~ubuntu-branches/ubuntu/precise/nss-pam-ldapd/precise-security

« back to all changes in this revision

Viewing changes to debian/changelog

Committer: Package Import Robot
Author(s): Arthur de Jong
Date: 2011-09-04 21:00:00 UTC
mfrom: (14.1.4 experimental)
Revision ID: package-import@ubuntu.com-20110904210000-pe3u91iga88vtr16

Tags: 0.8.4

http://bugs.debian.org/638872

http://bugs.debian.org/637132

http://bugs.debian.org/637863

http://bugs.debian.org/640185

http://bugs.debian.org/637751

http://bugs.debian.org/637756

http://bugs.debian.org/637759

http://bugs.debian.org/638195

http://bugs.debian.org/639026

http://bugs.debian.org/639107

http://bugs.debian.org/639236

* Upload to unstable
* switch to using the member attribute by default instead of
  uniqueMember (backwards incompatible change)
* only return "x" as a password hash when the object has the shadowAccount
  objectClass and nsswitch.conf is configured to do shadow lookups using
  LDAP (this avoids some problems with pam_unix)
* fix problem with partial attribute name matches in DN (thanks Timothy
  White)
* fix a problem with objectSid mappings with recent versions of OpenLDAP
  (patch by Wesley Mason)
* set the socket timeout in a connection callback to avoid timeout
  issues during the SSL handshake (patch by Stefan Völkel)
* check for unknown variables in pam_authz_search
* only check password expiration when authenticating, only check account
  expiration when doing authorisation
* make buffer sizes consistent and grow all buffers holding string
  representations of numbers to be able to hold 64-bit numbers
* update AX_PTHREAD from autoconf-archive
* support querying DNS SRV records from a different domain than the current
  one (based on a patch by James M. Leddy)
* fix a problem with uninitialised memory while parsing the tls_ciphers
  option (closes: #638872) (but doesn't work yet due to #640384)
* implement bounds checking of numeric values read from LDAP (patch by
  Jakub Hrozek)
* correctly support large uid and gid values from LDAP (patch by Jakub
  Hrozek)
* improvements to the configure script (patch by Jakub Hrozek)
* switch to dh for debian/rules and bump debhelper compatibility to 8
* build Debian packages with multiarch support
* ship shlibs (but still no symbol files) for libnss-ldapd since that was
  the easiest way to support multiarch
* fix output in init script when restarting nslcd (closes: #637132)
* correctly handle leading and trailing spaces in preseeded debconf uri
  option (patch by Andreas B. Mundt) (closes: #637863)
* support spaces around database names in /etc/nsswitch.conf while
  configuring package (closes: #640185)
* updated Russian debconf translation by Yuri Kozlov (closes: #637751)
* updated French debconf translation by Christian Perrier (closes: #637756)
* added Slovak debconf translation by Slavko (closes: #637759)
* updated Danish debconf translation by Joe Hansen (closes :#637763)
* updated Brazilian Portuguese debconf translation by Denis Doria
* updated Portuguese debconf translation by Américo Monteiro
* updated Japanese debconf translation by Kenshi Muto (closes: #638195)
* updated Czech debconf translation by Miroslav Kure (closes: #639026)
* updated German debconf translation by Chris Leick (closes: #639107)
* updated Spanish debconf translation by Francisco Javier Cuadrado
  (closes: #639236)
* updated Dutch debconf translation by Arthur de Jong with help from Paul
  Gevers and Jeroen Schot

