Release version 1.2.1

[linux-pam] / NEWS

Linux-PAM NEWS -- history of user-visible changes.

Release 1.2.1
* Fix CVE-2015-3238, affected PAM modules are pam_unix and pam_exec

Release 1.2.0
* Update documentation
* Update translations
* pam_unix: add quiet option
* libpam: support alternative configuration files in /usr/lib/pam.d
          as fallback
* pam_env: add support for @{HOME} and @{SHELL}
* libpam: add grantor field to audit records
* libpam: Introduce pam_modutil_sanitize_helper_fds

Release 1.1.8
* pam_unix: bug fix for compiling with SELinux, fix crash at login time


Release 1.1.7
* Update translations
* pam_exec: add stdout and type= options
* pam_tty_audit: add options to control logging of passwords
* pam_unix: Read defaults from /etc/login.defs
* pam_userdb: Allow modern password hashes
* pam_selinux/pam_tally2: Add tty and rhost to audit data
* Lot of docu and code fixes


Release 1.1.6
* Update translations
* pam_cracklib: Add more checks for weak passwords
* pam_lastlog: Never lock out root
* Lot of bug fixes and smaller enhancements


Release 1.1.5
* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
* pam_access: Add hostname resolution cache
* Documentation: Improvements/fixes


Release 1.1.4

* Add vietnamese translation
* pam_namepace: Add new functionality
* pam_securetty: Honour console= kernel option, add noconsole option
* pam_limits: Add %group syntax, drop change_uid option, add set_all option
* Lot of small bug fixes
* Lot of compiler warnings fixed
* Add support for libtirpc


Release 1.1.3

* pam_namespace: Clean environment for childs (CVE-2010-3853)
* libpam: New interface to drop/regain privilegs
* Drop root privilegs in pam_env, pam_mail and pam_xauth before
  accessing user files (CVE-2010-3430, CVE-2010-3431)
* pam_unix: Add minlen option, change default from 6 to 0
* Documentation improvements
* Lot of small bug fixes

Release 1.1.2

* pam_unix: Add minlen= option
* pam_group: Add support for UNIX groups beside netgroups
* pam_tally: Document that it is deprecated
* pam_rootok: Add support for chauthtok and acct_mgmt
* Update translations

Release 1.1.1

* Update translations
* pam_access: Revert netgroup match to original behavior, add new
  syntax for adding the local hostname to netgroup match
* libpam: Add new functions pam_get_authtok_noverify() and
  pam_get_authtok_verify()
* Add sepermit.conf.5 manual page
* Lot of bug fixes

Release 1.1.0

* Update translations
* Documentation updates and fixes

Release 1.0.92

* Update translations
* pam_succeed_if: Use provided username
* pam_mkhomedir: Fix handling of options

Release 1.0.91

* Fixed CVE-2009-0579 (minimum days limit on password change is ignored).
* Fix libpam internal config/argument parser
* Add optional file locking to pam_tally2
* Update translations
* pam_access improvements
* Changes in the behavior of the password stack. Results of PRELIM_CHECK
  are not used for the final run.

Release 1.0.90

* Supply hostname of the machine to netgroup match call in pam_access
* Make pam_namespace to work safe on child directories of parent directories
  owned by users
* Redefine LOCAL keyword of pam_access configuration file
* Add support for try_first_pass and use_first_pass to pam_cracklib
* Print informative messages for rejected login and add silent and
  no_log_info options to pam_tally
* Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec
* New password quality tests in pam_cracklib
* New options for pam_lastlog to show last failed login attempt and
  to disable lastlog update
* New pam_pwhistory module to store last used passwords
* New pam_tally2 module similar to pam_tally with wordsize independent
  tally data format
* Make libpam not log missing module if its type is prepended with '-'
* New pam_timestamp module for authentication based on recent successful
  login.
* Add blowfish support to pam_unix.
* Add support for user specific environment file to pam_env.
* Add pam_get_authtok to libpam as Linux-PAM extension.
* Rename type option of pam_cracklib to authtok_type.

Release 1.0.3

* Small bug fix release


Release 1.0.2

* Regression fixed in pam_selinux
* Problem with big UIDs fixed in pam_loginuid


Release 1.0.1

* Regression fixed in pam_set_item()


Release 1.0.0

* Small bug fixes
* Translation updates


Release 0.99.10.0

* New substack directive in config file syntax.
* New module pam_tty_audit.so for enabling and disabling tty
  auditing.
* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
* Auditing login denials based by origin (pam_access), time (pam_time),
  and number of sessions (pam_limits) to the Linux audit subsystem.
* Support sha256 and sha512 algorithms in pam_unix when they are supported
  by crypt().
* New pam_sepermit.so module for allowing/rejecting access based on
  SELinux mode.
* Improved functionality of pam_namespace.so module (method flags,
  namespace.d configuration directory, new options).
* Finaly removed deprecated pam_rhosts_auth module.


