[ubuntu/noble-proposed] pam 1.5.3-4ubuntu1 (Accepted)
Dan Bungert
daniel.bungert at canonical.com
Thu Feb 29 04:16:12 UTC 2024
pam (1.5.3-4ubuntu1) noble; urgency=medium

  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0t64.postinst: only ask questions during update-manager
      when there are non-default services running.
    - debian/libpam0t64.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/patches/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix's explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - debian/patches/extrausers.patch: Add a pam_extrausers module
      that is basically just a copy of pam_unix but looks at
      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
    - debian/libpam-modules-bin.install: install the helper binaries for
      pam_extrausers to /sbin
    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
    - Add lintian override for pam_extrausers_chkpwd
    - Disable custom daemon restart detection code if needrestart is available
  * Dropped changes, included in Debian:
    - SECURITY UPDATE: pam_namespace local denial of service
      - debian/patches/CVE-2024-22365.patch: use O_DIRECTORY to
        prevent local DoS situations in modules/pam_namespace/pam_namespace.c.
      - CVE-2024-22365
    - Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes
      usrmerge aliasing symlinks are in place since bookworm to keep
      compatibility with PAM modules still installing into /lib.
      (DEP17 M2) (Closes: #1060160).
    - Mitigate /usr-move file loss. (Closes: #1062802)
    - Update lintian override for setgid binary.

Date: Wed, 28 Feb 2024 21:07:18 -0700
Changed-By: Dan Bungert <daniel.bungert at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/pam/1.5.3-4ubuntu1
-------------- next part --------------
Format: 1.8
Date: Wed, 28 Feb 2024 21:07:18 -0700
Source: pam
Built-For-Profiles: noudeb
Architecture: source
Version: 1.5.3-4ubuntu1
Distribution: noble
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Dan Bungert <daniel.bungert at canonical.com>
Closes: 1060160 1062802
Changes:
 pam (1.5.3-4ubuntu1) noble; urgency=medium
 .
   * Merge from Debian unstable, remaining changes:
     - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
       not present there or in /etc/security/pam_env.conf. (should send to
       Debian).
     - debian/libpam0t64.postinst: only ask questions during update-manager
       when there are non-default services running.
     - debian/libpam0t64.postinst: check if gdm is actually running before
       trying to reload it.
     - debian/patches/ubuntu-rlimit_nice_correction: Explicitly
       initialise RLIMIT_NICE rather than relying on the kernel limits.
     - debian/patches/pam_umask_usergroups_from_login.defs.patch:
       Deprecate pam_unix's explicit "usergroups" option and instead read it
       from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
       there. This restores compatibility with the pre-PAM behaviour of login.
     - debian/patches/pam_motd-legal-notice: display the contents of
       /etc/legal once, then set a flag in the user's homedir to prevent
       showing it again.
     - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
       for update-motd, with some best practices and notes of explanation.
     - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
       to update-motd(5)
     - debian/local/common-session{,-noninteractive}: Enable pam_umask by
       default, now that the umask setting is gone from /etc/profile.
     - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
     - debian/patches/extrausers.patch: Add a pam_extrausers module
       that is basically just a copy of pam_unix but looks at
       /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
     - debian/libpam-modules-bin.install: install the helper binaries for
       pam_extrausers to /sbin
     - debian/rules: Make pam_extrausers_chkpwd sguid shadow
     - Add lintian override for pam_extrausers_chkpwd
     - Disable custom daemon restart detection code if needrestart is available
   * Dropped changes, included in Debian:
     - SECURITY UPDATE: pam_namespace local denial of service
       - debian/patches/CVE-2024-22365.patch: use O_DIRECTORY to
         prevent local DoS situations in modules/pam_namespace/pam_namespace.c.
       - CVE-2024-22365
     - Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes
       usrmerge aliasing symlinks are in place since bookworm to keep
       compatibility with PAM modules still installing into /lib.
       (DEP17 M2) (Closes: #1060160).
     - Mitigate /usr-move file loss. (Closes: #1062802)
     - Update lintian override for setgid binary.
Original-Maintainer: Sam Hartman <hartmans at debian.org>