files added:
ChangeLog-2009

ChangeLog-2010

compat/strndup.c

compat/strndup.h

debian/pam-configs

debian/pam-configs/ldap

debian/po/sk.po

debian/source/lintian-overrides

nslcd/nsswitch.c

nss/bsdnss.c

nss/exports.freebsd

nss/exports.glibc

nss/exports.solaris

nss/solnss.c

py-compile

pynslcd

pynslcd/Makefile.am

pynslcd/Makefile.in

pynslcd/alias.py

pynslcd/cfg.py

pynslcd/common.py

pynslcd/config.py.in

pynslcd/ether.py

pynslcd/group.py

pynslcd/host.py

pynslcd/mypidfile.py

pynslcd/netgroup.py

pynslcd/network.py

pynslcd/pam.py

pynslcd/passwd.py

pynslcd/pynslcd.py

pynslcd/shadow.py

pynslcd/tio.py

tests/common.h

tests/in_testenv.sh

tests/test_pamcmds.expect

tests/test_pamcmds.sh

files removed:
debian/libpam-ldapd.pam-auth-update

nss/nss_ldap.map

tests/test_aliases.c

tests/test_ethers.c

tests/test_group.c

tests/test_hosts.c

tests/test_netgroup.c

tests/test_networks.c

tests/test_nslcd_group.c

tests/test_passwd.c

tests/test_protocols.c

tests/test_rpc.c

tests/test_services.c

tests/test_shadow.c

files modified:
AUTHORS

ChangeLog

HACKING

Makefile.am

Makefile.in

NEWS

README

TODO

aclocal.m4

common/Makefile.in

common/dict.c

common/dict.h

common/expr.c

common/expr.h

common/nslcd-prot.c

common/set.c

common/set.h

common/tio.c

compat/Makefile.am

compat/Makefile.in

compat/daemon.h

compat/ether.c

compat/ether.h

compat/getpeercred.c

compat/ldap_compat.h

compat/ldap_passwd_s.c

compat/nss_compat.h

compat/pam_compat.h

compat/pam_get_authtok.c

config.guess

config.h.in

config.sub

configure

configure.ac

debian/changelog

debian/compat

debian/control

debian/copyright

debian/libnss-ldapd.config

debian/libnss-ldapd.install

debian/libnss-ldapd.lintian-overrides

debian/libnss-ldapd.postinst

debian/libnss-ldapd.postrm

debian/libpam-ldapd.install

debian/libpam-ldapd.postinst

debian/nslcd.config

debian/nslcd.init

debian/nslcd.install

debian/nslcd.postinst

debian/nslcd.templates

debian/po/ca.po

debian/po/cs.po

debian/po/da.po

debian/po/de.po

debian/po/es.po

debian/po/fi.po

debian/po/fr.po

debian/po/gl.po

debian/po/it.po

debian/po/ja.po

debian/po/nb.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/ru.po

debian/po/sv.po

debian/po/templates.pot

debian/po/vi.po

debian/po/zh_CN.po

debian/rules

m4/ax_pthread.m4

man/Makefile.am

man/Makefile.in

man/nslcd.8

man/nslcd.8.xml

man/nslcd.conf.5

man/nslcd.conf.5.xml

man/pam_ldap.8

man/pam_ldap.8.xml

nslcd.conf

nslcd.h

nslcd/Makefile.am

nslcd/Makefile.in

nslcd/alias.c

nslcd/attmap.c

nslcd/attmap.h

nslcd/cfg.c

nslcd/cfg.h

nslcd/common.c

nslcd/common.h

nslcd/ether.c

nslcd/group.c

nslcd/host.c

nslcd/log.c

nslcd/log.h

nslcd/myldap.c

nslcd/myldap.h

nslcd/netgroup.c

nslcd/network.c

nslcd/nslcd.c

nslcd/pam.c

nslcd/passwd.c

nslcd/protocol.c

nslcd/rpc.c

nslcd/service.c

nslcd/shadow.c

nss/Makefile.am

nss/Makefile.in

nss/aliases.c

nss/common.h

nss/ethers.c

nss/group.c

nss/hosts.c

nss/netgroup.c

nss/networks.c

nss/passwd.c

nss/protocols.c

nss/prototypes.h

nss/rpc.c

nss/services.c

nss/shadow.c

pam/Makefile.am

pam/Makefile.in

pam/common.h

pam/pam.c

tests/Makefile.am

tests/Makefile.in

tests/README

tests/nslcd-test.conf

tests/test_cfg.c

tests/test_common.c

tests/test_dict.c

tests/test_expr.c

tests/test_getpeercred.c

tests/test_myldap.c

tests/test_nsscmds.sh

tests/test_set.c

tests/test_tio.c

Show diffs side-by-side

added added

removed removed

debian/changelog

nss-pam-ldapd (0.8.4) unstable; urgency=low

* Upload to unstable

* switch to using the member attribute by default instead of

uniqueMember (backwards incompatible change)

