one. A recompile fixes it. So it must have been a + problem from linking with 0.71 when this is version 0.72. All of this + build daemons seem to have compiled the latest 0.72, so this should be + resolved after this gets recompiled on all of them, closes: #51619, #49584 + * This is from a very old version (0.56) of libpam0. It is not relevant + to the latest version, closes: #47162 + + -- Ben Collins Sun, 26 Dec 1999 09:10:13 -0500 + +pam (0.72-1) unstable; urgency=low + + * New upstream source release, lots of patches merged upstream (thanks + Andrew). + * libpam-doc: now provides pam-doc, closes: #45631 + * cleanups to the build system + * shlibs.local: bumped shlib deps + + -- Ben Collins Tue, 14 Dec 1999 11:17:36 -0500 + +pam (0.71-3) unstable; urgency=low + + * Debian-PAM-MiniPolicy: new document describing how PAM is implemented + in Debian + + -- Ben Collins Fri, 26 Nov 1999 17:26:40 -0500 + +pam (0.71-2) unstable; urgency=low + + * pam_listfile: lstat -> stat, closes: #49833 + * pam_tally: install the pam_tally program, closes: #50314 + * debian/control: libpam-modules, replaces libpam0g-util, closes: #50716 + + -- Ben Collins Thu, 25 Nov 1999 21:02:23 -0500 + +pam (0.71-1) unstable; urgency=low + + * New upstream release, merges lots of patches from the Debian source, + also merges the pam_{motd,mkhomedir,issue} modules into the main + source. Lots of minor bugs fixed, and compiler warnings + * pam_mail: Reimplemented the authentication handlers, so now this works + as both (changes nothing in Debian, but was required to get the patch + accepted upstream) + * general: Lots of small edits to fix compiler warnings + * pam_userdb: fixed potential usage of an unitialized value as + PAM_AUTHTOK, doesn't look particularly exploitable, but better safe + than sorry + + -- Ben Collins Mon, 8 Nov 1999 19:21:52 -0500 + +pam (0.70-4) unstable; urgency=low + + * pam_wheel/pam_wheel.c: change to use getpwuid(getuid()) by default, so + avoid the problems associated with getlogin() + + -- Ben Collins Mon, 1 Nov 1999 13:33:10 -0500 + +pam (0.70-3) unstable; urgency=low + + * Applied patch from Herbert Xu to enable PAM_CONV_AGAIN support in + pam_ftp, closes: #47288 + + -- Ben Collins Wed, 13 Oct 1999 13:25:21 -0400 + +pam (0.70-2) unstable; urgency=low + + * 100_pam_pwdb_security_fix: new patch fixes security problem with + regard to NIS accounts + + -- Ben Collins Wed, 13 Oct 1999 11:42:41 -0400 + +pam (0.70-1) unstable; urgency=low + + * New upstream release + * Seems there were a lot of fixes merged/matches upstream, looks good, + (maybe it's time I start sending my patches in, since the maintainer + is active again). + * libpamc: new library (libpam client library), this actually used to be + in the Debian packages for a few versions, but it was removed upstream. + Guess what, it's back :) + + -- Ben Collins Sun, 10 Oct 1999 01:07:43 -0400 + +pam (0.69-11) unstable; urgency=low + + * {pwdb,unix}_chkpwd.8: fixed format to get rid of "no whatis" warnings + from mandb, closes: #47004 + * pam_unix.sgml: new file, documents the pam_unix.so module, + closes: #46511 + + -- Ben Collins Sat, 9 Oct 1999 12:41:58 -0400 + +pam (0.69-10) unstable; urgency=low + + * libpam/pam_item.c: fixed debug message being in wrong place + * 013_pam_issue: new patch, provides issue file parsing for PAM + applications (helps to replace lost functionality in login). + + -- Ben Collins Wed, 6 Oct 1999 20:30:17 -0400 + +pam (0.69-9) unstable; urgency=low + + * Fix typo in pam_mail.so module's "no" return + + -- Ben Collins Sun, 3 Oct 1999 15:08:56 -0400 + +pam (0.69-8) unstable; urgency=low + + * docs/modules/pam_mkhomedir.sgml: Fixed module name + * changed build system structure + * libpam/Makefile: add -lcrypt to the linked libs, closes: #46104 + * increase shlib deps to 0.69-7, closes: #45801 + * pam_motd.c: close motd file after reading, closes: #46122 + * pam_motd.c: fix setting \0 in the wrong place when motd file is + zero length, closes: #45686, #45632 + * pam_unix_acct.c: allow '0' to denote disabled for some expiry fields + since chage(1) documents it this way, closes: #45446 + * pam_mail.c|modules/pam_mail.sgml: added 2 options, one "standard" to + give the old style "You have ..." response and "quiet" which only + reports new mail for both formats, documented both options, + closes: #45670 + * with the new pam_unix module, this bug is fixed, closes: #42230 + * pam_limits.c: make sure that we not only ignore limits on root, we + also remove them just in case we are su'ing from a limited user to + the root account (since as root they can remove the limits anyway), + closes: #35302 + + -- Ben Collins Sun, 3 Oct 1999 12:07:28 -0400 + +pam (0.69-7) unstable; urgency=low + + * debian/rules: fixed module_check + * pam_env/pam_env.c: fixed env parsing to include values wrapped in '' + and also allow continued lines with a trailing '\'. + * pam_motd,pam_mail: converted to session modules, so that they could + be ordered with the lastlog module + * updated default pam.d/login to reflect above change (now login looks + the same as the non-PAM version, lastlog, then motd, and then mail + check) + * pam_motd: removed extraneous \n from output + * modules/pam_limits/pam_limits.c: Fixed parsing of lines with only + "domain -", which was documented as being able to get rid of limits + for that user or group. + * debian/control: (libpam-cracklib) Added depends for cracklib-runtime, + closes: #45488 + * modules/pam_env.c: Fixed /etc/environment parsing causing segfaults on + long lines, closes: #45408 + + -- Ben Collins Sun, 19 Sep 1999 13:50:40 -0400 + +pam (0.69-6) unstable; urgency=low + + * Install unix_chkpwd suid root, it's needed for NIS to work without + modification to the binary. + * modules/pam_limits/pam_limits.c: hmm, some how I got a strange broken + patch left over from the source upgrade...removed all but the pwdb + purging, closes: #45088 + * modules/pam_env/pam_env.c: Changed to a debug message, instead of a + syslog message when /etc/environment does not exist. + + -- Ben Collins Wed, 15 Sep 1999 04:25:21 -0400 + +pam (0.69-5) unstable; urgency=low + + * Removed libpam0g's preinst check for full paths in the pam.d files, + this should really be a lintian check at build (i think the old libpam + could not work like this, but hey...things change for the better some + times. This PAM works fine like that). closes: #45001 + +NOTE: Debian packages should not reference modules by the full path + so they don't break if I ever decide to move the modules to a different + default directory. Only the admin should reference full paths and only + for locally installed modules. I have submitted a request to check for + this in lintian along with a few other devious things. + * debian/patches/008_pam_mkhomedir: Fix title of sgml doc + * modules/pam_userdb/Makefile: added patch for building against glibc 2.0 + (request from Roman Hodek), closes: #45064 + + -- Ben Collins Tue, 14 Sep 1999 06:12:34 -0400 + +pam (0.69-4) unstable; urgency=low + + * Link all dynamic modules with libpam. For some reason, alpha doesn't + like it when we don't + + -- Ben Collins Mon, 13 Sep 1999 06:01:40 -0400 + +pam (0.69-3) unstable; urgency=low + + * doc/modules/pam_cracklib.sgml: changed to correct path for + cracklib_dict reference. + * modules/pam_env/pam_env.c: now groks bash style env's from + /etc/environment to be compatible with other programs that use it. + * modules/pam_securetty/pam_securetty.c: don't just plain fail when + root isn't allowed to login, fake a password request just like any + good auth module would. Keeps us from letting them know that they + are doing something bad :) + * modules/pam_{motd,mkhomedir}: merged these two modules into this + source, also wrote corresponding sgml