Please remove php5-auth-pam from quantal

Bug #798571 reported by Ole Wolf
This bug affects 1 person
Affects: php-auth-pam (Debian) | Status: Fix Released | Importance: Unknown
Affects: php-auth-pam (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

Binary package hint: php5-auth-pam

According to the team working on the Horde application framework, php5-auth-pam is unmaintained and was deprecated years ago. This means that the php5-auth-pam package should be considered a security vulnerability.

The package info at http://packages.debian.org/changelogs/pool/main/p/php-auth-pam/php-auth-pam_0.4-10/copyright refers to the author's page at http://www.math.ohio-state.edu/~ccunning/pam_auth - however, that page is a 404 not found.

The Horde team suggests a package named "pam" instead of "auth-pam".

There are quite a few dependencies on php5-auth-pam, so it cannot readily be uninstalled and replaced by the appropriate PECL module.

Tags: pam pecl php
Ole Wolf (ole.wolf)
visibility: private → public
Marc Deslauriers (mdeslaur) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
Ole Wolf (ole.wolf) wrote : Re: php5-auth-pam obsolete

Work-around:

Install the PECL version using "sudo pecl install pam" without removing php5-auth-pam. The build may require some build libraries to be installed, libpam0g-dev being one of them.

Then, remove the module in /etc/php5/conf.d/pam_auth.ini by prepending it with a ';' (semicolon, without quotes). Create a new file in the same directory named "pam.ini" with the contents: "extension=pam.so" (without quotes). Restart the web server.

The above workaround may be overwritten whenever php5-auth-pam is updated, but since it appears to be unmaintained, this isn't likely to happen too often.
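
A check for the state the workaround above is meant to produce, and for the case where a package update re-enables the old module. This is an added example, not part of the original comment; the function names are hypothetical and the module file name pam_auth.so is an assumption inferred from pam_auth.ini.

```shell
#!/bin/sh
# Added example: audit a PHP conf.d directory after applying the workaround.
# Assumption: the deprecated php5-auth-pam module loads as pam_auth.so
# (inferred from the ini file name pam_auth.ini; adjust if it differs).

# Print the active (not ';'-commented) "extension=" values of one ini file.
active_extensions() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*extension[[:space:]]*=[[:space:]]*"\{0,1\}\([^";[:space:]]*\).*/\1/p' "$1"
}

# check_pam_workaround [DIR]
# Returns 0 if only the PECL pam.so is enabled,
#         1 if the deprecated module is (still or again) enabled,
#         2 if pam.so is not enabled at all.
check_pam_workaround() {
    dir=${1:-/etc/php5/conf.d}
    old=0
    new=0
    for f in "$dir"/*.ini; do
        for ext in $(active_extensions "$f"); do
            case $ext in
                pam_auth.so|pam_auth) old=1 ;;
                pam.so|pam) new=1 ;;
            esac
        done
    done
    if [ "$old" -eq 1 ]; then
        echo "deprecated PAM module is enabled in $dir"
        return 1
    fi
    if [ "$new" -eq 0 ]; then
        echo "pam.so is not enabled in $dir"
        return 2
    fi
    echo "ok: only pam.so is enabled in $dir"
    return 0
}
```

Running check_pam_workaround after each package upgrade shows whether pam_auth.ini was restored to its uncommented form.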

Ilya Barygin (randomaction) wrote :

Please remove this package from quantal:
* source: php-auth-pam
* binary: php5-auth-pam

No rdepends.

Removed from sid in March 2012, reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663694

Changed in php-auth-pam (Ubuntu):
status: New → Confirmed
Micah Gersten (micahg)
summary: - php5-auth-pam obsolete
+ Please remove php5-auth-pam from quantal
Dave Walker (davewalker) wrote :

horde3 seems to only Suggest this, so no firm rdepends. This looks fine to remove.

Thanks.

Dave Walker (davewalker) wrote :

Removing packages:
 php-auth-pam 0.4-10ubuntu1 in quantal
  php5-auth-pam 0.4-10ubuntu1 in quantal amd64
  php5-auth-pam 0.4-10ubuntu1 in quantal armel
  php5-auth-pam 0.4-10ubuntu1 in quantal armhf
  php5-auth-pam 0.4-10ubuntu1 in quantal i386
  php5-auth-pam 0.4-10ubuntu1 in quantal powerpc
Comment: LP: #798571 | Debian, RM: php-auth-pam -- RoReverseDependency; maintainer seems MIA; RC-buggy; abandoned upstream
1 package successfully removed.

Changed in php-auth-pam (Ubuntu):
status: Confirmed → Fix Released
Changed in php-auth-pam (Debian):
status: Unknown → Fix Released