File pam_yubico.changes of Package pam_yubico
-------------------------------------------------------------------
Fri Apr 20 11:58:00 UTC 2018 - kbabioch@suse.com
- Version 2.26 (released 2018-04-20)
- Make sure to close authfile (CVE-2018-9275 bsc#1088027).
- Fix compiler warnings.
- Open file descriptors with O_CLOEXEC.
- Use mkostemp() instead of mkstemp().
- Dropped patches that are included upstream:
- cloexec.patch
- compiler-warnings-format-strings.patch
- compiler-warnings-pointer.patch
- leaking-file-descriptor.patch
- util_test-mkdtemp.patch
-------------------------------------------------------------------
Fri Apr 13 14:06:59 UTC 2018 - kbabioch@suse.com
- Added patches:
- cloexec.patch: Harden file descriptor handling (boo#1089517)
- compiler-warnings-pointer.patch: Fix compiler warnings due to wrong pointer
casts (boo#1089518)
- compiler-warnings-format-strings.patch: Fix compiler warnings due to wrong
format string specifiers (boo#1089519)
- util_test-mkdtemp.patch: Use mkdtemp() instead of tempnam() (boo#1089520)
-------------------------------------------------------------------
Wed Apr 4 08:32:10 UTC 2018 - kbabioch@suse.com
- leaking-file-descriptor.patch: Close the authfile before returning
to make sure no file descriptors are leaked (bsc#1088027).
-------------------------------------------------------------------
Tue Mar 27 11:27:03 UTC 2018 - kbabioch@suse.com
- Version 2.25 (released 2018-03-27):
- Security: Storage of challenges in path with restricted permissions
- Perform OTP validation only if token is authorized
- Return early if the user has no authorized tokens
- Compare OTP IDs against `yubi_attr` only
- Add nullok support to challenge-response mode
- Several improvements to the documentation
- Improved debugging output and test cases
-------------------------------------------------------------------
Mon Nov 27 17:00:01 UTC 2017 - meissner@suse.com
- Version 2.24 (released 2016-11-25) (bsc#1067191)
- Debug mode changed, allows file output with debug_file.
- Fixup returning user-unknown correctly.
- Version 2.23 (released 2016-06-15)
- Fix an issue where a failure to set permissions was wrongly outputted.
-------------------------------------------------------------------
Thu Jun 9 07:34:20 UTC 2016 - t.gruner@katodev.de
- Version 2.22 (released 2016-05-23)
- Documentation improvements.
- Retain ownership and permission of challenge files (issue #92).
- Make dependency on yubico-c-client 2.15 clearer.
-------------------------------------------------------------------
Mon Apr 25 20:18:57 UTC 2016 - t.gruner@katodev.de
- Version 2.21 (released 2016-02-19)
- Add proxy support for yubico-c-client.
- Check that conv is set before trying to use it fixes a crash bug with the osx loginwindow.
- Add building of a mac installer.
-------------------------------------------------------------------
Mon Oct 5 12:50:06 UTC 2015 - t.gruner@katodev.de
- Version 2.20 (released 2015-09-22)
- Add cainfo option to allow usage of a cabundle instead of path.
- Support comments in authfile.
- For challenge response with system-wide directory, write the files as root instead of the user.
- add baselib.conf
-------------------------------------------------------------------
Thu Mar 26 12:56:50 UTC 2015 - t.gruner@katodev.de
- Version 2.19 (released 2015-03-23)
- Add new ldap functionality ldap_bind_user and ldap_bind_password
for authenticated binds ldap_filter for using subtree search and
a filter ldap_cacertfile to use a specific cacert for ldaps
-------------------------------------------------------------------
Mon Feb 16 14:36:32 UTC 2015 - t.gruner@katodev.de
- Version 2.18 (released 2015-02-12)
- Fix a memory leak of the pam response data.
- Add more tests.
- Add version flag to ykpamcfg.
- Remove "make check" in spec-file. ( BuildRequires: perl(Net::LDAP::Server) )
-------------------------------------------------------------------
Wed Jan 21 09:09:06 UTC 2015 - t.gruner@katodev.de
- Move ykpamcfg from /usr/sbin to /usr/bin
-------------------------------------------------------------------
Wed Jan 7 20:55:40 UTC 2015 - mrueckert@suse.de
- Version 2.17 (released 2014-08-26)
- Fix a bug with the 'urllist' parameter where urls would be
forgotten.
- Manpages converted to asciidoc.
- Version 2.16 (released 2014-06-10)
- Fix a crashbug with the new parameter 'urllist'
- Version 2.15 (released 2014-04-30)
- Added new parameter 'urllist'
- Added pam_yubico(8) man page.
- Fix memory leak.
- Bump yubico-c-client version requirement to 2.12.
