From 9ada0093e92388590c7368600ca4e9e3e376f0d0 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:22:51 +0200 Subject: Adding upstream version 1.5.2. Signed-off-by: Daniel Baumann --- NEWS | 433 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 433 insertions(+) create mode 100644 NEWS (limited to 'NEWS') diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..ca436ba --- /dev/null +++ b/NEWS @@ -0,0 +1,433 @@ +Linux-PAM NEWS -- history of user-visible changes. + +Release 1.5.2 +* pam_exec: implemented quiet_log option. +* pam_mkhomedir: added support of HOME_MODE and UMASK from /etc/login.defs. +* pam_timestamp: changed hmac algorithm to call openssl instead of the bundled + sha1 implementation if selected, added option to select + the hash algorithm to use with HMAC. +* Added pkgconfig files for provided libraries. +* Added --with-systemdunitdir configure option to specify systemd unit + directory. +* Added --with-misc-conv-bufsize configure option to specify the buffer size + in libpam_misc's misc_conv() function, raised the default value for this + parameter from 512 to 4096. +* Multiple minor bug fixes, portability fixes, documentation improvements, + and translation updates. + +Release 1.5.1 +* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user + doesn't exist and root password is blank +* pam_faillock: added nodelay option to not set pam_fail_delay +* pam_wheel: use pam_modutil_user_in_group to check for the group membership + with getgrouplist where it is available + +Release 1.5.0 +* Multiple minor bug fixes, portability fixes, and documentation improvements. +* Extended libpam API with pam_modutil_check_user_in_passwd function. +* configure: added --disable-unix option to disable build of pam_unix module. +* pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660. +* pam_limits: added support for nonewprivs item. +* pam_motd: read motd files with target user credentials skipping unreadable ones. +* pam_pwhistory: added a SELinux helper executable. +* pam_unix, pam_usertype: implemented avoidance of certain timing attacks. +* pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails. +* Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project) + or pam_pwquality (from libpwquality project) instead. +* Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead. +* pam_env: Reading of the user environment is deprecated and will be removed + at some point in the future. +* libpam: pam_modutil_drop_priv() now correctly sets the target user's + supplementary groups, allowing pam_motd to filter messages accordingly + +Release 1.4.0 +* Multiple minor bug fixes and documentation improvements +* Fixed grammar of messages printed via pam_prompt +* Added support for a vendor directory and libeconf +* configure: Added --enable-Werror option to enable -Werror build +* configure: Allowed disabling documentation through --disable-doc +* pam_get_authtok_verify: Avoid duplicate password verification +* pam_cracklib: Fixed parsing of options without arguments +* pam_env: Changed the default to not read the user .pam_environment file +* pam_exec: Require a user name to be specified before the command is executed +* pam_faillock: New module for locking after multiple auth failures +* pam_group, pam_time: Fixed logical error with multiple ! operators +* pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session +* pam_lastlog: Do not log info about failed login if the session was opened + with PAM_SILENT flag +* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs +* pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize' + limit +* pam_mkhomedir: Fixed return value when the user is unknown +* pam_motd: Export MOTD_SHOWN=pam after showing MOTD +* pam_motd: Support multiple motd paths specified, with filename overrides +* pam_namespace: Added a systemd service, which creates the namespaced + instance parent directories during boot +* pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts +* pam_selinux: Check unknown object classes or permissions in current policy +* pam_selinux: Fall back to log to syslog if audit logging fails +* pam_setquota: New module to set or