Compare commits

..

17 Commits

Author SHA1 Message Date
Toni Mueller 9698b06fef elaborate on the editor selection of the programs 2024-02-29 16:38:55 +00:00
Toni Mueller 406dd68863 elaborate on the editor selection of the programs 2024-02-28 22:58:41 +00:00
Jonathan Carter 2ff04fd9b5 Merge branch '2024-02-12/1' into 'master'
(Helmut Grohne) move login and shadowconfig to /usr

See merge request debian/shadow!19
2024-02-18 12:43:59 +00:00
Serge Hallyn 97a3bc0c43 (Helmut Grohne) move login and shadowconfig to /usr
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2024-02-12 19:23:31 -06:00
Balint Reczey 485b374d09 Update changelog 2023-10-15 19:11:29 +02:00
Balint Reczey 25f0b936c0 Remove myself from uploaders 2023-09-27 10:22:26 +02:00
Balint Reczey 776d4d23ac Update changelog 2023-09-26 22:02:45 +02:00
Balint Reczey 9f285306f3 Fix valid_field() that regressed in upstream's first CVE fix
cherry-picking upstream's regression fix.

Follow-up for commit 50defcfa5d .

Gbp-Dch: Ignore
2023-09-26 12:19:29 +02:00
Balint Reczey f569ea06ff Update changelog 2023-09-25 18:18:48 +02:00
Balint Reczey 50defcfa5d Cherry-pick upstream patch to fix chfn vulnerability
(CVE-2023-29383)

Closes: #1034482
2023-09-25 18:13:40 +02:00
Balint Reczey 56c7502686 Cherry-pick upstream patch to fix gpasswd passwd leak
(CVE-2023-4641)

Closes: #1051062
2023-09-25 17:55:00 +02:00
Balint Reczey 7c66acdd2e Update changelog 2023-09-25 17:41:27 +02:00
Balint Reczey 4806645316 debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication
Also drop setting PREVENT_NO_AUTH in shipped login.defs.

Closes: #1041547
2023-09-25 17:15:46 +02:00
Balint Reczey 05a41bc4d5 Merge branch 'bprofile-nodoc' into 'master'
Support <nodoc> build profile (Closes: #1051827)

See merge request debian/shadow!18
2023-09-13 07:55:26 +00:00
Gioele Barabucci 75eb241552 Support <nodoc> build profile
`xsltproc`, `docbook` and all other XML-related packages are not needed
when the `<nodoc>` build profile is active, as long as `./configure` is
called with `--disable-man`.