- Version 2.14 (released 2013-09-27)
- Don't install internal header files.
- Don't print debug info when the "debug" parameter is not given.
- Use PBKDF2 to process expected reply for challenge-response
mode.
- Fixup memory leaks and leaks of privilege.
- Let return values reflect whether the user wasn't found or
other error.
- Version 2.13 (released 2013-03-01)
- Fix a bug in the version check to support major version > 2
(neo). Patch from https://github.com/wwest4
- Give ykpamcfg an option for specifying path.
- Version 2.12 (released 2012-06-15)
- Only use libyubikey when --with-cr is used.
- Set correct permissions on tempfile.
- YubiKey 2.2 contains a bug in challenge-response that makes it
output the same response to all challenges unless HMAC_LT64 is
set. Add warnings to ykpamcfg and a warning through conversate
in the pam module. Keys programmed like this should be
reprogrammed with the HMAC_LT64 flag set.
- Version 2.11 (released 2012-02-10)
- Fix crash-bug with challenge-response mode when button press is
required, but button is never pressed. Reported and fixed by
Lingzhu Xiang <xianglingzhu@gmail.com>.
- Fix a memset() with wrong size as reported by clang, as well as
some other problems/warnings when building on Mac OS X, thanks
to Clemens Lang <neverpanic@gmail.com>.
- Add prefix-matching of LDAP fetched values, so you can store
the token-to-user mapping in a multi-value attribute with
values like "yubikey:publicid", "other-token:something" etc.
Patch by Remi Mollon <remi.mollon@cern.ch>.
- Version 2.10 (released 2011-12-14)
- Drop permissions (to the user that is trying to authenticate)
before accessing files in the users home directory. Largely
based on a patch by Ricky Zhou <ricky@fedoraproject.org>.
Thanks!
- Restore challenge-response support - version 2.7 was supposed
to make the dependency on libykpers optional, but in reality
accidentally disabled challenge-response for all
configurations. As before, use --without-cr to compile
pam_yubico without the ykpers dependency.
- Version 2.9 (released 2011-11-17)
- Security: Explicitly request ykclient to verify server
signature. ykclient <= 2.5 strangely enough defaults to
signing requests, but not verifying signatures in responses
when it is supplied with a client key. Reported and patched by
Dominic Rutherford <dominic@rutherfordfamily.co.uk>.
- Version 2.8 (released 2011-08-26)
- Fix big security hole: Authentication succeeded when no
password was given, unless use_first_pass was being used. This
is fatal if pam_yubico is considered 'sufficient' in the PAM
configuration. Reported and patched by Nanakos Chrysostomos
<nanakos@wired-net.gr>.
- Version 2.7 (released 2011-06-07)
- Make dependency on libykpers optional. Use --without-cr to
force it. Reported by Jussi Sallinen <jussi@jus.si>.
- Version 2.6 (released 2011-04-11)
- This release includes lots of patches by members of our open
source community. Thank you all!
- Add Challenge-Response mode for offline validation (requires
YubiKey 2.2). Patch by Tollef Fog Heen.
- Eliminate all problems with pam_get_data by simply getting rid
of that code completely. This seems to have caused problems for
a lot of people.
- Numerous LDAP bug fixes and improvements, including community
patches by judas.iscariote and maxsanna81@gmail.com. Change to
LDAPv3, since v2 has been declared historic for a looong time.
- Support passing capath parameter to Yubico validation client.
Patch by Remi Mollon.
- Support public id's longer/shorter than 6 bytes. Patch by
fraser.scott@gmail.com.
- Convert documentation to Asciidoc format used in Github wiki.
- Try to never log passwords in debug logs.
- new build requires:
pkg-config
libyubikey-devel
libykpers-devel
- use correct license string: BSD-2-Clause
- remove autoreconf call: no longer needed with release tarball
- package more documentation
-------------------------------------------------------------------
Thu Mar 17 15:40:54 UTC 2011 - crrodriguez@opensuse.org
- Update GIT snapshot
-------------------------------------------------------------------
Sat Mar 12 14:12:28 UTC 2011 - crrodriguez@opensuse.org
- Update git snapshot
-------------------------------------------------------------------
Thu Mar 3 21:02:33 UTC 2011 - crrodriguez@opensuse.org
- Use an slightly newer git snapshot
-------------------------------------------------------------------
Sun Jan 30 21:39:14 UTC 2011 - cristian.rodriguez@opensuse.org
- run make check
-------------------------------------------------------------------
Sun Jan 30 18:19:29 UTC 2011 - cristian.rodriguez@opensuse.org
- fix some wrong ldap calls
-------------------------------------------------------------------
Sun Jan 30 16:25:26 UTC 2011 - cristian.rodriguez@opensuse.org
- Initial version