modify disk quotas on session start +* pam_shells: Recognize /bin/sh as the default shell +* pam_succeed_if: Fixed potential override of the default prompt +* pam_succeed_if: Support lists in group membership checks +* pam_time: Added conffile= option to specify an alternative configuration file +* pam_tty_audit: If kernel audit is disabled return PAM_IGNORE +* pam_umask: Added new 'nousergroups' module argument and allowed specifying + the default for usergroups at build-time +* pam_unix: Added 'nullresetok' option to allow resetting blank passwords +* pam_unix: Report unusable hashes found by checksalt to syslog +* pam_unix: Return PAM_AUTHINFO_UNAVAIL when shadow entry is unavailable +* pam_unix: Support for (gost-)yescrypt hashing methods +* pam_unix: Use bcrypt b-variant when it bcrypt is chosen +* pam_usertype: New module to tell if uid is in login.defs ranges +* Fixed and documented possible values returned by pam_get_user() +* Added new API call pam_start_confdir() for special applications that + cannot use the system-default PAM configuration paths and need to + explicitly specify another path +* Deprecated pam_cracklib: this module is no longer built by default and will + be removed in the next release, use pam_passwdqc (from passwdqc project) + or pam_pwquality (from libpwquality project) instead +* Deprecated pam_tally and pam_tally2: these modules are no longer built + by default and will be removed in the next release, use pam_faillock instead + +Release 1.3.1 +* pam_motd: add support for a motd.d directory +* pam_umask: Fix documentation to align with order of loading umask +* pam_get_user.3: Fix missing word in documentation +* pam_tally2 --reset: avoid creating a missing tallylog file +* pam_mkhomedir: Allow creating parent of homedir under / +* access.conf.5: Add note about spaces around ':' +* pam.8: Workaround formatting problem +* pam_unix: Check return value of malloc used for setcred data +* pam_cracklib: Drop unused prompt macros +* pam_tty_audit: Support matching users by uid range +* pam_access: support parsing files in /etc/security/access.d/*.conf +* pam_localuser: Correct documentation +* pam_issue: Fix no prompting in parse escape codes mode +* Unification and cleanup of syslog log levels + + +Release 1.3.0 +* Remove of static modules support +* pam_unix: pass_not_set was removed +* Lot of documentation fixes +* Use TI-RPC function calls if we build against libtirpc +* Add support for new, IPv6 enabled libnsl +* Lot of bug fixes +* Use fedora.zanata.org for translations + + +Release 1.2.1 +* Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec + + +Release 1.2.0 +* Update documentation +* Update translations +* pam_unix: add quiet option +* libpam: support alternative configuration files in /usr/lib/pam.d + as fallback +* pam_env: add support for @{HOME} and @{SHELL} +* libpam: add grantor field to audit records +* libpam: Introduce pam_modutil_sanitize_helper_fds + + +Release 1.1.8 +* pam_unix: bug fix for compiling with SELinux, fix crash at login time + + +Release 1.1.7 +* Update translations +* pam_exec: add stdout and type= options +* pam_tty_audit: add options to control logging of passwords +* pam_unix: Read defaults from /etc/login.defs +* pam_userdb: Allow modern password hashes +* pam_selinux/pam_tally2: Add tty and rhost to audit data +* Lot of docu and code fixes + + +Release 1.1.6 +* Update translations +* pam_cracklib: Add more checks for weak passwords +* pam_lastlog: Never lock out root +* Lot of bug fixes and smaller enhancements + + +Release 1.1.5 +* pam_env: Fix CVE-2011-3148 and CVE-2011-3149 +* pam_access: Add hostname resolution cache +* Documentation: Improvements/fixes + + +Release 1.1.4 + +* Add vietnamese translation +* pam_namepace: Add new functionality +* pam_securetty: Honour console= kernel option, add noconsole option +* pam_limits: Add %group syntax, drop change_uid option, add set_all option +* Lot of small bug fixes +* Lot of compiler warnings fixed +* Add support for libtirpc + + +Release 1.1.3 + +* pam_namespace: Clean environment for child processes (CVE-2010-3853) +* libpam: New interface to drop/regain