Wed, 28 Sep 2005

pam-mysql 0.6.2 and 0.7pre3 are released.

The new releases include some crucial security fixes, and users are strongly urged to upgrade their installations.

Addressed security concerns:

  • Possible segmentation fault in the SQL logging facility, which can cause Denial-of-Service (DoS).

  • Flaws in the authentication and authentication token alteration code, where incorrect treatment of the pointer returned by pam_get_item() was spotted. They can most likely induce DoS or possibly lead to more severe problems.

ChangeLog:

  • Changed handling of the "where" option to not escape meta characters (PR #1261484). (0.7pre3)

  • Overhauled the SQL logging facility (PR #1256243). (0.6.2, 0.7pre3)

  • Added logrhostcolumn (log.rhost_column) option that enables you to log the value of the "rhost" item specified by the application. (0.7pre3)

  • Fixed possible security flaw (0.7pre3)

  • Fixed memory leaks spotted when "config_file" option is used. (0.7pre3)

  • Fixed try_first_pass behaviour. (0.7pre3)

  • Changed option parsing behaviour so "=" following each option name is not needed. (0.7pre3)

You can download either one from the following URL: