File pam_yubico.changes of Package pam_yubico

-------------------------------------------------------------------
Fri Apr 20 11:58:00 UTC 2018 - kbabioch@suse.com

- Version 2.26 (released 2018-04-20)
  - Make sure to close authfile (CVE-2018-9275 bsc#1088027).
  - Fix compiler warnings.
  - Open file descriptors with O_CLOEXEC.
  - Use mkostemp() instead of mkstemp().
- Dropped patches that are included upstream:
  - cloexec.patch
  - compiler-warnings-format-strings.patch
  - compiler-warnings-pointer.patch
  - leaking-file-descriptor.patch
  - util_test-mkdtemp.patch

-------------------------------------------------------------------
Fri Apr 13 14:06:59 UTC 2018 - kbabioch@suse.com

- Added patches:
  - cloexec.patch: Harden file descriptor handling (boo#1089517)
  - compiler-warnings-pointer.patch: Fix compiler warnings due to wrong pointer
    casts (boo#1089518)
  - compiler-warnings-format-strings.patch: Fix compiler warnings due to wrong
    format string specifiers (boo#1089519)
  - util_test-mkdtemp.patch: Use mkdtemp() instead of tempnam() (boo#1089520)

-------------------------------------------------------------------
Wed Apr  4 08:32:10 UTC 2018 - kbabioch@suse.com

- leaking-file-descriptor.patch: Close the authfile before returning
  to make sure no file descriptors are leaked (bsc#1088027).

-------------------------------------------------------------------
Tue Mar 27 11:27:03 UTC 2018 - kbabioch@suse.com

- Version 2.25 (released 2018-03-27):
  - Security: Storage of challenges in path with restricted permissions
  - Perform OTP validation only if token is authorized
  - Return early if the user has no authorized tokens
  - Compare OTP IDs against `yubi_attr` only
  - Add nullok support to challenge-response mode
  - Several improvements to the documentation
  - Improved debugging output and test cases

-------------------------------------------------------------------
Mon Nov 27 17:00:01 UTC 2017 - meissner@suse.com

- Version 2.24 (released 2016-11-25) (bsc#1067191)
  - Debug mode changed, allows file output with debug_file.
  - Fixup returning user-unknown correctly.
- Version 2.23 (released 2016-06-15)
  - Fix an issue where a failure to set permissions was wrongly outputted.

-------------------------------------------------------------------
Thu Jun  9 07:34:20 UTC 2016 - t.gruner@katodev.de

- Version 2.22 (released 2016-05-23)
  - Documentation improvements.
  - Retain ownership and permission of challenge files (issue #92).
  - Make dependency on yubico-c-client 2.15 clearer.

-------------------------------------------------------------------
Mon Apr 25 20:18:57 UTC 2016 - t.gruner@katodev.de

- Version 2.21 (released 2016-02-19)
  - Add proxy support for yubico-c-client.
  - Check that conv is set before trying to use it fixes a crash bug with the osx loginwindow.
  - Add building of a mac installer.

-------------------------------------------------------------------
Mon Oct  5 12:50:06 UTC 2015 - t.gruner@katodev.de

- Version 2.20 (released 2015-09-22)
  - Add cainfo option to allow usage of a cabundle instead of path.
  - Support comments in authfile.
  - For challenge response with system-wide directory, write the files as root instead of the user.
- add baselib.conf

-------------------------------------------------------------------
Thu Mar 26 12:56:50 UTC 2015 - t.gruner@katodev.de

- Version 2.19 (released 2015-03-23)
  - Add new ldap functionality ldap_bind_user and ldap_bind_password
    for authenticated binds ldap_filter for using subtree search and
    a filter ldap_cacertfile to use a specific cacert for ldaps

-------------------------------------------------------------------
Mon Feb 16 14:36:32 UTC 2015 - t.gruner@katodev.de

- Version 2.18 (released 2015-02-12)
  - Fix a memory leak of the pam response data.
  - Add more tests.
  - Add version flag to ykpamcfg.
- Remove "make check" in spec-file. ( BuildRequires: perl(Net::LDAP::Server) )

-------------------------------------------------------------------
Wed Jan 21 09:09:06 UTC 2015 - t.gruner@katodev.de

- Move ykpamcfg from /usr/sbin to /usr/bin

-------------------------------------------------------------------
Wed Jan  7 20:55:40 UTC 2015 - mrueckert@suse.de