files for libpam-doc, + closes: #40754 + * debian/control: Moved libpam0g, libpam-modules and libpam-runtime + to base with required priority since login depends on them and + policy will require this + + -- Ben Collins Sat, 11 Sep 1999 08:06:02 -0400 + +pam (0.69-2) unstable; urgency=low + + * Modified build so that it uses libs and headers in the build tree + rather than on the local system. This involved changint the build + order slightly and should make it easier to compile on new archs. + * Modified pam_limits so that it was invoked during pam_sm_setcred() + instead of during pam_sm_session_open() so that it will work with + shadow's su. + * Fixed missing symbols in libpam.so, they were caused by it thinking + it was supposed to have static modules built in. + * Fixed problem where libpam was getting built with -DDEBUG + * pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640 + instead of 0.0 and 0600 + * unix_chkpwd: fix it not being sgid shadow + + -- Ben Collins Thu, 9 Sep 1999 13:52:01 -0400 + +pam (0.69-1) unstable; urgency=low + + * New upstream source + - Now with a new and improved pam_unix module, closes: #38631 + - Lot's of documentation cleanups + * Converted build system to dbs (doogie's build system, aka Adam Heath) + * Fixed libpam.so compilation so that it did not link with any of the + modules (this was causing lot's of problems, closes; #43913, #40739 + * modules/pam_ftp/pam_ftp.c: Fixed sizeof, to use strlen, + closes: #44054, #41845, #44142, #39129, #39871, #44412 + * Postscript pages are now generated correctly, closes: #41608 + * Moved to FHS compliance (including use of debhelper 2.0.40), + this also raises the policy version to 3.0.1.1 + * Don't check the paths in /etc/pam.d files anymore. This is old + and causes nothing but complaints, closes: #39747 + * Build libpam0g-dbg with debuggable static and shared libraries, also + enabled the internal DEBUG_REL compile flag for these so that the + debugging messages will also be output + + -- Ben Collins Tue, 7 Sep 1999 17:45:20 -0400 + +pam (0.66-10) unstable; urgency=low + + * Added ability for pam_env to parse /etc/environment and updated + docs to reflect it + * Applied patch for pwdb_chkpwd man page, closes: #38976 + * Merged pam_unix_*.so modules into one pam_unix.so with symlinks + for backward compatibility. This helps centralize this module the + same way the pam_pwdb.so is and the way pam_unix.so is on other + operating systems (commercial ones specifically). + * Closed by pam-apps upload, closes: #38632 + * Fixed `sgml2latex' syntax, closes: #39119 + * Added doc-base support, closes: #37627 + + -- Ben Collins Wed, 16 Jun 1999 01:20:23 -0400 + +pam (0.66-9.1) unstable; urgency=low + + * SPARC NMU to fix chown symbols when compiling with glibc 2.1.1 + + -- Ben Collins Tue, 11 May 1999 13:33:33 +0000 + +pam (0.66-9) unstable; urgency=low + + * Changed the debian/rules to not mess with the library symlinks (ie + running ldconfig in the lib dir) and all is well, closes: #36169 + + -- Ben Collins Sun, 18 Apr 1999 09:09:51 -0400 + +pam (0.66-8) unstable; urgency=low + + * Compiled with libpam_client.so now (seperate lib in libpam0g) + * Made regex for libpam0g postinst a little more specific so it + didn't flag false problems. closes: #34626 + * Applied patch to fix pam_ftp, closes: #35388 + * Modified pam_mail and pam_lastlog to honor PAM_SILENT in order to + enable apps to use hushlogin/PAM_SILENT + * Fixed problem with libpam_client.so being static + + -- Ben Collins Mon, 15 Mar 1999 20:54:23 -0500 + +pam (0.66-7) unstable; urgency=low + + * Fixed XCASE in pam_filter.c (not really in glibc 2.1 by default) + + -- Ben Collins Sat, 6 Mar 1999 18:46:56 -0500 + +pam (0.66-6) unstable; urgency=low + + * Removed empty /lib/security/ from libpam0g (is created in + libpam-runtime) + * Added a depends for libpam-runtime to libpam0g (was supposed to be + there, must have deleted it) + * Removed empty /usr/bin from libpam-runtime (old directory where + upperLOWER was) + + -- Ben Collins Wed, 24 Feb 1999 13:14:25 -0500 + +pam (0.66-5) unstable; urgency=low + + * Removed harcoded libc6 dependency from libpam0g-dev and changed it to + libc6-dev. closes: #33615 + * Added md5 flag for pam_unix_passwd.so + * Removed upperLOWER program since it is just an example. Moved it's + source to the examples directory in libpam-modules + * Fixed documentation of pam_strerror() and examples. closes #31142 + * Made pam_unix_passwd.so leave /etc/shadow mode 640 and root.shadow + after changes + * Fixed problem in pam_unix_auth that didn't let you su from a normal + user to another normal user (ie. neither one was root) + * Closing misc fixed bugs. closes #32809, #32274 (have been fixed, + just need closing) + * Tested lockvc with pam support, works for normal users (pam_pwdb) + closes: #31150 + * Changed /var/log/wtmp in pam_lastlog docs to reflect correct + /var/log/lastlog file. closes: #26544 + * Added -ldl to libpam.so, so apps don't have to + + -- Ben Collins Fri, 19 Feb 1999 18:47:30 -0500 + +pam (0.66-4) unstable; urgency=low + + * Changed pwdb_chkpwd to sgid shadow instead of suid root since it only + needs read permissions to /etc/shadow and not write. + * Moved a lot of files arouns to get rid of libpam-runtime dependencies + * Put libpam-pwdb into it's own package + * Removed -lpwdb links for modules since libpwdb is somewhat buggy (or + alteast it's interaction with libpam is) + * Fixed bug in pam_unix_passwd.so that caused it to never authenticate + the correct passwd, making it so you couldn't change the passwd + + -- Ben Collins Tue, 16 Feb 1999 15:50:28 -0500 + +pam (0.66-3) unstable; urgency=low + + * Fixed defaults in /etc/pam.d/other to be pam_unix_*.so modules instead + of the accidental pam_pwdb.so module + * Fixed suid of pwdb_chkpwd (had to move dh_fixperms after + dh_suidregister) + * Added Replaces: libpam0g-util in order to help dpkg upgrade from + older packages + * Applied glibc 2.1 patch from Christian Meder. closes: #32809 + * Moved libpam-doc to Section doc. closes: #32274 + + -- Ben Collins Fri, 12 Feb 1999 02:01:43 -0500 + +pam (0.66-2) unstable; urgency=low + + * Removed all of the versioned module stuff. Modules are now in + /lib/security and stay there. Seems after discussion, that modules may + not change as often as thought + * Fixed suidregister for pwdb_chkpwd + * Fixed incomplete descriptions in control file + * This is a kludge to close some bugs since the last upload was yanked + before being installed in the archive, closes: #16882, #30862, #7725, + #10234, #10406, #12210, #14291, #15528, #15529, #20660, #25330, + #29868, #31088, #31128, #9131, #9919, #19383, #5132, #14533, #25915, + #28075, #31548, #31191 + + -- Ben Collins Tue, 2 Feb 1999 12:47:25 -0500 + +pam (0.66-1) unstable; urgency=low + + * New maintainer + * New upstream release. closes: #16882, #30862, #7725 + * Created a better split of the main lib and the runtime to kill the + circular dependencies and make it possible to have two .so version of + the library installed for upgrades. closes: #10234, #10406, #12210, + bug #14291, #15528, #15529, #20660, #25330, #29868, #31088, #31128, + bug #9131, #9919. + * Harcoded modules directory prefixed with the .so version, and + used alternatives to create the symlink to the 'default' modules + directory. libpam will use the full path when specified, but use the + versioned modules directory for relative names. + * Put libpam0g-cracklib modules back in (own package). This means that + cracklib support is _not_ in the static libpam.a, also cracklib + support is _not_ in pam_unix_passwd.o, but only in pam_cracklib.so + by itself. + * Fixed a few typos in the source causing compile errors + * Fixed source #include's so that pam _didn't_ have to be installed + in order to compile the source ( changed from <> to "" ) + * Removed empty directories from built packages + * Opted not to build examples, only going to put *.c files in examples + directory for libpam0g-dev + * Moved *.sgml files for modules into their own directory (looks like + that is what the original maintainer wanted to do, but it didn't go) + * Moved doc build to arch-indep build in rules so that it doesn't get + built when specifying -B with debuild/dpkg-buildpackage. + * Moved `touch .quiet...' to build-stamp in order to have -B builds not + ask about pam.conf + * Split out non-standard modules to their own package, so as to make the + base install smaller (planning for base inclusion here) + * Created small manpage for pwdb_chkpwd. closes: #10941 + * The Copright file in /usr/doc/*/ was already named copright and not + compressed. closes: #14533 + * Package is now lintian clean. closes #19383, #5132 + * There is a maintainer now and the patch for #25915 is still included + so.... closes: #25915 + * Added check for editor backup files in /etc/pam.d (*~). closes: #28075 + * Applied patch for md5.h in pam_pwdb module. closes: #31548 + * Added support for dhelp in libpam-doc. closes: #31191 + + -- Ben Collins Wed, 20 Jan 1999 07:09:15 -0500 + +pam (0.65-0.8) frozen unstable; urgency=high + + * Marked PAM as orphaned, given that there has been no maintainer upload + in almost two years. + * [defs/debian.defs] Removed superflous cracklib2 dependency. + (Urgent as cracklib still has release-critical bugs). + (Fixes #30862). + + -- J.H.M. Dassen (Ray) Wed, 20 Jan 1999 09:34:35 +0100 + +pam (0.65-0.7) frozen unstable; urgency=high + + * Fixed security vulnerability in the pam_unix and pam_tally modules + (reported by Michal Zalewski on bugtraq; patch + A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin). + + -- J.H.M. Dassen (Ray) Tue, 29 Dec 1998 16:20:18 +0100 + +pam (0.65-0.6) unstable; urgency=high + + * Fixed distribution of files over the various packages, which was + severely messed up. + * Added appropriate Replaces: to ensure upgrading from both the hamm + version and previous slink versions. + * Fixed debug libraries, PAM module loading. + * Added examples. + * Added a "pam-undocumented" manpage pointing to libpam-doc, and + made links for functions without a manpage to that. + + -- J.H.M. Dassen (Ray) Sun, 11 Oct 1998 19:29:40 +0200 + +pam (0.65-0.5) unstable; urgency=low + + * Rewritten the preinst warning text (it still mentioned the search path). + + -- J.H.M. Dassen (Ray) Fri, 9 Oct 1998 14:23:18 +0200 + +pam (0.65-0.4) unstable; urgency=high + + * It looks like I misunderstood DEFAULT_MODULE_PATH: Linux-PAM does not + currently seem to be easily configured to look for modules in more than + one directory. With this version, it's configured to look only in + /lib/security . + + -- J.H.M. Dassen (Ray) Fri, 9 Oct 1998 11:43:34 +0200 + +pam (0.65-0.3) unstable; urgency=medium + + * Moving the PAM modules to /lib/security broke netatalk. + Added a preinst script to detect /etc/pam.d files with explicit paths to + PAM modules, give a warning about them, and offer to abort the install + (Fixes #27514). + + -- J.H.M. Dassen (Ray) Tue, 6 Oct 1998 20:10:43 +0200 + +pam (0.65-0.2) unstable; urgency=low + + * Argh. The tools didn't recognise -0.1 as a new upstream release, so + my previous upload was rejected due to a missing .orig.tar.gz . + + -- J.H.M. Dassen (Ray) Sun, 4 Oct 1998 17:15:09 +0200 + +pam (0.65-0.1) experimental; urgency=low + + * New upstream version. + * Non-maintainer upload. + * Major package overhaul; now uses debhelper. + * In experimental for now. *Please* provide feedback; if the feedback is + positive, we can put this in slink. + * Dropped libc5 support. + * [libpam/pam_static.c] Fixed compilation: "pamh" was undefined; use "NULL". + is this the correct fix? + * [defs/debian.defs] New. + * [Makefile] + * Exit