Release 0.99.9.0

* misc_conv no longer blocks SIGINT; applications that don't want
  user-interruptable prompts should block SIGINT themselves
* Merge fixes from Debian
* Fix parser for pam_group and pam_time


Release 0.99.8.1

* Fix a regression in audit code introduced with last release
* Fix compiling with --disable-nls


Release 0.99.8.0

* Add translations for ar, ca, da, ru, sv and zu.
* Update hungarian translation.
* Add support for limits.d directory to pam_limits.
* Improve pam_namespace module tobe more useful
  for MLS, fixed crash with bad config files.
* Improve pam_selinux module to be more useful
  for MLS.
* Add minclass option to pam_cracklib
* Add new group syntax to pam_access


Release 0.99.7.1

* Security fix for pam_unix.so (CVE-2007-0003).


Release 0.99.7.0

* Add manual page for pam_unix.so.
* Add pam_faildelay module to set pam_fail_delay() value.
* Fix possible seg.fault in libpam/pam_set_data().
* Cleanup of configure options.
* Update hungarian translation, fix german translation.


Release 0.99.6.3

* pam_loginuid: New PAM module.
* pam_access, pam_succeed_if: Support passwd and session services.


Release 0.99.6.2

* pam_lastlog: Don't refuse login if lastlog file got lost.
* pam_cracklib: Fix a user triggerable crash.
* documentation: Regenerate with fixed docbook stylesheet.


Release 0.99.6.1

* Fix bootstrapping problems.
* Bug fixes: pam_keyinit, pam_umask


Release 0.99.6.0

* pam_namespace: Code cleanup, add init script to tar archive.
* pam_succeed_if: Add support for service match.
* Add xtests (to run after installation).
* Documentation: Convert sgml guides to XML, unify documentation
  for PAM functions and modules.


Release 0.99.5.0

* pam_tally: Fix support for large UIDs
* Fixed all problems found by Coverity
* Add support for Intel C Compiler
* Add manual page for pam_mkhomedir, pam_umask, pam_filter,
  pam_issue, pam_ftp, pam_group, pam_lastlog, pam_listfile,
  pam_localuser, pam_mail, pam_motd, pam_nologin, pam_permit,
  pam_rootok, pam_securetty, pam_shells, pam_userdb, pam_warn,
  pam_time, pam_limits, pam_debug, pam_tally
* The libpam memory debug code was removed
* pam_keyinit: New module to initialise kernel session keyring.
* pam_namespace: New module to configure private namespace for a session.
* pam_rhosts: New module which replaces pam_rhosts_auth, now IPv6 capable.
* pam_rhosts_auth: This module is now deprecated.


Release 0.99.4.0

* Add test suite
* Fix building of static variants of libpam, libpamc and libpam_misc
* pam_listfile: Add support for password and session management
* pam_exec: New PAM module to execute arbitary commands
* Fix building of a static libpam including all PAM modules
* New/updated translations for: nl, pt, pl, fi, km, tr, uk, fr
* pam_access: Add network(address) / netmask and IPv6 support
* Add manual pages for pam_cracklib, pam_deny and pam_access
* pam_pwdb: This deprecated module was removed
* Manual pages: Major rewrite/cleanup


Release 0.99.3.0

* Fix NULL pointer checks in libpam.so
* pam_succeed_if, pam_group, pam_time: Support netgroup matching
* New translations for: nb, hu, fi, de, es, fr, it, ja, pt_BR, zh_CN, zh_TW
* Audit PAM calls if Linux Audit is available
* Compile upperLOWER and unix_chkpwd as PIE binaries


Release 0.99.2.1

* Fix install of PS, PDF, TXT and HTML files
* pam_mail: Update README
* Use %m consistent
* pam_modutil_getlogin: Fix parsing of PAM_TTY variable


Release 0.99.2.0

* Fix parsing of full path tty name in various modules
* pam_xauth: Look for xauth executable in multiple places
* pam_unix: Disable user check in unix_chkpwd only if real uid
  is 0 (CVE-2005-2977). Log failed password check attempt.
* pam_env: Support /etc/environment again, but don't treat it as
  error if it is missing.
* pam_userdb: Fix memory leak.


Release 0.99.1.0

* Use autoconf/automake/libtool
* Add gettext support
* Add translations for cs, de, es, fr, hu, it, ja, nb, pa, pt_BR,
  pt, zh_CN and zh_TW
* libpam: Remove pam_authenticate_secondary stub
* libpam: Add pam_prompt,pam_vprompt,pam_error,pam_verror,pam_info
  and pam_vinfo functions for use by modules as extension
* libpam: Add pam_syslog function for unified syslog messages from
  PAM modules
* libpam: Moved functions from pammodutil to libpam
* pam_umask: New module for setting umask from GECOS field, /etc/login.defs
  or /etc/default/login
* pam_echo: New PAM module for message output
* pam_userdb: Fix regression (crash when crypt param not specified)
* pam_limits: Fix regression from RLIMIT_NICE support (wrong limit
  values for other limits are applied)
* pam_access: Support for NULL tty - matches ALL and NONE keywords
* pam_lastlog: Enable log to wtmp by default.  Add "nowtmp" option
* pam_radius: This module was removed