mirror of
git://slackware.nl/current.git
synced 2024-12-28 09:59:53 +01:00
ffef56590d
Greetings! After three months in /testing, the PAM merge into the main tree
is now complete. When updating, be sure to install the new pam, cracklib, and
libpwquality packages or you may find yourself locked out of your machine.
Otherwise, these changes should be completely transparent and you shouldn't
notice any obvious operational differences. Be careful if you make any changes
in /etc/pam.d/ - leaving an extra console logged in while testing PAM config
changes is a recommended standard procedure. Thanks again to Robby Workman,
Vincent Batts, Phantom X, and ivandi for help implementing this. It's not
done yet and there will be more fine-tuning of the config files, but now we
can move on to build some other updates. Enjoy!
a/cracklib-2.9.7-x86_64-1.txz: Added.
a/kernel-firmware-20200517_f8d32e4-noarch-1.txz: Upgraded.
a/libcgroup-0.41-x86_64-7.txz: Rebuilt.
Rebuilt to add PAM support.
a/libpwquality-1.4.2-x86_64-1.txz: Added.
a/lilo-24.2-x86_64-9.txz: Rebuilt.
Enable the "compact" option by default.
liloconfig: correctly set the root partition.
a/pam-1.3.1-x86_64-1.txz: Added.
a/shadow-4.8.1-x86_64-7.txz: Rebuilt.
Rebuilt to add PAM support.
a/utempter-1.2.0-x86_64-1.txz: Upgraded.
a/util-linux-2.35.1-x86_64-6.txz: Rebuilt.
Rebuilt to add PAM support.
a/xfsprogs-5.6.0-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
ap/at-3.2.1-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/cups-2.3.3-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/hplip-3.20.5-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/mariadb-10.4.13-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/screen-4.8.0-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/soma-3.3.0-noarch-1.txz: Upgraded.
Thanks to David Woodfall.
ap/sqlite-3.31.1-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
ap/sudo-1.9.0-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/vim-8.2.0788-x86_64-1.txz: Upgraded.
d/bison-3.6.2-x86_64-1.txz: Upgraded.
d/meson-0.54.2-x86_64-1.txz: Upgraded.
d/python-setuptools-46.4.0-x86_64-1.txz: Upgraded.
d/vala-0.48.6-x86_64-1.txz: Upgraded.
kde/calligra-2.9.11-x86_64-36.txz: Rebuilt.
Recompiled against icu4c-67.1.
kde/kde-workspace-4.11.22-x86_64-7.txz: Rebuilt.
Rebuilt to add PAM support.
l/ConsoleKit2-1.2.1-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
l/boost-1.73.0-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/gnome-keyring-3.36.0-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
l/harfbuzz-2.6.6-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/icu4c-67.1-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
l/imagemagick-7.0.10_13-x86_64-1.txz: Upgraded.
l/libcap-2.34-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
l/libical-3.0.8-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/libuv-1.38.0-x86_64-1.txz: Upgraded.
l/libvisio-0.1.7-x86_64-3.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/polkit-0.116-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
l/qt-4.8.7-x86_64-16.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/qt5-5.13.2-x86_64-4.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/qt5-webkit-5.212.0_alpha4-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/raptor2-2.0.15-x86_64-9.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/system-config-printer-1.5.12-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
l/vte-0.60.2-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
n/cifs-utils-6.10-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
n/cyrus-sasl-2.1.27-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
n/dovecot-2.3.10.1-x86_64-1.txz: Upgraded.
Rebuilt to add PAM support.
Compiled against icu4c-67.1.
This update fixes several denial-of-service vulnerabilities.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967
(* Security fix *)
n/mutt-1.14.1-x86_64-1.txz: Upgraded.
n/netatalk-3.1.12-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
n/netkit-rsh-0.17-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
n/nss-pam-ldapd-0.9.11-x86_64-1.txz: Added.
n/openssh-8.2p1-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
n/openvpn-2.4.9-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
n/pam-krb5-4.9-x86_64-1.txz: Added.
n/php-7.4.6-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
n/popa3d-1.0.3-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
n/postfix-3.5.2-x86_64-1.txz: Upgraded.
