diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2020-05-18 19:17:21 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2020-05-18 23:25:14 +0200 |
commit | ffef56590d68c334819ecf26118a257bdafccf6b (patch) | |
tree | 6681fac1801c4a0569147ba9a731f323b38dff15 /source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch | |
parent | eba2e5b781702a60ac9f9613c9b8456c1594215c (diff) | |
download | current-ffef56590d68c334819ecf26118a257bdafccf6b.tar.gz current-ffef56590d68c334819ecf26118a257bdafccf6b.tar.xz |
Mon May 18 19:17:21 UTC 202020200518191721
Greetings! After three months in /testing, the PAM merge into the main tree
is now complete. When updating, be sure to install the new pam, cracklib, and
libpwquality packages or you may find yourself locked out of your machine.
Otherwise, these changes should be completely transparent and you shouldn't
notice any obvious operational differences. Be careful if you make any changes
in /etc/pam.d/ - leaving an extra console logged in while testing PAM config
changes is a recommended standard procedure. Thanks again to Robby Workman,
Vincent Batts, Phantom X, and ivandi for help implementing this. It's not
done yet and there will be more fine-tuning of the config files, but now we
can move on to build some other updates. Enjoy!
a/cracklib-2.9.7-x86_64-1.txz: Added.
a/kernel-firmware-20200517_f8d32e4-noarch-1.txz: Upgraded.
a/libcgroup-0.41-x86_64-7.txz: Rebuilt.
Rebuilt to add PAM support.
a/libpwquality-1.4.2-x86_64-1.txz: Added.
a/lilo-24.2-x86_64-9.txz: Rebuilt.
Enable the "compact" option by default.
liloconfig: correctly set the root partition.
a/pam-1.3.1-x86_64-1.txz: Added.
a/shadow-4.8.1-x86_64-7.txz: Rebuilt.
Rebuilt to add PAM support.
a/utempter-1.2.0-x86_64-1.txz: Upgraded.
a/util-linux-2.35.1-x86_64-6.txz: Rebuilt.
Rebuilt to add PAM support.
a/xfsprogs-5.6.0-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
ap/at-3.2.1-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/cups-2.3.3-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/hplip-3.20.5-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/mariadb-10.4.13-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/screen-4.8.0-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/soma-3.3.0-noarch-1.txz: Upgraded.
Thanks to David Woodfall.
ap/sqlite-3.31.1-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
ap/sudo-1.9.0-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
ap/vim-8.2.0788-x86_64-1.txz: Upgraded.
d/bison-3.6.2-x86_64-1.txz: Upgraded.
d/meson-0.54.2-x86_64-1.txz: Upgraded.
d/python-setuptools-46.4.0-x86_64-1.txz: Upgraded.
d/vala-0.48.6-x86_64-1.txz: Upgraded.
kde/calligra-2.9.11-x86_64-36.txz: Rebuilt.
Recompiled against icu4c-67.1.
kde/kde-workspace-4.11.22-x86_64-7.txz: Rebuilt.
Rebuilt to add PAM support.
l/ConsoleKit2-1.2.1-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
l/boost-1.73.0-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/gnome-keyring-3.36.0-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
l/harfbuzz-2.6.6-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/icu4c-67.1-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
l/imagemagick-7.0.10_13-x86_64-1.txz: Upgraded.
l/libcap-2.34-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
l/libical-3.0.8-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/libuv-1.38.0-x86_64-1.txz: Upgraded.
l/libvisio-0.1.7-x86_64-3.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/polkit-0.116-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
l/qt-4.8.7-x86_64-16.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/qt5-5.13.2-x86_64-4.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/qt5-webkit-5.212.0_alpha4-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/raptor2-2.0.15-x86_64-9.txz: Rebuilt.
Recompiled against icu4c-67.1.
l/system-config-printer-1.5.12-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
l/vte-0.60.2-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
n/cifs-utils-6.10-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
n/cyrus-sasl-2.1.27-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
n/dovecot-2.3.10.1-x86_64-1.txz: Upgraded.
Rebuilt to add PAM support.
Compiled against icu4c-67.1.
This update fixes several denial-of-service vulnerabilities.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10967
(* Security fix *)
n/mutt-1.14.1-x86_64-1.txz: Upgraded.
n/netatalk-3.1.12-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
n/netkit-rsh-0.17-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
n/nss-pam-ldapd-0.9.11-x86_64-1.txz: Added.
n/openssh-8.2p1-x86_64-3.txz: Rebuilt.