Closes: #1051827
2023-09-13 08:52:53 +02:00
Balint Reczey d7ce68863e debian/login.pam: Drop reference to Debian Etch
Closes: #1040064
2023-07-02 20:59:28 +02:00
Balint Reczey 095f9d48ef debian/gitlab-ci.yml: Use sudo to fix reprotest test 2022-11-11 21:18:06 +01:00
10 changed files with 76 additions and 31 deletions
Vendored
+8
View File
@@ -1,3 +1,11 @@
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
The previous entry falsely states that PREVENT_NO_AUTH in /etc/login.defs
affects authentication. The historical default of letting all users with
empty password field in without authentication is still in effect.
-- Balint Reczey <balint@balintreczey.hu> Mon, 25 Sep 2023 17:04:09 +0200
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
Login now prevents an empty password field to be interpreted as
+37 -9
View File
@@ -1,16 +1,44 @@
shadow (1:4.13+dfsg1-1+deb12u1) bookworm; urgency=medium
shadow (1:4.13+dfsg1-4.1) unstable; urgency=medium
* Enhance the manpage for vipw (closes #1064940).
-- Toni Mueller <toni@debian.org> Thu, 29 Feb 2024 16:37:32 +0000
shadow (1:4.13+dfsg1-4) unstable; urgency=medium
[ Helmut Grohne ]
* DEP17: Move login and shadowconfig to /usr. (Closes: #1059915)
-- Serge Hallyn <serge@hallyn.com> Sun, 04 Feb 2024 20:28:27 +0000
shadow (1:4.13+dfsg1-3) unstable; urgency=medium
* Team upload
* Remove myself from uploaders
-- Balint Reczey <balint@balintreczey.hu> Sun, 15 Oct 2023 19:10:52 +0200
shadow (1:4.13+dfsg1-2) unstable; urgency=medium
[ Balint Reczey ]
* Cherry-pick upstream patch to fix gpasswd passwd leak (Closes: #1051062)
CVE-2023-4641
* Cherry-pick upstream patch to fix chfn vulnerability (Closes: #1034482)
CVE-2023-29383
* Fix valid_field() that regressed in upstream's chfn fix
* debian/gitlab-ci.yml: Use sudo to fix reprotest test
* debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
* debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
* Cherry-pick upstream patch to fix gpasswd passwd leak
(CVE-2023-4641) (Closes: #1051062)
* Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
control characters into some /etc/passwd fields.
(CVE-2023-29383) (Closes: #1034482)
[ Chris Hofstaedtler ]
* Update Uploaders: field from unstable
[ Gioele Barabucci ]
* Support <nodoc> build profile
`xsltproc`, `docbook` and all other XML-related packages are not needed
when the `<nodoc>` build profile is active, as long as `./configure` is
called with `--disable-man`. (Closes: #1051827)
-- Chris Hofstaedtler <zeha@debian.org> Mon, 07 Apr 2025 12:38:46 +0200
-- Balint Reczey <balint@balintreczey.hu> Tue, 26 Sep 2023 22:01:52 +0200
shadow (1:4.13+dfsg1-1) unstable; urgency=medium
+6 -8
View File
@@ -1,8 +1,6 @@
Source: shadow
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Uploaders:
Serge Hallyn <serge@hallyn.com>,
Chris Hofstaedtler <zeha@debian.org>
Uploaders: Serge Hallyn <serge@hallyn.com>
Section: admin
Priority: required
Build-Depends: debhelper-compat (= 13),
@@ -10,13 +8,13 @@ Build-Depends: debhelper-compat (= 13),
libcrypt-dev,
libpam0g-dev,
quilt,
xsltproc,
docbook-xsl,
docbook-xml,
libxml2-utils,
xsltproc <!nodoc>,
docbook-xsl <!nodoc>,
docbook-xml <!nodoc>,
libxml2-utils <!nodoc>,
libselinux1-dev [linux-any],
libsemanage-dev [linux-any],
itstool,
itstool <!nodoc>,
bison,
libaudit-dev [linux-any]
Standards-Version: 4.6.1
+3 -1
View File
@@ -1,5 +1,7 @@
variables:
RELEASE: 'unstable'
RELEASE: 'unstable'
# workaround for https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/259
SALSA_CI_REPROTEST_ARGS: --vary=domain_host.use_sudo=1
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
-8
View File
@@ -337,14 +337,6 @@ NONEXISTENT /nonexistent
#
#GRANT_AUX_GROUP_SUBIDS yes
#
# Prevents an empty password field to be interpreted as "no authentication
# required".
# Set to "yes" to prevent for all accounts
# Set to "superuser" to prevent for UID 0 / root (default)
# Set to "no" to not prevent for any account (dangerous, historical default)
PREVENT_NO_AUTH superuser
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
+1 -1
View File
@@ -4,4 +4,4 @@ sbin/nologin usr/sbin
usr/bin/faillog
usr/bin/lastlog
usr/bin/newgrp
bin/login
bin/login usr/bin
+1 -1
View File
@@ -49,7 +49,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# locale variables can also be set in /etc/default/locale
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
+1 -1
View File
@@ -1,5 +1,5 @@
debian/default/useradd etc/default
debian/shadowconfig sbin
debian/shadowconfig usr/sbin
usr/bin/chage
usr/bin/chfn
usr/bin/chsh
+5 -1
View File
@@ -21,6 +21,10 @@ DEB_CONFIGURE_EXTRA_FLAGS := --without-libcrack \
--without-tcb \
SHELL=/bin/sh
ifneq ($(filter nodoc,$(DEB_BUILD_PROFILES)),)
DEB_CONFIGURE_EXTRA_FLAGS += --disable-man
endif
# Set the default editor for vipw/vigr
CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
@@ -38,7 +42,7 @@ endif
dh_install -a
ifeq ($(DEB_HOST_ARCH_OS),hurd)
# /bin/login is provided by the hurd package.
rm -f debian/login/bin/login
rm -f debian/login/usr/bin/login
endif
override_dh_installpam:
+14 -1
View File
@@ -73,10 +73,20 @@
the appropriate locks to prevent file corruption. When looking for an
editor, the programs will first try the environment variable
<envar>$VISUAL</envar>, then the environment variable
<envar>$EDITOR</envar>, and finally the default editor,
<envar>$EDITOR</envar>, then the editor from
<filename>~/.selected_editor</filename>, and finally
<command>nano</command>.
<citerefentry><refentrytitle>vi</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>.
</para>
<para>
On the first run, if the environment variables <envar>$VISUAL</envar>
and <envar>$EDITOR</envar> are both unset, this program asks you for
an editor and stores your selection in
<filename>~/.selected_editor</filename>. If the editor mentioned
therein does not exist on your system, the program will fall back
to using <command>nano</command>.
</para>
</refsect1>
<refsect1 id='options'>
@@ -210,6 +220,9 @@
<citerefentry>
<refentrytitle>gshadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>
<citerefentry>
<refentrytitle>~/.selected_editor</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>
<citerefentry condition="tcb">
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,