Compiled against icu4c-67.1.
n/ppp-2.4.8-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
n/proftpd-1.3.6c-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
n/samba-4.12.2-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
Recompiled against icu4c-67.1.
n/tin-2.4.4-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
n/vsftpd-3.0.3-x86_64-6.txz: Rebuilt.
Rebuilt to add PAM support.
t/texlive-2019.190626-x86_64-4.txz: Rebuilt.
Recompiled against icu4c-67.1.
x/vulkan-sdk-1.2.135.0-x86_64-1.txz: Upgraded.
x/xdm-1.1.11-x86_64-10.txz: Rebuilt.
Rebuilt to add PAM support.
x/xisxwayland-1-x86_64-1.txz: Added.
xap/sane-1.0.30-x86_64-1.txz: Upgraded.
This update fixes several security issues.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
(* Security fix *)
xap/vim-gvim-8.2.0788-x86_64-1.txz: Upgraded.
xap/xlockmore-5.63-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
xap/xscreensaver-5.44-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
extra/brltty/brltty-6.1-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
extra/pure-alsa-system/qt5-5.13.2-x86_64-4_alsa.txz: Rebuilt.
Recompiled against icu4c-67.1.
isolinux/initrd.img: Rebuilt.
Added PAM libraries, security modules, and config files.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Added PAM libraries, security modules, and config files.
49 lines
1.9 KiB
Diff
49 lines
1.9 KiB
Diff
From fea0f5ed287b04406afca0835b1a333bd1fe617b Mon Sep 17 00:00:00 2001
|
|
From: Arthur de Jong <arthur@arthurdejong.org>
|
|
Date: Sun, 13 Oct 2019 17:24:36 +0200
|
|
Subject: [PATCH] Add pam_authc_ppolicy support in pynslcd
|
|
|
|
See https://bugs.debian.org/900253
|
|
---
|
|
pynslcd/cfg.py | 3 ++-
|
|
pynslcd/pam.py | 6 ++++--
|
|
2 files changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
|
|
index 877d4427..b970b5a7 100644
|
|
--- a/pynslcd/cfg.py
|
|
+++ b/pynslcd/cfg.py
|
|
@@ -87,6 +87,7 @@
|
|
nss_getgrent_skipmembers = False
|
|
nss_disable_enumeration = False
|
|
validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ \\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
|
|
+pam_authc_ppolicy = True
|
|
pam_authz_searches = []
|
|
pam_password_prohibit_message = None
|
|
reconnect_invalidate = set()
|
|
@@ -184,7 +185,7 @@ def read(filename): # noqa: C901 (many simple branches)
|
|
# parse options with a single boolean argument
|
|
m = re.match(
|
|
r'(?P<keyword>referrals|nss_nested_groups|nss_getgrent_skipmembers|'
|
|
- r'nss_disable_enumeration)\s+(?P<value>%s)' % (
|
|
+ r'nss_disable_enumeration|pam_authc_ppolicy)\s+(?P<value>%s)' % (
|
|
'|'.join(_boolean_options.keys())),
|
|
line, re.IGNORECASE)
|
|
if m:
|
|
diff --git a/pynslcd/pam.py b/pynslcd/pam.py
|
|
index b372cdda..5f5486b3 100644
|
|
--- a/pynslcd/pam.py
|
|
+++ b/pynslcd/pam.py
|
|
@@ -42,8 +42,10 @@ def authenticate(binddn, password):
|
|
# open a new connection
|
|
conn = search.Connection()
|
|
# bind using the specified credentials
|
|
- pwctrl = PasswordPolicyControl()
|
|
- res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=[pwctrl])
|
|
+ serverctrls = []
|
|
+ if cfg.pam_authc_ppolicy:
|
|
+ serverctrls.append(PasswordPolicyControl())
|
|
+ res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=serverctrls)
|
|
# go over bind result server controls
|
|
for ctrl in ctrls:
|
|
if ctrl.controlType == PasswordPolicyControl.controlType:
|