Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 433
1 files changed, 433 insertions, 0 deletions
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..ca436ba
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,433 @@
+Linux-PAM NEWS -- history of user-visible changes.
+
+Release 1.5.2
+* pam_exec: implemented quiet_log option.
+* pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs.
+* pam_timestamp: changed hmac algorithm to call openssl instead of the bundled
+ sha1 implementation if selected, added option to select
+ the hash algorithm to use with HMAC.
+* Added pkgconfig files for provided libraries.
+* Added --with-systemdunitdir configure option to specify systemd unit
+ directory.
+* Added --with-misc-conv-bufsize configure option to specify the buffer size
+ in libpam_misc's misc_conv() function, raised the default value for this
+ parameter from 512 to 4096.
+* Multiple minor bug fixes, portability fixes, documentation improvements,
+ and translation updates.
+
+Release 1.5.1
+* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
+ doesn't exist and root password is blank
+* pam_faillock: added nodelay option to not set pam_fail_delay
+* pam_wheel: use pam_modutil_user_in_group to check for the group membership
+ with getgrouplist where it is available
+
+Release 1.5.0
+* Multiple minor bug fixes, portability fixes, and documentation improvements.
+* Extended libpam API with pam_modutil_check_user_in_passwd function.
+* configure: added --disable-unix option to disable build of pam_unix module.
+* pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
+* pam_limits: added support for nonewprivs item.
+* pam_motd: read motd files with target user credentials skipping unreadable ones.
+* pam_pwhistory: added a SELinux helper executable.
+* pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
+* pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
+* Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project)
+ or pam_pwquality (from libpwquality project) instead.
+* Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
+* pam_env: Reading of the user environment is deprecated and will be removed
+ at some point in the future.
+* libpam: pam_modutil_drop_priv() now correctly sets the target user's
+ supplementary groups, allowing pam_motd to filter messages accordingly
+
+Release 1.4.0
+* Multiple minor bug fixes and documentation improvements
+* Fixed grammar of messages printed via pam_prompt
+* Added support for a vendor directory and libeconf
+* configure: Added --enable-Werror option to enable -Werror build
+* configure: Allowed disabling documentation through --disable-doc
+* pam_get_authtok_verify: Avoid duplicate password verification
+* pam_cracklib: Fixed parsing of options without arguments
+* pam_env: Changed the default to not read the user .pam_environment file
+* pam_exec: Require a user name to be specified before the command is executed
+* pam_faillock: New module for locking after multiple auth failures
+* pam_group, pam_time: Fixed logical error with multiple ! operators
+* pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
+* pam_lastlog: Do not log info about failed login if the session was opened
+ with PAM_SILENT flag
+* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
+* pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
+ limit
+* pam_mkhomedir: Fixed return value when the user is unknown
+* pam_motd: Export MOTD_SHOWN=pam after showing MOTD
+* pam_motd: Support multiple motd paths specified, with filename overrides
+* pam_namespace: Added a systemd service, which creates the namespaced
+ instance parent directories during boot
+* pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
+* pam_selinux: Check unknown object classes or permissions in current policy
+* pam_selinux: Fall back to log to syslog if audit logging fails
+* pam_setquota: New module to set or modify disk quotas on session start
+* pam_shells: Recognize /bin/sh as the default shell
+* pam_succeed_if: Fixed potential override of the default prompt
+* pam_succeed_if: Support lists in group membership checks
+* pam_time: Added conffile= option to specify an alternative configuration file
+* pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
+* pam_umask: Added new 'nousergroups' module argument and allowed specifying
+ the default for usergroups at build-time
+* pam_unix: Added 'nullresetok' option to allow resetting blank passwords
+* pam_unix: Report unusable hashes found by checksalt to syslog
+* pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable
+* pam_unix: Support for (gost-)yescrypt hashing methods
+* pam_unix: Use bcrypt b-variant when it bcrypt is chosen
+* pam_usertype: New module to tell if uid is in login.defs ranges
+* Fixed and documented possible values returned by pam_get_user()
+* Added new API call pam_start_confdir() for special applications that
+ cannot use the system-default PAM configuration paths and need to
+ explicitly specify another path
+* Deprecated pam_cracklib: this module is no longer built by default and will
+ be removed in the next release, use pam_passwdqc (from passwdqc project)
+ or pam_pwquality (from libpwquality project) instead
+* Deprecated pam_tally and pam_tally2: these modules are no longer built
+ by default and will be removed in the next release, use pam_faillock instead
+
+Release 1.3.1
+* pam_motd: add support for a motd.d directory
+* pam_umask: Fix documentation to align with order of loading umask
+* pam_get_user.3: Fix missing word in documentation
+* pam_tally2 --reset: avoid creating a missing tallylog file
+* pam_mkhomedir: Allow creating parent of homedir under /
+* access.conf.5: Add note about spaces around ':'
+* pam.8: Workaround formatting problem
+* pam_unix: Check return value of malloc used for setcred data
+* pam_cracklib: Drop unused prompt macros
+* pam_tty_audit: Support matching users by uid range
+* pam_access: support parsing files in /etc/security/access.d/*.conf
+* pam_localuser: Correct documentation
+* pam_issue: Fix no prompting in parse escape codes mode
+* Unification and cleanup of syslog log levels
+
+
+Release 1.3.0
+* Remove of static modules support
+* pam_unix: pass_not_set was removed
+* Lot of documentation fixes
+* Use TI-RPC function calls if we build against libtirpc
+* Add support for new, IPv6 enabled libnsl
+* Lot of bug fixes
+* Use fedora.zanata.org for translations
+
+
+Release 1.2.1
+* Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec
+
+
+Release 1.2.0
+* Update documentation
+* Update translations
+* pam_unix: add quiet option
+* libpam: support alternative configuration files in /usr/lib/pam.d
+ as fallback
+* pam_env: add support for @{HOME} and @{SHELL}
+* libpam: add grantor field to audit records
+* libpam: Introduce pam_modutil_sanitize_helper_fds
+
+
+Release 1.1.8
+* pam_unix: bug fix for compiling with SELinux, fix crash at login time
+
+
+Release 1.1.7
+* Update translations
+* pam_exec: add stdout and type= options
+* pam_tty_audit: add options to control logging of passwords
+* pam_unix: Read defaults from /etc/login.defs
+* pam_userdb: Allow modern password hashes
+* pam_selinux/pam_tally2: Add tty and rhost to audit data
+* Lot of docu and code fixes
+
+
+Release 1.1.6
+* Update translations
+* pam_cracklib: Add more checks for weak passwords
+* pam_lastlog: Never lock out root
+* Lot of bug fixes and smaller enhancements
+
+
+Release 1.1.5
+* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
+* pam_access: Add hostname resolution cache
+* Documentation: Improvements/fixes
+
+
+Release 1.1.4
+
+* Add vietnamese translation
+* pam_namepace: Add new functionality
+* pam_securetty: Honour console= kernel option, add noconsole option
+* pam_limits: Add %group syntax, drop change_uid option, add set_all option
+* Lot of small bug fixes
+* Lot of compiler warnings fixed
+* Add support for libtirpc
+
+
+Release 1.1.3
+
+* pam_namespace: Clean environment for child processes (CVE-2010-3853)
+* libpam: New interface to drop/regain privileges
+* Drop root privilegs in pam_env, pam_mail and pam_xauth before
+ accessing user files (CVE-2010-3430, CVE-2010-3431)
+* pam_unix: Add minlen option, change default from 6 to 0
+* Documentation improvements
+* Lot of small bug fixes
+
+Release 1.1.2
+
+* pam_unix: Add minlen= option
+* pam_group: Add support for UNIX groups beside netgroups
+* pam_tally: Document that it is deprecated
+* pam_rootok: Add support for chauthtok and acct_mgmt
+* Update translations
+
+Release 1.1.1
+
+* Update translations
+* pam_access: Revert netgroup match to original behavior, add new
+ syntax for adding the local hostname to netgroup match
+* libpam: Add new functions pam_get_authtok_noverify() and
+ pam_get_authtok_verify()
+* Add sepermit.conf.5 manual page
+* Lot of bug fixes
+
+Release 1.1.0
+
+* Update translations
+* Documentation updates and fixes
+
+Release 1.0.92
+
+* Update translations
+* pam_succeed_if: Use provided username
+* pam_mkhomedir: Fix handling of options
+
+Release 1.0.91
+
+* Fixed CVE-2009-0579 (minimum days limit on password change is ignored).
+* Fix libpam internal config/argument parser
+* Add optional file locking to pam_tally2
+* Update translations
+* pam_access improvements
+* Changes in the behavior of the password stack. Results of PRELIM_CHECK
+ are not used for the final run.
+
+Release 1.0.90
+
+* Supply hostname of the machine to netgroup match call in pam_access
+* Make pam_namespace to work safe on child directories of parent directories
+ owned by users
+* Redefine LOCAL keyword of pam_access configuration file
+* Add support for try_first_pass and use_first_pass to pam_cracklib
+* Print informative messages for rejected login and add silent and
+ no_log_info options to pam_tally
+* Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec
+* New password quality tests in pam_cracklib
+* New options for pam_lastlog to show last failed login attempt and
+ to disable lastlog update
+* New pam_pwhistory module to store last used passwords
+* New pam_tally2 module similar to pam_tally with wordsize independent
+ tally data format
+* Make libpam not log missing module if its type is prepended with '-'
+* New pam_timestamp module for authentication based on recent successful
+ login.
+* Add blowfish support to pam_unix.
+* Add support for user specific environment file to pam_env.
+* Add pam_get_authtok to libpam as Linux-PAM extension.
+* Rename type option of pam_cracklib to authtok_type.
+
+Release 1.0.3
+
+* Small bug fix release
+
+
+Release 1.0.2
+
+* Regression fixed in pam_selinux
+* Problem with big UIDs fixed in pam_loginuid
+
+
+Release 1.0.1
+
+* Regression fixed in pam_set_item()
+
+
+Release 1.0.0
+
+* Small bug fixes
+* Translation updates
+
+
+Release 0.99.10.0
+
+* New substack directive in config file syntax.
+* New module pam_tty_audit.so for enabling and disabling tty
+ auditing.
+* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
+* Auditing login denials based by origin (pam_access), time (pam_time),
+ and number of sessions (pam_limits) to the Linux audit subsystem.
+* Support sha256 and sha512 algorithms in pam_unix when they are supported
+ by crypt().
+* New pam_sepermit.so module for allowing/rejecting access based on
+ SELinux mode.
+* Improved functionality of pam_namespace.so module (method flags,
+ namespace.d configuration directory, new options).
+* Finally removed deprecated pam_rhosts_auth module.
+
+
+Release 0.99.9.0
+
+* misc_conv no longer blocks SIGINT; applications that don't want
+ user-interruptable prompts should block SIGINT themselves
+* Merge fixes from Debian
+* Fix parser for pam_group and pam_time
+
+
+Release 0.99.8.1
+
+* Fix a regression in audit code introduced with last release
+* Fix compiling with --disable-nls
+
+
+Release 0.99.8.0
+
+* Add translations for ar, ca, da, ru, sv and zu.
+* Update hungarian translation.
+* Add support for limits.d directory to pam_limits.
+* Improve pam_namespace module tobe more useful
+ for MLS, fixed crash with bad config files.
+* Improve pam_selinux module to be more useful
+ for MLS.
+* Add minclass option to pam_cracklib
+* Add new group syntax to pam_access
+
+
+Release 0.99.7.1
+
+* Security fix for pam_unix.so (CVE-2007-0003).
+
+
+Release 0.99.7.0
+
+* Add manual page for pam_unix.so.
+* Add pam_faildelay module to set pam_fail_delay() value.
+* Fix possible seg.fault in libpam/pam_set_data().
+* Cleanup of configure options.
+* Update hungarian translation, fix german translation.
+
+
+Release 0.99.6.3
+
+* pam_loginuid: New PAM module.
+* pam_access, pam_succeed_if: Support passwd and session services.
+
+
+Release 0.99.6.2
+
+* pam_lastlog: Don't refuse login if lastlog file got lost.
+* pam_cracklib: Fix a user triggerable crash.
+* documentation: Regenerate with fixed docbook stylesheet.
+
+
+Release 0.99.6.1
+
+* Fix bootstrapping problems.
+* Bug fixes: pam_keyinit, pam_umask
+
+
+Release 0.99.6.0
+
+* pam_namespace: Code cleanup, add init script to tar archive.
+* pam_succeed_if: Add support for service match.
+* Add xtests (to run after installation).
+* Documentation: Convert sgml guides to XML, unify documentation
+ for PAM functions and modules.
+
+
+Release 0.99.5.0
+
+* pam_tally: Fix support for large UIDs
+* Fixed all problems found by Coverity
+* Add support for Intel C Compiler
+* Add manual page for pam_mkhomedir, pam_umask, pam_filter,
+ pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
+ pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
+ pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn,
+ pam_time, pam_limits, pam_debug, pam_tally
+* The libpam memory debug code was removed
+* pam_keyinit: New module to initialise kernel session keyring.
+* pam_namespace: New module to configure private namespace for a session.
+* pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable.
+* pam_rhosts_auth: This module is now deprecated.
+
+
+Release 0.99.4.0
+
+* Add test suite
+* Fix building of static variants of libpam, libpamc and libpam_misc
+* pam_listfile: Add support for password and session management
+* pam_exec: New PAM module to execute arbitrary commands
+* Fix building of a static libpam including all PAM modules
+* New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr
+* pam_access: Add network(address) / netmask and IPv6 support
+* Add manual pages for pam_cracklib, pam_deny and pam_access
+* pam_pwdb: This deprecated module was removed
+* Manual pages: Major rewrite/cleanup
+
+
+Release 0.99.3.0
+
+* Fix NULL pointer checks in libpam.so
+* pam_succeed_if, pam_group, pam_time: Support netgroup matching
+* New translations for: nb, hu, fi, de, es, fr, it, ja, pt_BR, zh_CN, zh_TW
+* Audit PAM calls if Linux Audit is available
+* Compile upperLOWER and unix_chkpwd as PIE binaries
+
+
+Release 0.99.2.1
+
+* Fix install of PS, PDF, TXT and HTML files
+* pam_mail: Update README
+* Use %m consistent
+* pam_modutil_getlogin: Fix parsing of PAM_TTY variable
+
+
+Release 0.99.2.0
+
+* Fix parsing of full path tty name in various modules
+* pam_xauth: Look for xauth executable in multiple places
+* pam_unix: Disable user check in unix_chkpwd only if real uid
+ is 0 (CVE-2005-2977). Log failed password check attempt.
+* pam_env: Support /etc/environment again, but don't treat it as
+ error if it is missing.
+* pam_userdb: Fix memory leak.
+
+
+Release 0.99.1.0
+
+* Use autoconf/automake/libtool
+* Add gettext support
+* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
+ pt, zh_CN and zh_TW
+* libpam: Remove pam_authenticate_secondary stub
+* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
+ and pam_vinfo functions for use by modules as extension
+* libpam: Add pam_syslog function for unified syslog messages from
+ PAM modules
+* libpam: Moved functions from pammodutil to libpam
+* pam_umask: New module for setting umask from GECOS field, /etc/login.defs
+ or /etc/default/login
+* pam_echo: New PAM module for message output
+* pam_userdb: Fix regression (crash when crypt param not specified)
+* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
+ values for other limits are applied)
+* pam_access: Support for NULL tty - matches ALL and NONE keywords
+* pam_lastlog: Enable log to wtmp by default. Add "nowtmp" option
+* pam_radius: This module was removed
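Review bot: Several security entries in this new NEWS file give only the CVE id and not what the flaw was: "Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec" under Release 1.2.1, "pam_env: Fix CVE-2011-3148 and CVE-2011-3149" under 1.1.5, and "Security fix for pam_unix.so (CVE-2007-0003)" under 0.99.7.1. The 1.5.1 and 1.0.91 entries describe the impact in a short clause; consider doing the same for these so an administrator can triage from this file alone. Under 1.1.3, "pam_unix: Add minlen option, change default from 6 to 0" relaxes a default and also repeats "pam_unix: Add minlen= option" from 1.1.2; it would help to state which release added the option and to put the default change on its own line. Typos to fix while here: "pam_namepace" (1.1.4), "privilegs" (1.1.3), "tobe" (0.99.8.0) and "when it bcrypt is chosen" (1.4.0). Layout is also inconsistent: there is no blank line after the "Release" heading from 1.5.2 through 1.1.5 but there is one from 1.1.4 on, and the separation between releases alternates between one and two blank lines.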