pam (0.99.7.1-4ubuntu1~ppa1) gutsy; urgency=low * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes: - debian/control, debian/local/common-session{,md5sums}: use libpam-foreground for session management. - debian/rules: install unix_chkpwd setgid shadow instead of setuid root. The nis package handles overriding this as necessary. - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not present there or in /etc/security/pam_env.conf. - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t type rather than __u8. - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly initialise RLIMIT_NICE rather than relying on the kernel limits. Bound RLIMIT_NICE from below as well as from above. Fix off-by-one error when converting RLIMIT_NICE to the range of values used by the kernel. (Originally patch 101; converted to quilt.) * Dropped: - debian/rules: bashism fixes (merged upstream). - debian/control: Conflict on ancient nis (expired with Breezy). - debian/libpam-runtime.postinst: check for ancient pam (expired with Breezy). - debian/patches-applied/ubuntu-user_defined_environment: Look at ~/.pam_environment too, with the same format as /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.) Left out of "series" for now (LP: #113586). pam (0.99.7.1-4) unstable; urgency=low * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted to fix the library skew, only reloaded; special-case this daemon in the postinst and remove the mention of it from the debconf template, also tightening the language of the debconf template in the process. Closes: #440074. * Add courier-authdaemon to the list of services that need to be restarted; thanks to Micah Anderson for reporting. * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over garbage lines in /etc/environment and log an error, instead of failing with an obscure error; and ignore any PAM_BAD_ITEM values returned by pam_putenv(), since this is the expected error return when trying to delete a non-existent var. Closes: #439984. * Yet another thinko in hurd_no_setfsuid and in 029_pam_limits_capabilities; this code should really be Hurd-safe at last... * getline() returns -1 on EOF, not 0; check this appropriately, to fix an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl for the fix. Closes: #440019. * Use ${misc:Depends} for libpam0g, so we get a proper dependency on debconf. * 019_pam_listfile_quiet: per discussion with upstream, don't suppress errors about missing files or files with wrong permissions; these are real errors that should not be buried. * Drop the remainder of 061_pam_issue_double_free, not required for the original bugfix. * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that we define CRACKLIB_DICTS in debian/rules. * Drop patch 063_paswd_segv, superseded by a different upstream fix * Split 047_pam_limits_chroot_string_value up between 008_modules_pam_limits_chroot and 029_pam_limits_capabilites * Updates to patch 007_modules_pam_unix: restore the same built-in min password len of 6 that upstream uses; fix a typo panlindrome -> palindrome. * The 'max=' option was never intended to be used to limit maximum password length for users, only to declare what the number of significant characters /is/ for a password. But we don't need a config option to tell us that, we know the answer based on which crypt type we're using, so drop this as a config file option. Closes: #389197. * Debconf translations: - Spanish, thanks to Javier Fernández-Sanguino Peña - Vietnamese, thanks to Clytie Siddall - German, thanks to Sven Joachim (closes: #440355) - Czech, thanks to Miroslav Kure (closes: #440362) - Portuguese, thanks to Américo Monteiro (closes: #440368) pam (0.99.7.1-3) unstable; urgency=low * New patch limits_wrong_strncpy: fix unnecessary manipulations of string buffers, including an illegal use of strncpy(). Thanks to Paul Hampson for reporting. Closes: #331278. * New patch misc_conv_allow_sigint.patch: allow SIGINT to be handled by the application, instead of blocking it when misc_conv is in use and preventing users from being able to ^C at any PAM prompt. Closes: #1708. * 024_debian_cracklib_dict_path: default to NULL instead of a specific dictionary path when none is defined for consistency with the new upstream version of cracklib, and define our path in debian/rules. * 055_pam_unix_nullok_secure: document the pam_unix "nullok_secure" option, a prereq for forwarding this patch upstream. Closes: #325974. * Create /etc/security/opasswd on new installs or on upgrades from 0.99.7.1-2 or below, so that users that enable the remember= option to pam_unix aren't left unable to change passwords. Closes: #95324. * Fix a couple of thinkos in hurd_no_setfsuid, that were preventing the code from compiling on the Hurd still. Thanks to Michael Banck for the catch. * Fix a memory leak in the pam_limits capabilities patch: always cap_free() the cap_t before returning from pam_sm_open_session(). Closes: #153157. * libpam0g.postinst, libpam0g.templates: on upgrades from versions prior to 0.99.7.1-3, restart known PAM-using services so that they get the new libpam symbols, since otherwise the newer PAM modules will fail to load. Postinst taken from libssl0.9.8; thanks to Christoph Martin for the fine example! Closes: #439835. * Build-depend on po-debconf to support l10n of the debconf questions from the above. pam (0.99.7.1-2) unstable; urgency=low * New upstream release; thanks to Roger Leigh and Jan Christoph Nordholz for their extensive work in helping to prepare for this update in Debian. Closes: #360460. - now uses autoconf for library detection, so SELinux should not be unconditionally enabled on non-Linux archs. Closes: #333141. - pam_mail notice handling has been completely reworked, so there should no longer be missing spaces in the messages. Closes: #119689. - with libtool and autoconf, now behaves "sensibly" on unknown platforms. Closes: #165067. - the source now builds without warnings. Closes: #212165. - uses automake instead of hand-rolled makefiles with indentation bugs. Closes: #241661, #328084. - pam_mkhomedir now creates directories recursively as needed. Closes: #178225. - pam_listfile now supports being used as a session module too. Closes: #416665. - misspelled pam_userdb log message has been corrected. Closes: #305058. - the current pam_strerror manpage no longer mentions "Unknown Linux-PAM error". Closes: #220157. - the text documentation no longer uses ANSI bold sequences. Closes: #181451. - pam_localuser now supports being used as a session module. Closes: #412484. - package no longer fails to build with dash as /bin/sh. Closes: #331208. - All modules should now be documented in the system administrator guide. Closes: #350620. - pam_userdb now logs an error instead of segfaulting when no db= option is provided. Closes: #436005. - pam_time now warns on a missing tty instead of erroring out, making it possible to use the module with non-console services. Closes: #127931. - upstream changelog is now 'ChangeLog' instead of 'CHANGELOG'; install accordingly - bump the shlibs - the 'test.c' example no longer exists - add /usr/share/locale to libpam-runtime. - CVE-2005-2977: only uid=0 is allowed to invoke unix_chkpwd with an arbitrary username, and then only when SELinux is active. Closes: #336344. * Mark myself as primary maintainer as previously discussed with Sam, and add Roger as an uploader. * Refactor to use quilt. * Update to Standards-Version 3.7.2. * Drop unnecessary build-dependency on patch, which is build-essential (and no longer invoked directly). * Drop patches 002_debian_no_ldconfig_call, 010_pam_cplusplus, 018_man_fixes, 030_makefile_link_against_libpam, 037_pam_issue_ttyname_can_be_null, 044_configure_supports_bsd, 050_configure_in_gnu and 052_pam_unix_no_openlog, which have been superseded upstream. * Drop patches 005_pam_limits_099_6, 012_pam_group_less_restrictive_charset, 023_pam_env_limits_miscfixes, 048_pam_group_colon_valid_char, 058_pam_env_enable, 059_pam_userdb_segv, 060_pam_tally_segv and 062_c++_safe_headers, which have been integrated upstream. * Patch 057: SELinux support is merged upstream, leaving only an unrelated OOM check for pam_unix_passwd. Rename as 057_pam_unix_passwd_OOM_check. * Patches 006, 008, 036: update for the switch from SGML to XML. * Patch 007: update for the switch from SGML to XML; drop some log messages that were already added upstream; update for the pam_modutil changes; tighten the flag handling of the 'obscure' option; drop bogus check in unix_chkpwd for null passwords. Also fix a grammar error along the way. Closes: #362855. * Patch 024: CRACKLIB_DICTPATH is no longer set in configure.in, so patch pam_cracklib.c instead to use the default dictpath already available from crack.h; and patch configure.in to use AC_CHECK_HEADERS instead of AC_CHECK_HEADER, so crack.h is actually included. Also remove unnecessary string copies, which break on the Hurd due to PATH_MAX. * Patch 038: partially merged/superseded upstream; also add new Hurd fix for pam_xauth. * Patch 061: partially merged upstream * Use ${binary:Version} instead of ${Source-Version} in debian/control. * Remove empty maintainer scripts debian/libpam0g-dev.