- Version 2.17 (released 2014-08-26)
  - Fix a bug with the 'urllist' parameter where urls would be
    forgotten.
  - Manpages converted to asciidoc.
- Version 2.16 (released 2014-06-10)
  - Fix a crashbug with the new parameter 'urllist'
- Version 2.15 (released 2014-04-30)
  - Added new parameter 'urllist'
  - Added pam_yubico(8) man page.
  - Fix memory leak.
  - Bump yubico-c-client version requirement to 2.12.
- Version 2.14 (released 2013-09-27)
  - Don't install internal header files.
  - Don't print debug info when the "debug" parameter is not given.
  - Use PBKDF2 to process expected reply for challenge-response
    mode.
  - Fixup memory leaks and leaks of privilege.
  - Let return values reflect whether the user wasn't found or
    other error.
- Version 2.13 (released 2013-03-01)
  - Fix a bug in the version check to support major version > 2
    (neo).  Patch from https://github.com/wwest4
  - Give ykpamcfg an option for specifying path.
- Version 2.12 (released 2012-06-15)
  - Only use libyubikey when --with-cr is used.
  - Set correct permissions on tempfile.
  - YubiKey 2.2 contains a bug in challenge-response that makes it
    output the same response to all challenges unless HMAC_LT64 is
    set. Add warnings to ykpamcfg and a warning through conversate
    in the pam module. Keys programmed like this should be
    reprogrammed with the HMAC_LT64 flag set.
- Version 2.11 (released 2012-02-10)
  - Fix crash-bug with challenge-response mode when button press is
    required, but button is never pressed. Reported and fixed by
    Lingzhu Xiang <xianglingzhu@gmail.com>.
  - Fix a memset() with wrong size as reported by clang, as well as
    some other problems/warnings when building on Mac OS X, thanks
    to Clemens Lang <neverpanic@gmail.com>.
  - Add prefix-matching of LDAP fetched values, so you can store
    the token-to-user mapping in a multi-value attribute with
    values like "yubikey:publicid", "other-token:something" etc.
    Patch by Remi Mollon <remi.mollon@cern.ch>.
- Version 2.10 (released 2011-12-14)
  - Drop permissions (to the user that is trying to authenticate)
    before accessing files in the users home directory. Largely
    based on a patch by Ricky Zhou <ricky@fedoraproject.org>.
    Thanks!
  - Restore challenge-response support - version 2.7 was supposed
    to make the dependency on libykpers optional, but in reality
    accidentally disabled challenge-response for all
    configurations. As before, use --without-cr to compile
    pam_yubico without the ykpers dependency.
- Version 2.9 (released 2011-11-17)
  - Security: Explicitly request ykclient to verify server
    signature.  ykclient <= 2.5 strangely enough defaults to
    signing requests, but not verifying signatures in responses
    when it is supplied with a client key.  Reported and patched by
    Dominic Rutherford <dominic@rutherfordfamily.co.uk>.
- Version 2.8 (released 2011-08-26)
  - Fix big security hole: Authentication succeeded when no
    password was given, unless use_first_pass was being used.  This
    is fatal if pam_yubico is considered 'sufficient' in the PAM
    configuration.  Reported and patched by Nanakos Chrysostomos
    <nanakos@wired-net.gr>.
- Version 2.7 (released 2011-06-07)
  - Make dependency on libykpers optional.  Use --without-cr to
    force it.  Reported by Jussi Sallinen <jussi@jus.si>.
- Version 2.6 (released 2011-04-11)
  - This release includes lots of patches by members of our open
    source community. Thank you all!
  - Add Challenge-Response mode for offline validation (requires
    YubiKey 2.2). Patch by Tollef Fog Heen.
  - Eliminate all problems with pam_get_data by simply getting rid
    of that code completely. This seems to have caused problems for
    a lot of people.
  - Numerous LDAP bug fixes and improvements, including community
    patches by judas.iscariote and maxsanna81@gmail.com. Change to
    LDAPv3, since v2 has been declared historic for a looong time.
  - Support passing capath parameter to Yubico validation client.
    Patch by Remi Mollon.
  - Support public id's longer/shorter than 6 bytes. Patch by
    fraser.scott@gmail.com.
  - Convert documentation to Asciidoc format used in Github wiki.
  - Try to never log passwords in debug logs.
- new build requires:
  pkg-config
  libyubikey-devel
  libykpers-devel
- use correct license string: BSD-2-Clause
- remove autoreconf call: no longer needed with release tarball
- package more documentation

-------------------------------------------------------------------
Thu Mar 17 15:40:54 UTC 2011 - crrodriguez@opensuse.org

- Update GIT snapshot 

-------------------------------------------------------------------
Sat Mar 12 14:12:28 UTC 2011 - crrodriguez@opensuse.org

- Update git snapshot 

-------------------------------------------------------------------
Thu Mar  3 21:02:33 UTC 2011 - crrodriguez@opensuse.org

- Use an slightly newer git snapshot 

-------------------------------------------------------------------
Sun Jan 30 21:39:14 UTC 2011 - cristian.rodriguez@opensuse.org

- run make check 

-------------------------------------------------------------------
Sun Jan 30 18:19:29 UTC 2011 - cristian.rodriguez@opensuse.org

- fix some wrong ldap calls 

-------------------------------------------------------------------
Sun Jan 30 16:25:26 UTC 2011 - cristian.rodriguez@opensuse.org

- Initial version