[Bug 227531] Re: pam_krb5 should use syslog with facility LOG_AUTH

Launchpad Bug Tracker 227531 at bugs.launchpad.net
Wed Mar 4 03:05:16 UTC 2009


This bug was fixed in the package libpam-krb5 - 3.13-2ubuntu1

---------------
libpam-krb5 (3.13-2ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/{pam-auth-update,postinst,prerm}, debian/rules, debian/dirs:
      enable pam_krb5 by default using the new pam-auth-update support.
    - debian/control: depend on libpam-runtime (>= 1.0.1-6) for the
      above.
  * Logging is now done with the LOG_AUTHPRIV facility.  LP: #227531.

libpam-krb5 (3.13-2) unstable; urgency=low

  * Upload to unstable.

libpam-krb5 (3.13-1) experimental; urgency=high

  * New upstream release.
    - SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore
      user environment variables that specify the local keytab and
      Kerberos configuration.  Protects against a privilege escalation
      vulnerability.
    - SECURITY (CVE-2009-0361): Protect against applications calling
      pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid
      context.  This API call is designed to reinitialize an existing
      Kerberos ticket cache and therefore trusts the KRB5CCNAME
      environment variable, but in a setuid context, this may allow
      overwriting arbitrary files.
  * Install the upstream NEWS file as an upstream changelog.
  * Add ${misc:Depends} to the package dependencies.
  * Improve wording for the GPL pointer.  The package may be distributed
    under any version of the GPL.

libpam-krb5 (3.12-1) experimental; urgency=low

  * New upstream release.
    - New alt_auth_map, force_alt_auth, and only_alt_auth options to map
      usernames to alternative Kerberos principals for authentication.
    - Log to authpriv, not auth.
    - Correctly log an exit status of ignore during debugging.
    - Document ssh session requirement.  (Closes: #492039)
    - Document ignore handling with [] actions.  (Closes: #492379)
  * Update to debhelper compatibility mode V7.
    - Use debhelper rule minimization except for configure.
    - Let the upstream Makefile do the installation.
  * Remove NEWS.Debian, only of interest in upgrades from sarge.

 -- Steve Langasek <steve.langasek at ubuntu.com>   Wed, 04 Mar 2009 02:54:58 +0000

** Changed in: libpam-krb5 (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0360

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0361

-- 
pam_krb5 should use syslog with facility LOG_AUTH
https://bugs.launchpad.net/bugs/227531
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs