--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-8664
2010-05-17 17:45:41
--------------------------------------------------------------------------------

Name        : pam_mount
Product     : Fedora 13
Version     : 2.4
Release     : 2.fc13
URL         : http://pam-mount.sourceforge.net/
Summary     : A PAM module that can mount volumes for a user session
Description :
This module is aimed at environments with central file servers that a user
wishes to mount on login and unmount on logout, such as (semi-)diskless
stations where many users can log on.

The module also supports mounting local filesystems of any kind the normal
mount utility supports, with extra code to make sure certain volumes are set
up properly because often they need more than just a mount call, such as
encrypted volumes. This includes SMB/CIFS, NCP, davfs2, FUSE, losetup crypto,
dm-crypt/cryptsetup and truecrypt.

If you intend to use pam_mount to protect volumes on your computer using an
encrypted filesystem, please know that there are many other issues you need
to consider in order to protect your data. For example, you probably want to
disable or encrypt your swap partition. Don't assume a system is secure
without carefully considering potential threats.

--------------------------------------------------------------------------------
Update Information:

For pam_mount:

Notes:
- see doc/bugs.txt for cryptsetup behavior that impacts pam_mount users since
  version 2.0

Fixes:
- umount.crypt: fix use of a wrong field for smtab/cmtab staleness check
- umount.crypt had erroneously mounted instead of umounted
- mount.crypt: fix memory scribble crash when crypto device could not be
  initialized
- mount.crypt: do not fail when unlocking key slot other than #0
- fusermount is now called with supplementary groups initialized
- rdconf: do not warn about missing fskeyhash when no fskey specified
- mount: prefer sysv mount API over bsd
- pmt-ehd: reword help text for -k option
- pmt-ehd: apply default value for -k option
- pmt-ehd: fix fskey generation which was pegged at 256 bits
- pmt-ehd: avoid needless overtruncation/sparsifying
- pmt-ehd: zero LUKS header to avoid setup failure of PLAIN volume

Changes:
- pmt-ehd: speed up writing random data
- pmt-ehd: reword help text for -k option
- mount.crypt: ignore cmtab update errors
- mount.crypt: add support for keyfile passthru using -ofsk_cipher=none
- doc: document mount.crypt's -o hash option
- mount.crypt: warn on ignored options

Fixes:
- config: rdconf1 static data had unclosed %(if) tags
- config: rdconf1 static data had extraneous %(OPTIONS) parameter

Changes:
- mount.crypt: make use of libcryptsetup
- cmtab is now stored below localstatedir (usually /var/run)
- use HXformat2. This invalidates old constructs like %(before=\"-o\"...),
  which need to be replaced with the new syntax. (See below.) In general, the
  old syntax was only used by commands.

Note to updaters: As the old syntax
  %(after=...) %(before=...) %(ifempty=...) %(ifnempty=...) %(lower=...)
  %(upper=...)
only appeared in commands, and commands are not part of the default config
file anymore since v1.0~15^2~15, there should be little worry.
The configuration options in question are
  <cifsmount>, <cryptmount>, <cryptumount>, <fd0ssh>, <fsck>, <fusemount>,
  <fuseumount>, <lclmount>, <nfsmount>, <ncpmount>, <ncpumount>, <pmvarrun>,
  <smbmount>, <smbumount>, <umount>
and should normally not be needed in pam_mount.conf.xml.

Changes:
- cope better with cryptsetup's assumption that keysize=256
- augment doc/bugs.txt about caveats with cryptsetup create

Fixes:
- avoid a mlock(NULL) when there is no auth token

Changes:
- print error code when mkmountpoint failed
- print warning when cmtab is not creatable

Changes:
- update for libHX 3.4

Fixes:
- do decrease the login refcount on logout when no volumes are defined

Fixes:
- avoid multi-free of auth token when pam_mount is rerun in a PAM stack
- avoid NULL dereference when there is an empty line in mtab

For cryptsetup:

- Fix device alignment ioctl calls parameters.
- Fix activate_by_* API calls to handle NULL device name as documented.
- Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
- Support --key-file/-d option for luksFormat.
- Fix description of --key-file and add --verbose and --debug options to man
  page.
- Add verbose log level and move unlocking message there.
- Remove device even if underlying device disappeared.
- Fix (deprecated) reload device command to accept new device argument.
- Fix luksClose operation for stacked DM devices.
- Fix automatic dm-crypt module loading.
- Escape hyphens in man page.
- Try to use pkgconfig for device mapper library.
- Detect old dm-crypt module and disable LUKS suspend/resume.
- Fix apitest to work on older systems.
- Allow no hash specification in plain device constructor.
- Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
- Fix isLuks to initialise crypto backend (blkid instead is suggested anyway).
- Fix package config to use proper package version.
- Avoid class C++ keyword in library header.
- Detect and use devmapper udev support if available (disable by
  --disable-udev).
- Prefer some device paths in status display.
- Support device topology detection for data alignment.
- Do not verify unlocking passphrase in luksAddKey command.
- Properly initialise crypto backend in header backup/restore commands.
- Fix udev support for old libdevmapper with not compatible definition.

--------------------------------------------------------------------------------
ChangeLog:

* Sat Jul 3 2010 Till Maas <[email protected]> - 2.4-2
- Add cryptsetup-luks-libs Requires
- list all manpages explicitly
* Fri Jul 2 2010 Till Maas <[email protected]> - 2.4-1
- Update to new release
- add patch to keep cmtab at /etc
- add patch to use mount -t crypt instead of mount.crypt for crypto volumes
- BR cryptsetup-luks-devel >= 1.1.2
- add man-db BR for Fedora >= 14 for pam_mount.8 to pam_mount.txt conversion
- add Patch to remove man-db BR for Fedora < 14
* Wed May 19 2010 Till Maas <[email protected]> - 2.3-1
- Update to new release
* Sun May 16 2010 Till Maas <[email protected]> - 2.2-1
- Update to new release
* Sun May 16 2010 Till Maas <[email protected]> - 2.1-1
- Update to new release
- Add BuildRequires: cryptsetup-luks-devel
- Cleanup BRs
- Add Requires: /bin/readlink
- Update libHX dependency
* Mon Jan 4 2010 Till Maas <[email protected]> - 1.32-2
- Do not package compatibility symlinks anymore

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #608400 - pam_mount-2.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=608400
  [ 2 ] Bug #599609 - use mount -t crypt instead of mount.crypt for pam_mount crypt volumes for selinux support
        https://bugzilla.redhat.com/show_bug.cgi?id=599609
  [ 3 ] Bug #610885 - update cryptsetup-luks to 1.1.2 for pam_mount
        https://bugzilla.redhat.com/show_bug.cgi?id=610885
  [ 4 ] Bug #570315 - pmt-ehd has problems has problems creating large loopback containers
        https://bugzilla.redhat.com/show_bug.cgi?id=570315

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update pam_mount' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
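
Added example (not part of the Fedora announcement or of pam_mount): a
pre-upgrade check for the "Note to updaters" above, which reports command
elements in a pam_mount.conf.xml that still use the pre-HXformat2 modifiers.
The function name and the sample configuration are constructed for
illustration; run it against the text of your own configuration file.

```python
import re
import xml.etree.ElementTree as ET

# Command elements the advisory names as the only places the old syntax appeared.
COMMAND_TAGS = {
    "cifsmount", "cryptmount", "cryptumount", "fd0ssh", "fsck", "fusemount",
    "fuseumount", "lclmount", "nfsmount", "ncpmount", "ncpumount", "pmvarrun",
    "smbmount", "smbumount", "umount",
}

# Old-style modifiers listed in the "Note to updaters".
OLD_SYNTAX = re.compile(r"%\((after|before|ifempty|ifnempty|lower|upper)=")


def find_old_constructs(xml_text):
    """Return sorted (element, modifier) pairs for commands using the old syntax.

    Hypothetical helper: only the text of command elements is inspected,
    because the advisory says the old syntax appeared nowhere else.
    """
    hits = set()
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag in COMMAND_TAGS:
            text = "".join(elem.itertext())
            for match in OLD_SYNTAX.finditer(text):
                hits.add((elem.tag, match.group(1)))
    return sorted(hits)


# Constructed sample: one custom command still carries an old-style modifier.
SAMPLE = r"""<pam_mount>
  <volume user="alice" fstype="crypt" path="/dev/sdb1" mountpoint="/home/alice" />
  <lclmount>mount -t %(FSTYPE) %(VOLUME) %(MNTPT) %(before=\"-o\" OPTIONS)</lclmount>
  <umount>umount %(MNTPT)</umount>
</pam_mount>
"""

if __name__ == "__main__":
    for tag, modifier in find_old_constructs(SAMPLE):
        print(f"<{tag}>: old-style %({modifier}=...) must be ported to the new syntax")
```

An empty result means no listed command element uses the old modifiers; any
hit has to be rewritten by hand before logins depend on the updated package.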