Rebuilt to add PAM support.
n/openvpn-2.4.9-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
n/pam-krb5-4.9-x86_64-1.txz: Added.
n/php-7.4.6-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
n/popa3d-1.0.3-x86_64-4.txz: Rebuilt.
Rebuilt to add PAM support.
n/postfix-3.5.2-x86_64-1.txz: Upgraded.
Compiled against icu4c-67.1.
n/ppp-2.4.8-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
n/proftpd-1.3.6c-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
n/samba-4.12.2-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
Recompiled against icu4c-67.1.
n/tin-2.4.4-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
n/vsftpd-3.0.3-x86_64-6.txz: Rebuilt.
Rebuilt to add PAM support.
t/texlive-2019.190626-x86_64-4.txz: Rebuilt.
Recompiled against icu4c-67.1.
x/vulkan-sdk-1.2.135.0-x86_64-1.txz: Upgraded.
x/xdm-1.1.11-x86_64-10.txz: Rebuilt.
Rebuilt to add PAM support.
x/xisxwayland-1-x86_64-1.txz: Added.
xap/sane-1.0.30-x86_64-1.txz: Upgraded.
This update fixes several security issues.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
(* Security fix *)
xap/vim-gvim-8.2.0788-x86_64-1.txz: Upgraded.
xap/xlockmore-5.63-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
xap/xscreensaver-5.44-x86_64-2.txz: Rebuilt.
Rebuilt to add PAM support.
extra/brltty/brltty-6.1-x86_64-2.txz: Rebuilt.
Recompiled against icu4c-67.1.
extra/pure-alsa-system/qt5-5.13.2-x86_64-4_alsa.txz: Rebuilt.
Recompiled against icu4c-67.1.
isolinux/initrd.img: Rebuilt.
Added PAM libraries, security modules, and config files.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Added PAM libraries, security modules, and config files.
Diffstat (limited to 'source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch')
-rw-r--r-- | source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch new file mode 100644 index 000000000..5cbc35b03 --- /dev/null +++ b/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch @@ -0,0 +1,73 @@ +From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org> +Date: Mon, 26 Nov 2018 22:33:17 +0100 +Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to + syslog. + +libxcrypt can be build-time configured to support (or not support) +various hashing methods. Future versions will also have support for +runtime configuration by the system's vendor and/or administrator. + +For that reason adminstrator should be notified by pam if users cannot +log into their account anymore because of such a change in the system's +configuration of libxcrypt. + +Also check for malformed hashes, like descrypt hashes starting with +"$2...", which might have been generated by unsafe base64 encoding +functions as used in glibc <= 2.16. +Such hashes are likely to be rejected by many recent implementations +of libcrypt. + +* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable +hashes found by checksalt to syslog. +--- + modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index eb2444bb..2c808eb5 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) + * Ok, we don't know the crypt algorithm, but maybe + * libcrypt knows about it? We should try it. + */ ++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE ++ /* Get the status of the hash from checksalt */ ++ int retval_checksalt = crypt_checksalt(hash); ++ ++ /* ++ * Check for hashing methods that are disabled by ++ * libcrypt configuration and/or system preset. ++ */ ++ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) { ++ /* ++ * pam_syslog() needs a pam handle, ++ * but that's not available here. ++ */ ++ helper_log_err(LOG_ERR, ++ "pam_unix(verify_pwd_hash): The method " ++ "for computing the hash \"%.6s\" has been " ++ "disabled in libcrypt by the preset from " ++ "the system's vendor and/or administrator.", ++ hash); ++ } ++ /* ++ * Check for malformed hashes, like descrypt hashes ++ * starting with "$2...", which might have been ++ * generated by unsafe base64 encoding functions ++ * as used in glibc <= 2.16. ++ * Such hashes are likely to be rejected by many ++ * recent implementations of libcrypt. ++ */ ++ if (retval_checksalt == CRYPT_SALT_INVALID) { ++ helper_log_err(LOG_ERR, ++ "pam_unix(verify_pwd_hash): The hash \"%.6s\"" ++ "does not use a method known by the version " ++ "of libcrypt this system is supplied with.", ++ hash); ++ } ++#endif + #ifdef HAVE_CRYPT_R + struct crypt_data *cdata; + cdata = malloc(sizeof(*cdata)); |