Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2023-08-09 17:23:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new.11712 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam" Wed Aug 9 17:23:52 2023 rev:132 rq:1102711 version:1.5.3 Changes: -------- --- /work/SRC/openSUSE:Factory/pam/pam.changes 2023-05-13 17:16:52.646117423 +0200 +++ /work/SRC/openSUSE:Factory/.pam.new.11712/pam.changes 2023-08-09 17:23:58.708904069 +0200 @@ -1,0 +2,14 @@ +Mon Aug 7 09:41:27 UTC 2023 - Thorsten Kukuk <ku...@suse.com> + +- pam_access backports from upstream: + - pam_access-doc-IPv6-link-local.patch: + Document only partial supported IPv6 link local addresses + - pam_access-hostname-debug.patch: + Don't print error if we cannot resolve a hostname, does not + need to be a hostname + - pam_shells-fix-econf-memory-leak.patch: + Free econf keys variable + - disable-examples.patch: + Don't build examples + +------------------------------------------------------------------- New: ---- disable-examples.patch pam_access-doc-IPv6-link-local.patch pam_access-hostname-debug.patch pam_shells-fix-econf-memory-leak.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++ --- /var/tmp/diff_new_pack.TQbOed/_old 2023-08-09 17:23:59.572909449 +0200 +++ /var/tmp/diff_new_pack.TQbOed/_new 2023-08-09 17:23:59.576909473 +0200 @@ -96,6 +96,14 @@ Source23: postlogin-password.pamd Source24: postlogin-session.pamd Patch1: pam-limit-nproc.patch +# https://github.com/linux-pam/linux-pam/pull/594 +Patch2: pam_access-doc-IPv6-link-local.patch +# https://github.com/linux-pam/linux-pam/pull/596 +Patch3: pam_access-hostname-debug.patch +# https://github.com/linux-pam/linux-pam/pull/581 +Patch4: pam_shells-fix-econf-memory-leak.patch +# https://github.com/linux-pam/linux-pam/pull/574 +Patch5: disable-examples.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex @@ -206,6 +214,10 @@ %setup -q -n Linux-PAM-%{version} cp -a %{SOURCE12} . %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build bash ./pam-login_defs-check.sh 
@@ -216,6 +228,7 @@ %if %{livepatchable} CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones" %endif +autoreconf %configure \ --includedir=%{_includedir}/security \ --docdir=%{_docdir}/pam \ @@ -225,6 +238,7 @@ --enable-securedir=%{_pam_moduledir} \ --enable-vendordir=%{_prefix}/etc \ --enable-logind \ + --disable-examples \ --disable-nis \ %if %{with debug} --enable-debug ++++++ disable-examples.patch ++++++ >From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001 From: Pino Toscano <toscano.p...@tiscali.it> Date: Mon, 8 May 2023 18:39:36 +0200 Subject: [PATCH] configure.ac: add --enable-examples option Allow the user to not build the examples through --disable-examples (enabled by default); this can be useful: - when cross-compiling, as the examples are not useful - in distribution builds, not building stuff that is not used in any way --- Makefile.am | 5 ++++- configure.ac | 5 +++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index deb252680..2e8fede7b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,11 +4,14 @@ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news -SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests +SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests if HAVE_DOC SUBDIRS += doc endif +if HAVE_EXAMPLES +SUBDIRS += examples +endif CLEANFILES = *~ diff --git a/configure.ac b/configure.ac index b9b0f8392..6666b1b26 100644 --- a/configure.ac +++ b/configure.ac 
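Review bot: The `autoreconf` added before `%configure` in the pam.spec `%build` hunk runs without options, so it regenerates only the files it considers out of date and does not install missing auxiliary files. Because disable-examples.patch edits both configure.ac and Makefile.am, `autoreconf -fi` would rebuild the whole build system from the patched inputs instead of relying on the timestamps of the generated files shipped in the tarball. The BuildRequires lines visible in the first pam.spec hunk list audit-devel, bison and flex, but not autoconf, automake or libtool. If those are not declared outside the shown context, they should be added so the build does not depend on them arriving indirectly.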
@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc], WITH_DOC=$enableval, WITH_DOC=yes) AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"]) +AC_ARG_ENABLE([examples], + AS_HELP_STRING([--disable-examples],[Do not build the examples]), + WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes) +AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"]) + AC_ARG_ENABLE([prelude], AS_HELP_STRING([--disable-prelude],[do not use prelude]), WITH_PRELUDE=$enableval, WITH_PRELUDE=yes) ++++++ pam_access-doc-IPv6-link-local.patch ++++++ >From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk <ku...@suse.com> Date: Thu, 3 Aug 2023 17:11:32 +0200 Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582) * modules/pam_access/access.conf.5.xml: Add example and note for IPv6 link-local addresses * modules/pam_access/access.conf: Add example for IPv6 link-local addresses --- modules/pam_access/access.conf | 3 +++ modules/pam_access/access.conf.5.xml | 12 +++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf index 47b6b84c1..9c8e21716 100644 --- a/modules/pam_access/access.conf +++ b/modules/pam_access/access.conf @@ -115,6 +115,9 @@ # User "john" should get access from ipv6 host address (same as above) #+:john:2001:4ca0:0:101:0:0:0:1 # +# User "john" should get access from ipv6 local link host address +#+:john:fe80::de95:818c:1b55:7e42%eth0 +# # User "john" should get access from ipv6 net/mask #+:john:2001:4ca0:0:101::/64 # diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index ff1cb2237..2dc5d477c 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml 
@@ -188,6 +188,12 @@ </para> <para>+:john foo:2001:db8:0:101::1</para> + <para> + User <emphasis>john</emphasis> and <emphasis>foo</emphasis> + should get access from IPv6 link local host address. + </para> + <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para> + <para> User <emphasis>john</emphasis> should get access from IPv6 net/mask. </para> @@ -222,6 +228,10 @@ item and the line will be most probably ignored. For this reason, it is not recommended to put spaces around the ':' characters. </para> + <para> + An IPv6 link local host address must contain the interface + identifier. IPv6 link local network/netmask is not supported. + </para> </refsect1> <refsect1 xml:id="access.conf-see_also"> @@ -246,4 +256,4 @@ introduced by Mike Becher <mike.bec...@lrz-muenchen.de>. </para> </refsect1> -</refentry> \ No newline at end of file +</refentry> ++++++ pam_access-hostname-debug.patch ++++++ >From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk <ku...@suse.com> Date: Fri, 4 Aug 2023 15:46:16 +0200 Subject: [PATCH] pam_access: make non-resolveable hostname a debug output (#590) * modules/pam_access/pam_access.c (network_netmask_match): Don't print an error if a string is not resolveable, only a debug message in debug mode. We even don't know if that entry is for remote logins or not. --- modules/pam_access/pam_access.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index f70b7e495..985dc7de2 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh, */ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) { - pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); + if (item->debug) + pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok); return NO; } ++++++ pam_shells-fix-econf-memory-leak.patch ++++++ 
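Review bot: After this change a failed `getaddrinfo` in the pam_access.c hunk returns `NO` with no log output unless `item->debug` is set, so an entry meant to name a host that is mistyped, or that cannot be resolved during a DNS outage, silently stops matching. If such an entry belongs to a deny rule the restriction would not be applied; how the caller uses `NO` lies outside the hunk, so this is inferred. A comment above the check would record the trade-off, e.g. `/* tok need not be a hostname; a failed lookup only means this entry does not match (logged with debug) */`, and access.conf(5) could state that unresolvable host entries are skipped. The unbraced `if (item->debug)` followed by a wrapped call would be safer with braces. network_netmask_match starts and continues outside the hunk.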
>From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann <tob...@stoeckmann.org> Date: Thu, 18 May 2023 17:55:21 +0200 Subject: [PATCH] pam_shells: Plug econf memory leak Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> --- modules/pam_shells/pam_shells.c | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c index 05c09c656..276a56dd5 100644 --- a/modules/pam_shells/pam_shells.c +++ b/modules/pam_shells/pam_shells.c @@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh) if (!retval) break; } + econf_free (keys); econf_free (key_file); #else char shellFileLine[256];