when a make in a subdirectory fails. + * Compile statically too. + * New variables: LC, LP, LPLIBS, DEFAULT_MODULE_PATH . + * [libpam/Makefile] + * Use DEFAULT_MODULE_PATH if nonempty. + * Link libpam against LPLIBS. + * [modules/*/Makefile] + * Link the dynamic security objects against libpam and libc + (LP and LC). + * [modules/pam_pwdb/Makefile] + * Link dynamic security objects against libcrypt and libnsl. + * [conf/install_conf] Allow for non-interactive install (as the other + install_conf scripts already did). + * Automatically determine the list of /etc/security/* conffiles. + * Moved libpam to /lib, and PAM modules to /lib/security as they will + become part of the base system in the future. + * Built without cracklib support, to keep the base system smaller. + * /sbin/pwdb_chkpwd is undocumented, as is upperLOWER. + + -- J.H.M. Dassen (Ray) Fri, 2 Oct 1998 20:23:27 +0200 + +pam (0.57b-0.4) unstable; urgency=high + + * Non maintainer upload + My previous upload had removed the libc5 stuff from the controlfile + messing up things. Change 'Architecture: any' to 'i386 m68k' for those + .deb's instead. + + -- Turbo Fredriksson Thu, 20 Aug 1998 20:06:50 -0400 + +pam (0.57b-0.3) unstable; urgency=high + + * Non maintainer upload + On a glibc2.1 system, XCASE is only defined in the + _IF_ '__USE_MISC' or '__USE_UNIX98' is defined. + + -- Turbo Fredriksson Sun, 16 Aug 1998 22:13:45 -0400 + +pam (0.57b-0.2) unstable; urgency=high + + * Yet another non-maintainer release. + * Zero changes; simply a re-upload due to a rm-trigger happy release + ``manager''. + + -- James Troup Tue, 17 Mar 1998 19:55:16 +0100 + +pam (0.57b-0.1) unstable; urgency=medium + + * Non-maintainer release. + * debian/control (Standards-Version): Updated to 2.4.0.0. + * debian/control (libpam0g-dev): Also conflict with libpam-dbg. + * debian/postinst: use case statement instead of if. + * debian/rules (COMPAT_ARCHES): removed sparc. + * debian/rules (binary-libc6-dev, binary-libc5-altdev): strip static libraries with + --strip-debug, not --strip-unneeded. + * debian/rules: each package now has it's own doc directory under + /usr/doc/, containing at least the copyright file (Policy 5.6). + * debian/rules: install files with `install -m 644' not `cp -p' to avoid + read-only files. + * debian/rules (binary-libc6-util): strip /usr/lib/*/security/*.so with + --strip-unneeded. + * debian/rules (binary-libc5-util): ditto. + * debian/rules (binary-libc5): don't depend on binary-libc5. + + -- James Troup Sat, 7 Mar 1998 18:04:19 +0100 + +pam (0.57b-0) unstable; urgency=medium + + * Non-maintainer release. + * New upstream version. + * Doesn't use pristine upstream source as the upstream tar ball is broken. + * Added libc6 libraries libpam0g, libpam0g-dev, libpam0g-dbg and + libpam0g-util. [#11697] + * libpam-dev becomes libpam0-altdev, libpam-util -> libpam0-altutil and + libpam-dbg is removed. + * libpam0 depends on libpam0g because libpam0g contains the pam conffile. + * libpam0-util depends on libpam0g-util because libpam0g contains the binary. + * Compiled with -D_REENTRANT and link with -lc. + * Fixed permissions on shared libraries. + * Corrected syntax of /etc/pam.d/other. [#10497, #10758, #12030] + * Fixed typos in postinst. [#10474, #11365] + * Made /etc/pam.conf a conffile. + * Updated URL in copyright file. + * Removed over-zelaously installed README* files from libpam-doc. + + -- James Troup Sat, 22 Nov 1997 17:54:30 +0100 + +pam (0.56-2) unstable; urgency=low + + * Added /etc/pam.d/other with policy 'deny'. + * Add manual pages for PAM security modules. + + -- Klee Dienes Sat, 15 Mar 1997 22:33:22 -0500 + +pam (0.56-1) unstable; urgency=low + + * New upstream release. + * Converted to new packaging format. + * Reorganization of package structure (-dev, -dbg, etc). + + -- Klee Dienes Sat, 8 Mar 1997 01:21:17 -0500 -- cgit v1.2.3