[Bug 227531] Re: pam_krb5 should use syslog with facility LOG_AUTH
Launchpad Bug Tracker
227531 at bugs.launchpad.net
Wed Mar 4 03:05:16 UTC 2009
This bug was fixed in the package libpam-krb5 - 3.13-2ubuntu1
---------------
libpam-krb5 (3.13-2ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/{pam-auth-update,postinst,prerm}, debian/rules, debian/dirs:
      enable pam_krb5 by default using the new pam-auth-update support.
    - debian/control: depend on libpam-runtime (>= 1.0.1-6) for the
      above.
  * Logging is now done with the LOG_AUTHPRIV facility. LP: #227531.

libpam-krb5 (3.13-2) unstable; urgency=low

  * Upload to unstable.

libpam-krb5 (3.13-1) experimental; urgency=high

  * New upstream release.
    - SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore
      user environment variables that specify the local keytab and
      Kerberos configuration. Protects against a privilege escalation
      vulnerability.
    - SECURITY (CVE-2009-0361): Protect against applications calling
      pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid
      context. This API call is designed to reinitialize an existing
      Kerberos ticket cache and therefore trusts the KRB5CCNAME
      environment variable, but in a setuid context, this may allow
      overwriting arbitrary files.
  * Install the upstream NEWS file as an upstream changelog.
  * Add ${misc:Depends} to the package dependencies.
  * Improve wording for the GPL pointer. The package may be distributed
    under any version of the GPL.

libpam-krb5 (3.12-1) experimental; urgency=low

  * New upstream release.
    - New alt_auth_map, force_alt_auth, and only_alt_auth options to map
      usernames to alternative Kerberos principals for authentication.
    - Log to authpriv, not auth.
    - Correctly log an exit status of ignore during debugging.
    - Document ssh session requirement. (Closes: #492039)
    - Document ignore handling with [] actions. (Closes: #492379)
  * Update to debhelper compatibility mode V7.
    - Use debhelper rule minimization except for configure.
    - Let the upstream Makefile do the installation.
  * Remove NEWS.Debian, only of interest in upgrades from sarge.

 -- Steve Langasek <steve.langasek at ubuntu.com> Wed, 04 Mar 2009 02:54:58 +0000

** Changed in: libpam-krb5 (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0360

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0361

--
pam_krb5 should use syslog with facility LOG_AUTH
https://bugs.launchpad.net/bugs/227531
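
The setuid handling described in the 3.13-1 entries (CVE-2009-0360 and CVE-2009-0361), as an added C illustration that is not pam-krb5's own code. The helper names are hypothetical, and refusing the ticket cache refresh outright when no trusted cache name is available is an assumed policy, not a description of the upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real and effective IDs differ: the process holds privileges
 * that the user who started it (and who controls its environment) lacks. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* The same check applied to the current process. */
int in_setuid_context(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* Return an environment value only when the caller's environment can be
 * trusted; in a setuid context the variable is treated as unset. */
const char *env_if_trusted(const char *name, int setuid_ctx)
{
    return setuid_ctx ? NULL : getenv(name);
}

/* Choose the ticket cache for a credential refresh. Returns 0 and sets
 * *out on success, or -1 when no trusted cache name exists, so a
 * privileged process never writes to a path named by KRB5CCNAME. */
int ccache_for_reinit(int setuid_ctx, const char **out)
{
    const char *cc = env_if_trusted("KRB5CCNAME", setuid_ctx);
    if (cc == NULL || *cc == '\0')
        return -1;
    *out = cc;
    return 0;
}

int main(void)
{
    const char *cc = NULL;
    if (ccache_for_reinit(in_setuid_context(), &cc) != 0) {
        fprintf(stderr, "refusing to reinitialize: no trusted ticket cache\n");
        return 1;
    }
    printf("would reinitialize %s\n", cc);
    return 0;
}
```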