[Pkg-shadow-commits] r3152 - debian/trunk/debian

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Thu Mar 18 11:56:44 UTC 2010


Author: nekral-guest
Date: 2010-03-18 11:56:44 +0000 (Thu, 18 Mar 2010)
New Revision: 3152

Modified:
   debian/trunk/debian/changelog
Log:
    - Added support for dates already specified as a number of days since
      Epoch in useradd, usermod and chage. Closes: #562221


Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog	2010-03-18 11:53:49 UTC (rev 3151)
+++ debian/trunk/debian/changelog	2010-03-18 11:56:44 UTC (rev 3152)
@@ -9,6 +9,8 @@
       + debian/patches/008_su_no_sanitize_env
     - Updated patches:
       + debian/patches/523_su_arguments_are_no_more_concatenated_by_default
+    - Added support for dates already specified as a number of days since
+      Epoch in useradd, usermod and chage. Closes: #562221
   * debian/securetty.kfreebsd: On GNU/kFreeBSD the serial devices have change
     from /dev/cuuaX to /dev/ttydX in kernel 6.0. Closes: #544523
   * debian/securetty.linux: Added support for embedded ARM AMBA PL011 ports
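Review bot: The added entry "Added support for dates already specified as a number of days since Epoch in useradd, usermod and chage" does not say which options of those tools now accept the numeric form, or how a bare number is told apart from a date string. These values control account and password expiry, so an administrator reading the changelog needs to know exactly which inputs are reinterpreted. Suggest naming the affected options in the entry, or pointing to the upstream change that documents them.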
@@ -17,11 +19,14 @@
   * debian/login.defs: Improve documentation of USERGROUPS_ENAB.
     Closes: #572687
   * debian/rules: Added DEB_AUTO_UPDATE_LIBTOOL = pre. Closes: #560633
-  * debian/login.pam: return back to "requisite" for the pam_securetty
-    PAM module. It's more important to avoid root logins over insecure
-    terminals than having a very hypothetical attack based on sniffing
-    incorrect usernames, followed by a brute force attack.
-    Closes: #574082
+  * debian/login.pam: return back to mostly "requisite" for the pam_securetty
+    PAM module, but ignore PAM_USER_UNKNOWN. This will avoid root from
+    entering a password, and will also avoid user enumeration attacks.
+    Mis-typed root login are not protected, only root can be blamed for
+    mis-typing and entering a password on an insecure line. Users willing to
+    protect against mis-typed root login can use "requisite", but will be
+    vulnerable to user enumeration attacks on insecure lines, and should use
+    pam 1.1.0-4 at least. Closes: #574082, #531341
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 24 Jan 2010 18:28:33 +0100
 
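Review bot: The rewritten debian/login.pam entry describes a behaviour change (pam_securetty mostly "requisite", but ignoring PAM_USER_UNKNOWN), yet this revision modifies only debian/changelog and the commit log mentions only the date entry, so the claim cannot be checked against the PAM configuration from this diff. Suggest committing the login.pam change together with its changelog entry, or referencing the revision that carries it, and mentioning the login.pam rewording and the added #531341 in the log. The sentence "This will avoid root from entering a password" is also ambiguous; wording such as "This prevents root from entering a password on an insecure line" states the intent. The entry should say as well why "pam 1.1.0-4 at least" is needed for users who choose plain "requisite", since that is the configuration it describes as exposed to user enumeration.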