* only return "x" as a password hash when the object has the shadowAccount

objectClass and nsswitch.conf is configured to do shadow lookups using

LDAP (this avoids some problems with pam_unix)

* fix problem with partial attribute name matches in DN (thanks Timothy

White)

* fix a problem with objectSid mappings with recent versions of OpenLDAP

(patch by Wesley Mason)

* set the socket timeout in a connection callback to avoid timeout

issues during the SSL handshake (patch by Stefan Völkel)

* check for unknown variables in pam_authz_search

* only check password expiration when authenticating, only check account

expiration when doing authorisation

* make buffer sizes consistent and grow all buffers holding string

representations of numbers to be able to hold 64-bit numbers

* update AX_PTHREAD from autoconf-archive

* support querying DNS SRV records from a different domain than the current

one (based on a patch by James M. Leddy)

* fix a problem with uninitialised memory while parsing the tls_ciphers

option (closes: #638872) (but doesn't work yet due to #640384)

* implement bounds checking of numeric values read from LDAP (patch by

Jakub Hrozek)

* correctly support large uid and gid values from LDAP (patch by Jakub

Hrozek)

* improvements to the configure script (patch by Jakub Hrozek)

* switch to dh for debian/rules and bump debhelper compatibility to 8

* build Debian packages with multiarch support

* ship shlibs (but still no symbol files) for libnss-ldapd since that was

the easiest way to support multiarch

* fix output in init script when restarting nslcd (closes: #637132)

* correctly handle leading and trailing spaces in preseeded debconf uri

option (patch by Andreas B. Mundt) (closes: #637863)

* support spaces around database names in /etc/nsswitch.conf while

configuring package (closes: #640185)

* updated Russian debconf translation by Yuri Kozlov (closes: #637751)

* updated French debconf translation by Christian Perrier (closes: #637756)

* added Slovak debconf translation by Slavko (closes: #637759)

* updated Danish debconf translation by Joe Hansen (closes :#637763)

* updated Brazilian Portuguese debconf translation by Denis Doria

* updated Portuguese debconf translation by Américo Monteiro

* updated Japanese debconf translation by Kenshi Muto (closes: #638195)

* updated Czech debconf translation by Miroslav Kure (closes: #639026)

* updated German debconf translation by Chris Leick (closes: #639107)

* updated Spanish debconf translation by Francisco Javier Cuadrado

(closes: #639236)

* updated Dutch debconf translation by Arthur de Jong with help from Paul

Gevers and Jeroen Schot

-- Arthur de Jong <adejong@debian.org> Sun, 04 Sep 2011 21:00:00 +0200

nss-pam-ldapd (0.8.3) experimental; urgency=low

* support using the objectSid attribute to provide numeric user and group

ids, based on a patch by Wesley Mason

* check shadow account and password expiry properties (similarly to what

pam_unix does) in the PAM handling code

* implement attribute mapping functionality in pynslcd

* relax default for validnames option to allow user names of only two

characters (closes: #620235)

* make user and group name validation errors a little more informative

* small portability improvements

* general code improvements and refactoring in pynslcd

* some simplifications in the protocol between the PAM module and nslcd

(without actual protocol changes so far)

* fix debconf LDAP search base suggestion when domain has more than two

parts (patch by Per Carlson) (closes: #626571)

* search for LDAP server by looking for SRV _ldap._tcp DNS records and

try to query LDAP server for base DN during package configuration

(based on work by Petter Reinholdtsen for the sssd package)

* upgrade to standards-version 3.9.2 (no changes needed)