{postinst,prerm}, debian/libpam0g.{postinst,prerm}, and debian/libpam-modules.{postinst,prerm}; debhelper can autogenerate these just fine without our help. * Build-Depend on xsltproc, libxml2-utils, docbook-xml, docbook-xsl and w3m instead of on linuxdoc-tools, linuxdoc-tools-latex, tetex-extra, groff, and opensp. * Also build-depend on flex for libfl.a. * Updates for documentation handling: - move debian/local/pam-*-guide to debian/libpam-doc.doc-base.foo-guide, and invoke dh_installdocs instead of installing these by hand. - drop libpam-doc.{postinst,prerm}, which are no longer needed. - add an install target to debian/rules, and have binary-indep depend on it instead of trying to install doc files individually from the source tree - consequently, drop libpam-doc.dirs as well which is no longer needed and no longer accurate - add debian/libpam-doc.install for moving the docs to the right place, and also replace libpam-runtime.files with libpam-runtime.install; for the moment this means we're using both dh_movefiles and dh_install... - libpam0g.docs: install the Debian-PAM-MiniPolicy from here, further cleaning up debian/rules * Drop debian/libpam0g.links, no longer needed because upstream now has a working install target which creates the library symlinks * Add libpam-modules.links: create pam_unix_{acct,auth,passwd,session}.so symlinks by hand, no longer provided upstream. * debian/patches-applied/PAM-manpage-section: "PAM" is not a daemon, manpage belongs in section 7, not in section 8. * Actually ship the pam, pam.conf, and pam.d manpages in libpam-runtime. * debian/patches-applied/autoconf.patch: move all changes to autotools generated files into a single patch at the end of the stack. - don't touch configure in debian/rules, the quilt patch takes care of this for us. * New patch 064_pam_unix_cracklib_dictpath: correctly define CRACKLIB_DICTS, since this is not defined by configure. Thanks to Jan Christoph Nordholz. * New patch 065_pam_unix_cracklib_disable: Debian-specific patch to disable cracklib support in pam_unix. Thanks to Christoph Nordholz. * debian/rules: - Rename OS_CFLAGS to CFLAGS. - kill off references to unused variables - make binary-arch also depend on the install target, and streamline the rules - fix up the clean target to not ignore errors; thanks to Roger Leigh - drop the local module_check target in favor of using -Wl,-z,defs in LDFLAGS to enforce correct linkage of all objects at build time * Drop debian/local/unix_chkpwd.8 in favor of the upstream manpage. * libpam-modules.files: /usr/sbin/pam_tally has moved to /sbin/pam_tally for consistency. * Update to debhelper V5. * Don't ship Makefiles as part of the libpam0g-dev examples. * libpam-modules.manpages, libpam-runtime.manpages, libpam0g-dev.manpages: put all the manpages in the correct packages. Closes: #411812, #62193, #313486, #300773, #330545, #184270. * Drop libpam{0g,0g-dev,-modules,-runtime}.dirs, not needed for anything because we aren't trying to ship empty directories in the packages * Build-Conflict with fop, to avoid unreproducible builds of pdf documentation from a tool in contrib. * libpam-cracklib should depend on a real wordlist package, per policy; use wamerican as the default. * Drop local/pam-undocumented.7 from the package, since we no longer have a reason to ship it * Add lintian overrides for known false-positives * Conflicts/Replaces/Provides libpam-umask, now included upstream. Closes: #436222. * Upstream no longer marks unix_chkpwd suid-root for us, so set the perms by hand in debian/rules. In the process, unix_chkpwd is now writable by the owner, as expected by policy. Closes: #368100. * Migrate from db4.3 to db4.6; once again, no administrator action should be needed for upgrading on-disk database formats. Closes: #354309. * Add XS-Vcs-Svn and XS-Vcs-Browser fields to debian/control; thanks to Laurent Bigonville for the hint. Closes: #439038. * Add a watch file for use with uscan; thanks to Laurent Bigonville for this patch as well. Closes: #439040. * Rewrite of 031_pam_include, fixing a memory leak and letting us drop patch 056_no_label_at_end; thanks to Jan Christoph Nordholz