On Sat, Sep 11, 2010 at 12:18:58PM +0200, Philipp Kern wrote:
> Jan,
>
> On Fri, Sep 10, 2010 at 11:25:14PM +0200, Jan Dittberner wrote:
> > I just uploaded pam-pgsql/0.7.1-3 to unstable. The new upload fixes #594721 and
> > #596375. The first bug is security related, the patch is in production use by
> > the bug submitter and looks sane to me. The second bug is RC because it would
> > break upgrades from Lenny.
>
> I don't see how the "support Postgres' md5 hashes" is security related.
> "I can only use this table if I do $foo" while $foo is maybe not sane
> doesn't qualify as a security bug in my books.
>
> This is fun, too:
>
> +TODO (see http://dep.debian.net/deps/dep3/):
> +Last-Update: 2010-08-28
> +Forwarded: <no|not-needed|url proving that it has been forwarded>
> +Reviewed-By: <name and email of someone who approved the patch>

I forwarded the patch to the upstream bugtracker and updated the DEP-3
information; I should have read the full patch header.

> That said I wouldn't oppose it, despite it not fitting the freeze guidelines.

That is great news and will make the bug submitter happy.

> As for #596375: it looks RC-ish. I'm a bit stunned that there's neither a
> manpage, nor is it shipped with a configuration file at the default location you
> suggest. After all, you could pass config_file to the module to use a
> different one, and those will still break. I'm not sure how to handle this
> case properly, though, and I'd strongly suggest an entry in NEWS.Debian.

I also don't have a good idea how to fix situations where a non-default
config_file is used. I added a debian/NEWS file.

I attach a diff of my changes. Please confirm whether I should upload the
changed package and whether the package would qualify for unblock with these
changes.

Regards,
Jan Dittberner

--
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
diff -Nru pam-pgsql-0.7.1/debian/changelog pam-pgsql-0.7.1/debian/changelog --- pam-pgsql-0.7.1/debian/changelog 2010-09-10 22:36:37.000000000 +0200 +++ pam-pgsql-0.7.1/debian/changelog 2010-09-11 21:51:51.000000000 +0200 @@ -1,3 +1,11 @@ +pam-pgsql (0.7.1-4) unstable; urgency=low + + * update DEP-3 information in + debian/patches/md5postgres_594721.patch, and fix a typo + * add debian/NEWS to notify about the change of default pw_type + + -- Jan Dittberner <jandd@debian.org> Sat, 11 Sep 2010 21:51:41 +0200 + pam-pgsql (0.7.1-3) unstable; urgency=low * add debian/patches/md5postgres_594721.patch to add support for diff -Nru pam-pgsql-0.7.1/debian/NEWS pam-pgsql-0.7.1/debian/NEWS --- pam-pgsql-0.7.1/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 +++ pam-pgsql-0.7.1/debian/NEWS 2010-09-11 21:51:51.000000000 +0200 @@ -0,0 +1,12 @@ +pam-pgsql (0.7.1-4) unstable; urgency=low + + The default setting for pw_type has been changed from clear to sha1. This + change will break setups that previously used pam-pgsql < 0.7.1 where no + pw_type has been specified and another configuration file then + /etc/pam_pgsql.conf is used. The postinst script will set pw_type = clear + explicitly if you are upgrading from a version less than 0.7.1 and your + system's setup uses /etc/pam_pgsql.conf. You are encouraged to change your + setup to use a more secure mechanism (i.e. sha1) and to change your database + accordingly though. + + -- Jan Dittberner <jandd@debian.org> Sat, 11 Sep 2010 21:28:22 +0200 diff -Nru pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch --- pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch 2010-09-10 22:36:37.000000000 +0200 +++ pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch 2010-09-11 21:51:51.000000000 +0200 
@@ -7,11 +7,9 @@ postgresql.conf. This is requiered if you want authentication fallbacks within postgresql. See README file for full example. - -TODO (see http://dep.debian.net/deps/dep3/): -Last-Update: 2010-08-28 -Forwarded: <no|not-needed|url proving that it has been forwarded> -Reviewed-By: <name and email of someone who approved the patch> +Last-Update: 2010-09-11 +Forwarded: https://sourceforge.net/tracker/download.php?group_id=62198&atid=499729&file_id=386358&aid=3064421 +Reviewed-By: Jan Dittberner <jandd@debian.org> Index: pam-pgsql-0.7.1/src/backend_pgsql.c =================================================================== @@ -148,7 +146,7 @@ - hashing instead of DES. if one of 'crypt' or - 'crypt_md5' is specified, passwords always are + of 'clear', 'md5', 'sha1', 'crypt', 'crypt_md5', or -+ 'md5_postgres'. The ifference between 'md5' and ++ 'md5_postgres'. The difference between 'md5' and + 'crypt_md5' is that 'md5' uses libmhash for hashing + while 'crypt_md5' uses crypt() with a special salt to + select md5 hashing instead of DES. if one of 'crypt'
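Review bot: two wording fixes in the new debian/NEWS entry: "another configuration file then /etc/pam_pgsql.conf" should read "than", and "(i.e. sha1)" should be "(e.g. sha1)", since sha1 is one of several non-clear pw_type values (the patch header in this same diff lists 'md5', 'sha1', 'crypt', 'crypt_md5' and 'md5_postgres'). The entry also says the postinst only adds pw_type = clear when the system uses /etc/pam_pgsql.conf; it would help administrators to spell out the consequence, namely that any setup passing a non-default config_file without an explicit pw_type has to add "pw_type = clear" (or migrate to a hashed type) by hand before upgrading, otherwise authentication against their existing cleartext table will stop working.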
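Review bot: in the DEP-3 header hunk, the Forwarded: field points at a SourceForge attachment download URL (download.php?...&file_id=386358&aid=3064421) rather than the tracker item itself. DEP-3 asks for a URL proving the patch was forwarded, and the tracker entry (the aid=3064421 item) is the more durable reference, since per-attachment download links tend to stop resolving; suggest using the tracker item URL there and, if desired, keeping the file link in a free-text line of the header.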
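Review bot: style point in the backend_pgsql.c comment hunk: the fix from 'ifference' to 'difference' is correct, but the context line "+ select md5 hashing instead of DES. if one of 'crypt'" still starts a sentence in lower case; since this hunk already rewrites that comment, capitalising "If" there would be cheap and keeps the comment consistent.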
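The situation Jan says he has no good fix for, a non-default config_file that silently inherits the new pw_type default, can at least be detected before an upgrade is attempted. The following POSIX shell script is an added example written for this thread; it is not part of pam-pgsql, the Debian packaging or Jan's diff. It assumes the "key = value" syntax of pam_pgsql.conf with pw_type as the key, and the config_file= module argument on pam_pgsql.so lines, both as described in the thread. The PAM service files and configuration files it creates under a temporary directory are constructed here purely for illustration.

```shell
#!/bin/sh
# Added example (not pam-pgsql code): find every pam_pgsql configuration file a
# system references, the default one plus any config_file=... argument on a
# pam_pgsql.so line, and report which of them do not set pw_type explicitly.
# Those files relied on the old default (clear) and would switch to sha1 after
# the 0.7.1 default change, so logins against a cleartext table would fail.

# List config files: the default path plus every config_file= value found on
# non-comment lines that load pam_pgsql.so in the PAM service directory.
#   $1 = PAM service directory (e.g. /etc/pam.d), $2 = default config path
pam_pgsql_config_files() {
    pamdir=$1
    default=$2
    {
        echo "$default"
        cat "$pamdir"/* 2>/dev/null \
            | grep 'pam_pgsql\.so' \
            | grep -v '^[[:space:]]*#' \
            | sed -n 's/.*config_file=\([^[:space:]]*\).*/\1/p'
    } | sort -u
}

# Print "path:STATUS" for one config file: the explicit pw_type value,
# "missing" when no pw_type line exists, "absent" when the file is not there.
# A commented-out "# pw_type = ..." line does not count as set.
check_pw_type() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f:absent"
        return
    fi
    v=$(sed -n 's/^[[:space:]]*pw_type[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$f:$v"
    else
        echo "$f:missing"
    fi
}

# Run check_pw_type over every referenced config file, one result per line.
audit_pam_pgsql() {
    pam_pgsql_config_files "$1" "$2" | while IFS= read -r f; do
        check_pw_type "$f"
    done
}

# --- constructed sample tree (assumption: mirrors /etc/pam.d and /etc layout) ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/pam.d" "$SAMPLE/etc"
# service using the default config file, which sets no pw_type
printf 'auth    required pam_pgsql.so\naccount required pam_pgsql.so\n' > "$SAMPLE/pam.d/login"
# service with a non-default config file that sets pw_type explicitly
printf 'auth sufficient pam_pgsql.so config_file=%s\n' "$SAMPLE/etc/pam_pgsql_ssh.conf" > "$SAMPLE/pam.d/sshd"
# commented-out line: must be ignored by the scan
printf '# auth required pam_pgsql.so config_file=%s\n' "$SAMPLE/etc/ignored.conf" > "$SAMPLE/pam.d/cron"
# service with a non-default config file that only has pw_type commented out
printf 'auth required pam_pgsql.so config_file=%s\n' "$SAMPLE/etc/pam_pgsql_mail.conf" > "$SAMPLE/pam.d/dovecot"
printf 'connect = dbname=auth user=pam\n' > "$SAMPLE/etc/pam_pgsql.conf"
printf 'connect = dbname=auth user=pam\npw_type = sha1\n' > "$SAMPLE/etc/pam_pgsql_ssh.conf"
printf 'connect = dbname=auth user=pam\n# pw_type = clear\n' > "$SAMPLE/etc/pam_pgsql_mail.conf"

# Report: two of the three referenced files would fall back to the new default.
audit_pam_pgsql "$SAMPLE/pam.d" "$SAMPLE/etc/pam_pgsql.conf"
```

Run it against a real system with "audit_pam_pgsql /etc/pam.d /etc/pam_pgsql.conf"; every line ending in ":missing" is a file that needs an explicit pw_type before the package upgrade, and ":absent" flags a config_file argument pointing at a file that no longer exists. The scan deliberately treats a commented-out pw_type as missing, because that is exactly the case where an administrator believes the setting is in place when it is not.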