Version 0.7-RC1 2006/1/10 <moriyoshi@users.sourceforge.net> * Add a option "disconnect_every_op" option that forces pam_mysql to disconnect from the database every operation (PR #1325395). -moriyoshi * Use geteuid() instead of getuid() to check if the current user is authorized to change the password (PR #1338667). -moriyoshi * Allow root (uid=0) to change the passwords of other users without their old password. -moriyoshi Version 0.7-pre3 2005/9/29 <moriyoshi@users.sourceforge.net> * Changed handling of the "where" option to not escape meta characters (PR #1261484). -moriyoshi * Overhauled the SQL logging facility (PR #1256243). -moriyoshi * Added logrhostcolumn (log.rhost_column) option that enables you to log the value of the "rhost" item specified by the application. -moriyoshi * Fixed possible security flaw (though not considered to be severe). -moriyoshi * Fixed memory leaks spotted when "config_file" option is used. -moriyoshi * Fixed try_first_pass behaviour. -moriyoshi * Changed option parsing behaviour so "=" following each option name is not needed. -moriyoshi Version 0.7-pre2 2005/9/18 <moriyoshi@users.sourceforge.net> * Changed column name handling to not escape meta characters. Now you can specify an expression to every XXXcolumn variable like "CONCAT(a, b, c)". -moriyoshi * Supported SHA1 hash (PR #1117036). -moriyoshi, alexeen * Supported use_first_pass and try_first_pass options. -moriyoshi Version 0.7-pre1 2005/6/13 <moriyoshi@users.sourceforge.net> * Support for NSS-mysql style configuration file which is inspired by the Florian's work. -moriyoshi Version 0.6.2 2005/9/29 <moriyoshi@users.sourceforge.net> * Overhauled the SQL logging facility (PR #1256243). -moriyoshi * Fixed possible security flaw (though not considered to be severe). -moriyoshi Version 0.6.1 2005/9/18 <moriyoshi@users.sourceforge.net> * Added use_323_passwd option that allows you to use an encryption function used in the old MySQL versions (3.23.x). -moriyoshi, Daniel Renaud * Fixed account management code that wouldn't work at all :-p -moriyoshi * Included pam_mysql.spec to the tarball by default. This enables you to make a RPM with the following oneliner: (rpmbuild -tb pam_mysql.tar.gz). -moriyoshi * Fixed compile failure that occurs with the old mysql_config (< 4.0.16). -moriyoshi * Fixed compile failure on Solaris when --with-openssl is specified to the configure script. Version 0.6 2005/6/13 <moriyoshi@users.sourceforge.net> * Adopted autoconf / automake for build system. -moriyoshi * Portable MD5 support by using OpenSSL / Cyrus-SASL. -moriyoshi * MySQL library detection. -moriyoshi * Added RPM spec file. -moriyoshi * Tidied up the entire code for security and maintainability. -moriyoshi * Modified log output to be more verbose. -moriyoshi * Changed log facility type to LOG_AUTHPRIV as per the recommendation in the PAM documentation. -moriyoshi * Added support for unix socket and non-default ports. -moriyoshi * Added account management and authentication token alteration code. -moriyoshi * Remove default values for string parameters for the sake of performance. -moriyoshi * Enhanced SQL logging function to log session state as well. -moriyoshi * Solaris support. -moriyoshi Version 0.5 2002/11/20 <jo2y@users.sourceforge.net> * Added md5 support by default -ksmith * Added a makefile that works fon FreeBSD -ksmith * More buffer overflow related fixes -jo2y * Added -lz flag to link against the libz library -jo2y * Backport of sql logging into main branch -jo2y * Fixed a memoryleak with mysql_free_result() -jo2y * Fixed buffer overflow in parseArgs() -jo2y * Add askForPassword() for new passwords in pam_sm_chauthtok() -ksmith * All instances of syslog() now have a format string -ksmith * Many fixes from B J Black Version 0.4.7 2000/9/7 <delancie@users.sourceforge.net> * URGENT! This release fixes a SERIOUS security hole in the authentication mechanism and is one I am deeply to ashamed to admit was there, but must. The SQL statement was never being escaped, so your users can effectively 'break out' of the query, add their own SQL and get authentication. Whichever version of PAM-MYSQL you are running, you should upgrade immediately to fix this problem. ANYONE can get authenticated on your system without needing to know the password of the user they are trying to be authenticated as. This means root too. And it is easy... Specify the username as root. Specify the password as; ' and user='SomeKnownUser' and whammo, you have root access to the machine because PAM authorised you. UPGRADE NOW! Thanks to Shaun Clowes at Secure Reality (http://www.securereality.com.au) for bringing this to my attention. Also, if you don't want users passwords displayed in your sql log, switch off logging for select statements! Version 0.4.6 2000/9/5 <delancie@users.sourceforge.net> * ACK! Logfile spam from acct_mgmt() Removed it... Or rather, added it to the #ifdef Version 0.4.5 2000/9/5 <delancie@users.sourceforge.net> * Applied patch from Martin "Edas" Edlman to fix PASSWORD() method and combine crypt() into one call.. * Changed the way PAM_MYSQL logs, removed _pam_log() and now just use syslog() instead of vsyslog() (Actually not sure why vsyslog was used anyway) which should hopefully fix another set of SEGV problems people have reported. * Removed debug logging. Compile with -DDEBUG if you want it. Most people won't though :) Version 0.4 2000/7/27 <delancie@users.sourceforge.net> * Added the ability to have a where clause in addition to the username='blah'. Note though that spaces are NOT allowed in this where clause, sorry. * Fixed a nasty (and really stupid!) bug whereby user not existing would cause the sql string to be free'd twice, causing nastiness, lockups or segfaults. Version 0.3 2000/7/26 <delancie@users.sourceforge.net> * This file started. * Merged patches for crypt() support and local mysql support from Tamas SZERB and Matjaz Godez. * Fixed potential buffer overrun in sql statement (username could be big, shouldn't be, but could be!). * Fixed potential buffer overrun in crypt password checks. Password provided could be long. * Combined queries into 1 when using internal MySQL password() crypt routine. * Changed Makefile to use staticly linked libmysqlclient, as dynamic causes a sigsegv when being unloaded. If anyone has any idea why that might be, please email me! * Patch to avoid second select submitted by Gus. Implemented with mods. * Changes to conversation function to make more generic. Hopefully its not broken anything! * Changes to better fit PAM spec. * Changes to explicitly close MySQL connection when finished. * Beginnings of ability to use use_first_pass (tied in with changes to conversation functions) * Implementation of stub functions for acct_mgmt, credential, chauthtok and session stuff. * If you are Tamas, Matjaz or Gus, please email me your contact details if you'd like to be in the CREDITS file :) #############################################################################