forked from NigelCunningham/pam-MySQL
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
173 lines (129 loc) · 7.28 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
Version 0.8 - 30 Nov 2016 - <[email protected]>
* This release is the first in a new fork of the project. Previous maintainers
seem to have ceased activity not long after the last release. This version
includes a number of patches that have been applied in the meantime.
Version 0.7-RC1 2006/1/10 <[email protected]>
* Add a option "disconnect_every_op" option that forces pam_mysql to
disconnect from the database every operation (PR #1325395). -moriyoshi
* Use geteuid() instead of getuid() to check if the current user is authorized
to change the password (PR #1338667). -moriyoshi
* Allow root (uid=0) to change the passwords of other users without their old
password. -moriyoshi
Version 0.7-pre3 2005/9/29 <[email protected]>
* Changed handling of the "where" option to not escape meta characters
(PR #1261484). -moriyoshi
* Overhauled the SQL logging facility (PR #1256243). -moriyoshi
* Added logrhostcolumn (log.rhost_column) option that enables you to log the
value of the "rhost" item specified by the application. -moriyoshi
* Fixed possible security flaw (though not considered to be severe). -moriyoshi
* Fixed memory leaks spotted when "config_file" option is used. -moriyoshi
* Fixed try_first_pass behaviour. -moriyoshi
* Changed option parsing behaviour so "=" following each option name is not
needed. -moriyoshi
Version 0.7-pre2 2005/9/18 <[email protected]>
* Changed column name handling to not escape meta characters. Now you can
specify an expression to every XXXcolumn variable like "CONCAT(a, b, c)".
-moriyoshi
* Supported SHA1 hash (PR #1117036). -moriyoshi, alexeen
* Supported use_first_pass and try_first_pass options. -moriyoshi
Version 0.7-pre1 2005/6/13 <[email protected]>
* Support for NSS-mysql style configuration file which is inspired
by the Florian's work. -moriyoshi
Version 0.6.2 2005/9/29 <[email protected]>
* Overhauled the SQL logging facility (PR #1256243). -moriyoshi
* Fixed possible security flaw (though not considered to be severe). -moriyoshi
Version 0.6.1 2005/9/18 <[email protected]>
* Added use_323_passwd option that allows you to use an encryption function
used in the old MySQL versions (3.23.x). -moriyoshi, Daniel Renaud
* Fixed account management code that wouldn't work at all :-p -moriyoshi
* Included pam_mysql.spec to the tarball by default. This enables you to
make a RPM with the following oneliner: (rpmbuild -tb pam_mysql.tar.gz).
-moriyoshi
* Fixed compile failure that occurs with the old mysql_config (< 4.0.16).
-moriyoshi
* Fixed compile failure on Solaris when --with-openssl is specified to the
configure script.
Version 0.6 2005/6/13 <[email protected]>
* Adopted autoconf / automake for build system. -moriyoshi
* Portable MD5 support by using OpenSSL / Cyrus-SASL. -moriyoshi
* MySQL library detection. -moriyoshi
* Added RPM spec file. -moriyoshi
* Tidied up the entire code for security and maintainability. -moriyoshi
* Modified log output to be more verbose. -moriyoshi
* Changed log facility type to LOG_AUTHPRIV as per the recommendation in
the PAM documentation. -moriyoshi
* Added support for unix socket and non-default ports. -moriyoshi
* Added account management and authentication token alteration code. -moriyoshi
* Remove default values for string parameters for the sake of performance.
-moriyoshi
* Enhanced SQL logging function to log session state as well. -moriyoshi
* Solaris support. -moriyoshi
Version 0.5 2002/11/20 <[email protected]>
* Added md5 support by default -ksmith
* Added a makefile that works fon FreeBSD -ksmith
* More buffer overflow related fixes -jo2y
* Added -lz flag to link against the libz library -jo2y
* Backport of sql logging into main branch -jo2y
* Fixed a memoryleak with mysql_free_result() -jo2y
* Fixed buffer overflow in parseArgs() -jo2y
* Add askForPassword() for new passwords in pam_sm_chauthtok() -ksmith
* All instances of syslog() now have a format string -ksmith
* Many fixes from B J Black
Version 0.4.7 2000/9/7 <[email protected]>
* URGENT! This release fixes a SERIOUS security hole in the authentication
mechanism and is one I am deeply to ashamed to admit was there, but must.
The SQL statement was never being escaped, so your users can effectively
'break out' of the query, add their own SQL and get authentication.
Whichever version of PAM-MYSQL you are running, you should upgrade
immediately to fix this problem. ANYONE can get authenticated on your
system without needing to know the password of the user they are
trying to be authenticated as. This means root too. And it is easy...
Specify the username as root. Specify the password as;
' and user='SomeKnownUser'
and whammo, you have root access to the machine because PAM authorised you.
UPGRADE NOW!
Thanks to Shaun Clowes at Secure Reality (http://www.securereality.com.au)
for bringing this to my attention.
Also, if you don't want users passwords displayed in your sql log, switch
off logging for select statements!
Version 0.4.6 2000/9/5 <[email protected]>
* ACK! Logfile spam from acct_mgmt() Removed it... Or rather, added it to the
#ifdef
Version 0.4.5 2000/9/5 <[email protected]>
* Applied patch from Martin "Edas" Edlman to fix PASSWORD() method and combine
crypt() into one call..
* Changed the way PAM_MYSQL logs, removed _pam_log() and now just use syslog()
instead of vsyslog() (Actually not sure why vsyslog was used anyway)
which should hopefully fix another set of SEGV problems people have
reported.
* Removed debug logging. Compile with -DDEBUG if you want it. Most people
won't though :)
Version 0.4 2000/7/27 <[email protected]>
* Added the ability to have a where clause in addition to the username='blah'.
Note though that spaces are NOT allowed in this where clause, sorry.
* Fixed a nasty (and really stupid!) bug whereby user not existing would cause
the sql string to be free'd twice, causing nastiness, lockups or
segfaults.
Version 0.3 2000/7/26 <[email protected]>
* This file started.
* Merged patches for crypt() support and local mysql support from Tamas SZERB
and Matjaz Godez.
* Fixed potential buffer overrun in sql statement (username could be big,
shouldn't be, but could be!).
* Fixed potential buffer overrun in crypt password checks. Password provided
could be long.
* Combined queries into 1 when using internal MySQL password() crypt routine.
* Changed Makefile to use staticly linked libmysqlclient, as dynamic causes a
sigsegv when being unloaded. If anyone has any idea why that might be,
please email me!
* Patch to avoid second select submitted by Gus. Implemented with mods.
* Changes to conversation function to make more generic. Hopefully its not broken anything!
* Changes to better fit PAM spec.
* Changes to explicitly close MySQL connection when finished.
* Beginnings of ability to use use_first_pass (tied in with changes to
conversation functions)
* Implementation of stub functions for acct_mgmt, credential, chauthtok and
session stuff.
* If you are Tamas, Matjaz or Gus, please email me your contact details if
you'd like to be in the CREDITS file :)
#############################################################################