Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2012-03-20 17:47:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pam", Maintainer is "mc@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/pam/pam.changes 2011-10-25 16:47:31.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes 2012-03-20 17:47:42.000000000 +0100 @@ -1,0 +2,10 @@ +Sat Mar 3 15:16:42 UTC 2012 - jengelh@medozas.de + +- Update to new upstream release 1.1.5 +* pam_env: Fix CVE-2011-3148: correctly count leading whitespace + when parsing environment file in pam_env +* Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in + pam_env +* pam_access: Add hostname resolution cache + +------------------------------------------------------------------- Old: ---- Linux-PAM-1.1.4-docs.tar.bz2 Linux-PAM-1.1.4.tar.bz2 bug-724480_pam_env-fix-dos.patch bug-724480_pam_env-fix-overflow.patch pam_tally2-man.dif New: ---- Linux-PAM-1.1.5-docs.tar.bz2 Linux-PAM-1.1.5.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++ --- /var/tmp/diff_new_pack.j8Fn62/_old 2012-03-20 17:47:44.000000000 +0100 +++ /var/tmp/diff_new_pack.j8Fn62/_new 2012-03-20 17:47:44.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package pam # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -15,32 +15,36 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild %define enable_selinux 1 Name: pam Url: http://www.kernel.org/pub/linux/libs/pam/ -BuildRequires: bison cracklib-devel db-devel flex BuildRequires: audit-devel -BuildRequires: libtirpc-devel +BuildRequires: bison +BuildRequires: cracklib-devel +BuildRequires: db-devel +BuildRequires: flex +BuildRequires: pkgconfig(libtirpc) %if %{enable_selinux} BuildRequires: libselinux-devel %endif %define libpam_so_version 0.83.1 %define libpam_misc_so_version 0.82.0 %define libpamc_so_version 0.82.1 -License: GPL-2.0+ or BSD-3-Clause -Group: System/Libraries -AutoReqProv: on # bug437293 %ifarch ppc64 Obsoletes: pam-64bit %endif # -Version: 1.1.4 -Release: 1 +Version: 1.1.5 +Release: 0 Summary: A Security Tool that Provides Authentication for Applications +License: GPL-2.0+ or BSD-3-Clause +Group: System/Libraries + +###DL-URL: http://www.kernel.org/pub/linux/libs/pam/library/ +#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/ Source: Linux-PAM-%{version}.tar.bz2 Source1: Linux-PAM-%{version}-docs.tar.bz2 Source2: securetty @@ -52,9 +56,6 @@ Source8: etc.environment Source9: baselibs.conf Patch0: pam_tally-deprecated.diff -Patch1: bug-724480_pam_env-fix-overflow.patch -Patch2: bug-724480_pam_env-fix-dos.patch -Patch3: pam_tally2-man.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -65,10 +66,11 @@ %package doc -License: GPL-2.0+ or BSD-3-Clause Summary: Documentation for Pluggable Authentication Modules Group: Documentation/HTML -###BuildArch: noarch +%if 0%{?suse_version} >= 1140 +BuildArch: noarch +%endif %description doc PAM (Pluggable Authentication Modules) is a system security tool that 
@@ -80,11 +82,9 @@ %package devel -License: GPL-2.0+ or BSD-3-Clause Summary: Include Files and Libraries for PAM-Development Group: Development/Libraries/C and C++ Requires: pam = %{version} glibc-devel -AutoReqProv: on # bug437293 %ifarch ppc64 Obsoletes: pam-devel-64bit @@ -104,15 +104,12 @@ %prep %setup -q -n Linux-PAM-%{version} -b 1 %patch0 -p0 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 %build -CFLAGS="$RPM_OPT_FLAGS -DNDEBUG" \ -./configure \ - --infodir=%{_infodir} \ - --mandir=%{_mandir} \ +export CFLAGS="%optflags -DNDEBUG" +%configure \ + --sbindir=/sbin \ + --includedir=%_includedir/security \ --docdir=%{_docdir}/pam \ --htmldir=%{_docdir}/pam/html \ --pdfdir=%{_docdir}/pam/pdf \ @@ -179,15 +176,12 @@ # Create filelist with translatins %{find_lang} Linux-PAM -%clean -rm -rf $RPM_BUILD_ROOT +%verifyscript +%verify_permissions -e /sbin/unix_chkpwd %post -p /sbin/ldconfig -%postun -/sbin/ldconfig -%verifyscript -%verify_permissions -e /sbin/unix_chkpwd +%postun -p /sbin/ldconfig %files -f Linux-PAM.lang %defattr(-,root,root) ++++++ Linux-PAM-1.1.4-docs.tar.bz2 -> Linux-PAM-1.1.5-docs.tar.bz2 ++++++ Files old/Linux-PAM-1.1.4/doc/sag/Linux-PAM_SAG.pdf and new/Linux-PAM-1.1.5/doc/sag/Linux-PAM_SAG.pdf differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.4/doc/sag/Linux-PAM_SAG.txt new/Linux-PAM-1.1.5/doc/sag/Linux-PAM_SAG.txt --- old/Linux-PAM-1.1.4/doc/sag/Linux-PAM_SAG.txt 2011-06-21 13:09:33.000000000 +0200 +++ new/Linux-PAM-1.1.5/doc/sag/Linux-PAM_SAG.txt 2011-10-25 14:18:01.000000000 +0200 
@@ -313,22 +313,22 @@ requisite like required, however, in the case that such a module returns a failure, - control is directly returned to the application. The return value is that - associated with the first required or requisite module to fail. Note, this - flag can be used to protect against the possibility of a user getting the - opportunity to enter a password over an unsafe medium. It is conceivable - that such behavior might inform an attacker of valid accounts on a system. - This possibility should be weighed against the not insignificant concerns - of exposing a sensitive password in a hostile environment. + control is directly returned to the application or to the superior PAM + stack. The return value is that associated with the first required or + requisite module to fail. Note, this flag can be used to protect against + the possibility of a user getting the opportunity to enter a password over + an unsafe medium. It is conceivable that such behavior might inform an + attacker of valid accounts on a system. This possibility should be weighed + against the not insignificant concerns of exposing a sensitive password in + a hostile environment. sufficient - success of such a module is enough to satisfy the authentication - requirements of the stack of modules (if a prior required module has failed - the success of this one is ignored). A failure of this module is not deemed - as fatal to satisfying the application that this type has succeeded. If the - module succeeds the PAM framework returns success to the application - immediately without trying any other modules. + if such a module succeeds and no prior required module has failed the PAM + framework returns success to the application or to the superior PAM stack + immediately without calling any further modules in the stack. A failure of + a sufficient module is ignored and processing of the PAM module stack + continues unaffected. optional 
@@ -4035,10 +4035,6 @@ incremented. The sysadmin should use this for user launched services, like su, otherwise this argument should be omitted. - no_lock_time - - Do not use the .fail_locktime field in /var/log/faillog for this user. - even_deny_root Root account can become unavailable. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.4/doc/sag/html/sag-configuration-file.html new/Linux-PAM-1.1.5/doc/sag/html/sag-configuration-file.html --- old/Linux-PAM-1.1.4/doc/sag/html/sag-configuration-file.html 2011-06-21 13:09:55.000000000 +0200 +++ new/Linux-PAM-1.1.5/doc/sag/html/sag-configuration-file.html 2011-10-25 14:18:47.000000000 +0200 @@ -84,7 +84,8 @@ </p></dd><dt><span class="term">requisite</span></dt><dd><p> like <span class="emphasis"><em>required</em></span>, however, in the case that such a module returns a failure, control is directly returned - to the application. The return value is that associated with + to the application or to the superior PAM stack. + The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is 
@@ -93,14 +94,12 @@ the not insignificant concerns of exposing a sensitive password in a hostile environment. </p></dd><dt><span class="term">sufficient</span></dt><dd><p> - success of such a module is enough to satisfy the - authentication requirements of the stack of modules (if a - prior <span class="emphasis"><em>required</em></span> module has failed the - success of this one is <span class="emphasis"><em>ignored</em></span>). A failure - of this module is not deemed as fatal to satisfying the - application that this type has succeeded. If the module succeeds - the PAM framework returns success to the application immediately - without trying any other modules. + if such a module succeeds and no prior <span class="emphasis"><em>required</em></span> + module has failed the PAM framework returns success to + the application or to the superior PAM stack immediately without + calling any further modules in the stack. A failure of a + <span class="emphasis"><em>sufficient</em></span> module is ignored and processing + of the PAM module stack continues unaffected. </p></dd><dt><span class="term">optional</span></dt><dd><p> the success or failure of this module is only important if it is the only module in the stack associated with this diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Linux-PAM-1.1.4/doc/sag/html/sag-pam_tally2.html new/Linux-PAM-1.1.5/doc/sag/html/sag-pam_tally2.html --- old/Linux-PAM-1.1.4/doc/sag/html/sag-pam_tally2.html 2011-06-21 13:10:05.000000000 +0200 +++ new/Linux-PAM-1.1.5/doc/sag/html/sag-pam_tally2.html 2011-10-25 14:19:00.000000000 +0200 
@@ -112,11 +112,6 @@ for user launched services, like <span class="command"><strong>su</strong></span>, otherwise this argument should be omitted. </p></dd><dt><span class="term"> - <code class="option">no_lock_time</code> - </span></dt><dd><p> - Do not use the .fail_locktime field in - <code class="filename">/var/log/faillog</code> for this user. - </p></dd><dt><span class="term"> <code class="option">even_deny_root</code> </span></dt><dd><p> Root account can become unavailable. ++++++ Linux-PAM-1.1.4-docs.tar.bz2 -> Linux-PAM-1.1.5.tar.bz2 ++++++ ++++ 261343 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
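Review bot: the new pam.changes entry records the upstream fixes but not the packaging changes made in the same submission: bug-724480_pam_env-fix-overflow.patch, bug-724480_pam_env-fix-dos.patch and pam_tally2-man.dif are all dropped, the build switches to %configure with --sbindir=/sbin, and %clean is removed. openSUSE changelog convention is to name every dropped patch with its reason so a reviewer can confirm nothing was lost; suggest adding lines such as "- Drop bug-724480_pam_env-fix-overflow.patch and bug-724480_pam_env-fix-dos.patch: included upstream (CVE-2011-3148, CVE-2011-3149)" and a corresponding line for pam_tally2-man.dif with its reason.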
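Review bot: in the pam.spec @@ -15,32 hunk the two commented download lines ("###DL-URL: http://www.kernel.org/pub/linux/libs/pam/library/" and "#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/") point at different hosts, and neither is read by rpm or OBS; since "Source:" is a bare filename, the tarball origin is invisible to tooling. Suggest putting the full download URL into "Source:" (e.g. "Source: https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-%{version}.tar.bz2") and deleting the stale triple-hash kernel.org line, and checking whether the "Url:" tag, which still names kernel.org, should follow the move.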
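Review bot: in the %build part of the pam.spec @@ -104,15 hunk, replacing the hand-written "./configure --infodir ... --mandir ..." with "%configure" changes more than the two options shown: %configure also supplies --prefix, --libdir=%{_libdir} and the other standard directories, so the location of libpam and the modules may differ from the previous invocation, and the remaining configure arguments lie outside the hunk. Suggest confirming the %files list against the new install layout, and writing "--includedir=%{_includedir}/security" with braces for consistency with the "%{_docdir}" and "%{_mandir}" forms used on the surrounding lines.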
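Review bot: the pam.spec @@ -179,15 hunk removes the %clean section and its "rm -rf $RPM_BUILD_ROOT", while the same spec gains an "%if 0%{?suse_version} >= 1140" conditional elsewhere, which signals that builds on older targets are still intended; on rpm versions that do not provide a default %clean, the buildroot will no longer be removed there. Suggest either keeping %clean under the same conditional or stating in pam.changes that only current Factory is supported. The move of "%verifyscript" / "%verify_permissions -e /sbin/unix_chkpwd" above %post is harmless (rpm ignores section order) and the path still matches the new --sbindir=/sbin; while touching this region, the context comment "# Create filelist with translatins" has a typo ("translations").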
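Review bot: the rewritten "requisite" and "sufficient" paragraphs in the Linux-PAM_SAG.txt @@ -313,22 hunk (mirrored in the sag-configuration-file.html @@ -84,7 and @@ -93,14 hunks) introduce the phrase "the superior PAM stack" without saying where nested stacks come from; a reader meets the term before the substack control value is explained. Suggest a short cross-reference such as "or, when the module was invoked from a substack, to the superior PAM stack". The new "sufficient" wording is also a useful clarification of semantics (a failing sufficient module is ignored and the stack continues), which is the property administrators rely on when ordering a sufficient module ahead of a fallback, so it is worth a mention in pam.changes.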
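Review bot: the no_lock_time option is deleted from the pam_tally2 documentation (Linux-PAM_SAG.txt @@ -4035,10 and sag-pam_tally2.html @@ -112,11) with no changelog mention. The removed text refers to the ".fail_locktime field in /var/log/faillog", which is the pam_tally (v1) record format rather than pam_tally2's /var/log/tallylog, so this reads as a documentation correction rather than a behaviour change, but the log does not show the module source. Suggest confirming in the 1.1.5 pam_tally2.c that a configuration still passing "no_lock_time" is treated as an unknown-but-harmless option instead of failing authentication, and recording the doc fix in pam.changes.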
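Review bot: the line "++++ 261343 lines of diff (skipped)" means the actual 1.1.4 to 1.1.5 source changes, including the pam_env fixes for CVE-2011-3148 and CVE-2011-3149 that the changelog credits to this update, are not visible in this log; only documentation diffs are shown. Since the two dropped bug-724480 patches were what previously protected Factory against those CVEs, suggest verifying during review that the new tarball (and its upstream signature, if one is published) contains the corresponding pam_env changes. The header for that section also pairs "Linux-PAM-1.1.4-docs.tar.bz2" with "Linux-PAM-1.1.5.tar.bz2", so confirm the comparison was run between the two source tarballs rather than between the old docs tarball and the new source tarball.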