privileges +* Drop root privilegs in pam_env, pam_mail and pam_xauth before + accessing user files (CVE-2010-3430, CVE-2010-3431) +* pam_unix: Add minlen option, change default from 6 to 0 +* Documentation improvements +* Lot of small bug fixes + +Release 1.1.2 + +* pam_unix: Add minlen= option +* pam_group: Add support for UNIX groups beside netgroups +* pam_tally: Document that it is deprecated +* pam_rootok: Add support for chauthtok and acct_mgmt +* Update translations + +Release 1.1.1 + +* Update translations +* pam_access: Revert netgroup match to original behavior, add new + syntax for adding the local hostname to netgroup match +* libpam: Add new functions pam_get_authtok_noverify() and + pam_get_authtok_verify() +* Add sepermit.conf.5 manual page +* Lot of bug fixes + +Release 1.1.0 + +* Update translations +* Documentation updates and fixes + +Release 1.0.92 + +* Update translations +* pam_succeed_if: Use provided username +* pam_mkhomedir: Fix handling of options + +Release 1.0.91 + +* Fixed CVE-2009-0579 (minimum days limit on password change is ignored). +* Fix libpam internal config/argument parser +* Add optional file locking to pam_tally2 +* Update translations +* pam_access improvements +* Changes in the behavior of the password stack. Results of PRELIM_CHECK + are not used for the final run. + +Release 1.0.90 + +* Supply hostname of the machine to netgroup match call in pam_access +* Make pam_namespace to work safe on child directories of parent directories + owned by users +* Redefine LOCAL keyword of pam_access configuration file +* Add support for try_first_pass and use_first_pass to pam_cracklib +* Print informative messages for rejected login and add silent and + no_log_info options to pam_tally +* Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec +* New password quality tests in pam_cracklib +* New options for pam_lastlog to show last failed login attempt and + to disable lastlog update +* New pam_pwhistory module to store last used passwords +* New pam_tally2 module similar to pam_tally with wordsize independent + tally data format +* Make libpam not log missing module if its type is prepended with '-' +* New pam_timestamp module for authentication based on recent successful + login. +* Add blowfish support to pam_unix. +* Add support for user specific environment file to pam_env. +* Add pam_get_authtok to libpam as Linux-PAM extension. +* Rename type option of pam_cracklib to authtok_type. + +Release 1.0.3 + +* Small bug fix release + + +Release 1.0.2 + +* Regression fixed in pam_selinux +* Problem with big UIDs fixed in pam_loginuid + + +Release 1.0.1 + +* Regression fixed in pam_set_item() + + +Release 1.0.0 + +* Small bug fixes +* Translation updates + + +Release 0.99.10.0 + +* New substack directive in config file syntax. +* New module pam_tty_audit.so for enabling and disabling tty + auditing. +* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA. +* Auditing login denials based by origin (pam_access), time (pam_time), + and number of sessions (pam_limits) to the Linux audit subsystem. +* Support sha256 and sha512 algorithms in pam_unix when they are supported + by crypt(). +* New pam_sepermit.so module for allowing/rejecting access based on + SELinux mode. +* Improved functionality of pam_namespace.so module (method flags, + namespace.d configuration directory, new options). +* Finally removed deprecated pam_rhosts_auth module. + + +Release 0.99.9.0 + +* misc_conv no longer blocks SIGINT; applications that don't want + user-interruptable prompts should block SIGINT themselves +* Merge fixes from Debian +* Fix parser for pam_group and pam_time + + +Release 0.99.8.1 + +* Fix a regression in audit code introduced with last release +* Fix compiling with --disable-nls + + +Release 0.99.8.0 + +* Add translations for ar, ca, da, ru, sv and zu. +* Update hungarian translation. +* Add support for limits.d directory to pam_limits. +* Improve pam_namespace module tobe more useful + for MLS, fixed crash with bad config files. +* Improve pam_selinux module to be more useful + for MLS. +* Add minclass option to pam_cracklib +* Add new group syntax to pam_access + + +Release 0.99.7.1 + +* Security fix for pam_unix.so (CVE-2007-0003). + + +Release 0.99.7.0 + +* Add manual page for pam_unix.so. +* Add pam_faildelay module to set pam_fail_delay() value. +* Fix possible seg.fault in libpam/pam_set_data(). +* Cleanup of configure options. +* Update hungarian translation, fix german translation. + + +Release 0.99.6.3 + +* pam_loginuid: New PAM module. +* pam_access, pam_succeed_if: Support passwd and session services. + + +Release 0.99.6.2 + +* pam_lastlog: Don't refuse login if lastlog file got lost. +* pam_cracklib: Fix a user triggerable crash. +* documentation: Regenerate with fixed docbook stylesheet. + + +Release 0.99.6.1 + +* Fix bootstrapping problems. +* Bug fixes: pam_keyinit, pam_umask + + +Release 0.99.6.0 + +* pam_namespace: Code cleanup, add init script to tar archive. +* pam_succeed_if: Add support for service match. +* Add xtests (to run after installation). +* Documentation: Convert sgml guides to XML, unify documentation + for PAM functions and modules. + + +Release 0.99.5.0 + +* pam_tally: Fix support for large UIDs +* Fixed all problems found by Coverity +* Add support for Intel C Compiler +* Add manual page for pam_mkhomedir, pam_umask, pam_filter, + pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile, + pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit, + pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn, + pam_time, pam_limits, pam_debug, pam_tally +* The libpam memory debug code was removed +* pam_keyinit: New module to initialise kernel session keyring. +* pam_namespace: New module to configure private namespace for a session. +* pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable. +* pam_rhosts_auth: This module is now deprecated. + + +Release 0.99.4.0 + +* Add test suite +* Fix building of static variants of libpam, libpamc and libpam_misc +* pam_listfile: Add support for password and session management +* pam_exec: New PAM module to execute arbitrary commands +* Fix building of a static libpam including all PAM modules +* New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr +* pam_access: Add network(address) / netmask and IPv6 support +* Add manual pages for pam_cracklib, pam_deny and pam_access +* pam_pwdb: This deprecated module was removed +* Manual pages: Major rewrite/cleanup + + +Release 0.99.3.0 + +* Fix NULL pointer checks in libpam.so +* pam_succeed_if, pam_group, pam_time: Support netgroup matching +* New translations for: nb, hu, fi, de, es, fr, it, ja, pt_BR, zh_CN, zh_TW +* Audit PAM calls if Linux Audit is available +* Compile upperLOWER and unix_chkpwd as PIE binaries + + +Release 0.99.2.1 + +* Fix install of PS, PDF, TXT and HTML files +* pam_mail: Update README +* Use %m consistent +* pam_modutil_getlogin: Fix parsing of PAM_TTY variable + + +Release 0.99.2.0 + +* Fix parsing of full path tty name in various modules +* pam_xauth: Look for xauth executable in multiple places +* pam_unix: Disable user check in unix_chkpwd only if real uid + is 0 (CVE-2005-2977). Log failed password check attempt. +* pam_env: Support /etc/environment again, but don't treat it as + error if it is missing. +* pam_userdb: Fix memory leak. + + +Release 0.99.1.0 + +* Use autoconf/automake/libtool +* Add gettext support +* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR, + pt, zh_CN and zh_TW +* libpam: Remove pam_authenticate_secondary stub +* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info + and pam_vinfo functions for use by modules as extension +* libpam: Add pam_syslog function for unified syslog messages from + PAM modules +* libpam: Moved functions from pammodutil to libpam +* pam_umask: New module for setting umask from GECOS field, /etc/login.defs + or /etc/default/login +* pam_echo: New PAM module for message output +* pam_userdb: Fix regression (crash when crypt param not specified) +* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit + values for other limits are applied) +* pam_access: Support for NULL tty - matches ALL and NONE keywords +* pam_lastlog: Enable log to wtmp by default. Add "nowtmp" option +* pam_radius: This module was removed -- cgit v1.2.3