-- Arthur de Jong <adejong@debian.org> Fri, 13 May 2011 15:00:00 +0200

nss-pam-ldapd (0.8.2) experimental; urgency=low

* fix problem with endless loop on incorrect password

* fix definition of HOST_NAME_MAX (closes: #618795) and fall back to

_POSIX_HOST_NAME_MAX

* ignore password change requests for users not in LDAP (closes: #617452)

* many clean-ups to the tests and added some new tests including some

integration tests for the PAM functionality

* some smaller code clean-ups and improvements

* improvements to pynslcd, including implementations for service, protocol

and rpc lookups

* implement a validnames option that can be used to filter valid user and

group names using a regular expression

* integrate patch by Daniel Dehennin to not loose debconf values of

previously set options with dpkg-reconfigure (closes: #610117)

* improvements to the way nslcd shuts down with hanging worker threads

-- Arthur de Jong <adejong@debian.org> Sat, 26 Mar 2011 19:00:00 +0100

nss-pam-ldapd (0.8.1) experimental; urgency=low

* SECURITY FIX: the PAM module will allow authentication for users that do

100

not exist in LDAP, this allows login to local users with an

101

incorrect password (CVE-2011-0438)

102

the exploitability of the problem depends on the details of

103

the PAM stack and the use of the minimum_uid PAM option

104

* add FreeBSD support, partially imported from the FreeBSD port (thanks to

105

Jacques Vidrine, Artem Kazakov and Alexander V. Chernikov)

106

* document how to replace name pam_check_service_attr and

107

pam_check_host_attr options in PADL's pam_ldap with with pam_authz_search

108

in nss-pam-ldapd (closes: #610925)

109

* implement a fqdn variable that can be used in pam_authz_search filters

110

* create the directory to hold the socket and pidfile on startup

111

* implement host, network and netgroup support in pynslcd

112

113

-- Arthur de Jong <adejong@debian.org> Thu, 10 Mar 2011 22:00:00 +0100

114

115

nss-pam-ldapd (0.8.0) experimental; urgency=low

116

117

* include Solaris support developed by Ted C. Cheng of Symas Corporation

118

* include an experimental partial implementation of nslcd in Python

119

(disabled by default, see --enable-pynslcd configure option)

120

* implement a nss_min_uid option to filter user entries returned by LDAP

121

* implement a rootpwmodpw option that allows the root user to change a

122

user's password without a password prompt

123

* try to update the shadowLastChange attribute on password change

124

* all log messages now include a description of the request to more easily

125

track problems when not running in debug mode

126

* allow attribute mapping expressions for the userPassword attribute for

127

passwd, group and shadow entries and by default map it to the unmatchable

128

password ("*") to avoid accidentally leaking password information

129

* numerous compatibility improvements

130

* add --with-pam-seclib-dir and --with-pam-ldap-soname configure options to

131

allow more control of hot to install the PAM module

132

* add --with-nss-flavour and --with-nss-maps configure options to support

133

other C libraries and limit which NSS modules to install

134

* allow tilde (~) in user and group names (closes: #607640)

135

* improvements to the timeout mechanism (connections are now actively timed

136

out using the idle_timelimit option)

137

* set socket timeouts on the LDAP connection to disconnect regardless of

138

LDAP and possibly TLS handling of connection

139

* better disconnect/reconnect handling of error conditions

140

* some code improvements and cleanups and several smaller bug fixes

141

* all internal string comparisons are now also case sensitive (e.g. for

142

providing DN to username lookups, etc)

143

* signal handling in the daemon was changed to behave more reliable across

144

different threading implementations

145

* nslcd will now always return a positive authorisation result during

146

authentication to avoid confusing the PAM module when it is only used for

147

authorisation (closes: #604147)

148

* implement configuring SASL authentication using Debconf, based on a patch

149

by Daniel Dehennin (closes: #586532) (not called for translations yet

150

because the English text is likely to change)

151

152

-- Arthur de Jong <adejong@debian.org> Thu, 30 Dec 2010 20:00:00 +0100

153

154

nss-pam-ldapd (0.7.13) unstable; urgency=low

155

156

* fix handling of idle_timelimit option

Older »