Change log for policykit-1 package in Ubuntu

1 → 50 of 116 results
Published in noble-proposed
policykit-1 (124-2ubuntu1.24.04.2) noble; urgency=medium

  * debian/patches/git-action-directories.patch:
    - fix incorrect call to get instance's priv. (lp: #2089145)

Published in oracular-proposed
policykit-1 (124-2ubuntu1.24.10.2) oracular; urgency=medium

  * debian/patches/git-action-directories.patch:
    - fix incorrect call to get instance's priv. (lp: #2089145)

Superseded in oracular-proposed
policykit-1 (124-2ubuntu1.24.10.1) oracular; urgency=medium

  * debian/patches/git-action-directories.patch:
    - cherry pick an upstream change to allow alternative directories for
      the actions files (lp: #2089145)

 -- Nathan Pratta Teodosio <email address hidden>  Wed, 27 Nov 2024 15:20:27 +0100
Superseded in noble-proposed
policykit-1 (124-2ubuntu1.24.04.1) noble; urgency=medium

  * debian/patches/git-action-directories.patch:
    - cherry pick an upstream change to allow alternative directories for
      the actions files (lp: #2089145)

 -- Nathan Pratta Teodosio <email address hidden>  Wed, 27 Nov 2024 15:20:27 +0100
Published in plucky-release
Deleted in plucky-proposed (Reason: Moved to plucky)
policykit-1 (125-2ubuntu1) plucky; urgency=medium

  * debian/patches/git-action-directories.patch:
    - cherry pick an upstream change to allow alternative directories for
      the actions files (lp: #2089145)

 -- Sebastien Bacher <email address hidden>  Thu, 21 Nov 2024 13:57:28 +0100
Superseded in plucky-proposed
policykit-1 (125-2) unstable; urgency=medium

  * Mark policykit-1-doc as MA foreign
  * Add patch to gracefully skip unit tests without permission to unshare

 -- Luca Boccassi <email address hidden>  Thu, 08 Aug 2024 17:54:02 +0100
Superseded in plucky-release
Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
policykit-1 (124-2ubuntu1) noble; urgency=medium

  * Merge with Debian; remaining changes:
    - polkitd.postinst: call systemd-sysusers with SYSTEMD_NSS_DYNAMIC_BYPASS=1
      This works around an upgrade bug in systemd where nss-systemd cannot
      establish a varlink connection with io.systemd.DynamicUser, hence causing
      the polkitd user/group creation to fail.

Superseded in noble-proposed
policykit-1 (124-1ubuntu2) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 08:15:10 +0000

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
policykit-1 (124-1ubuntu1) noble; urgency=medium

  * polkitd.postinst: call systemd-sysusers with SYSTEMD_NSS_DYNAMIC_BYPASS=1
    This works around an upgrade bug in systemd where nss-systemd cannot
    establish a varlink connection with io.systemd.DynamicUser, hence causing
    the polkitd user/group creation to fail. (LP: #2054716)

 -- Nick Rosbrook <email address hidden>  Wed, 13 Mar 2024 14:15:18 -0400
Superseded in noble-proposed
policykit-1 (124-1build1) noble; urgency=medium

  * No-change rebuild against libglib2.0-0t64

 -- Steve Langasek <email address hidden>  Fri, 08 Mar 2024 06:42:26 +0000

Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
policykit-1 (124-1) unstable; urgency=medium

  * Migrate upstream metadata and sources to Github
  * New upstream release
  * Upstream now installs pam.d snippet directly in /usr/lib, drop
    redirection
  * Upstream now ships sysusers.d, drop local copy
  * Bump copyright year ranges in d/copyright
  * Build-depend on systemd-dev and use pkg-config instead of hard-coding
    unit installation directory
  * Update symbols file for 124
  * Override Lintian warning about redundant globbing
  * Drop d/u/signing-key.asc, releases no longer signed
  * Add myself to Uploaders

 -- Luca Boccassi <email address hidden>  Sun, 21 Jan 2024 10:42:09 +0000

Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
policykit-1 (123-3) unstable; urgency=medium

  * d/control: Build-depend on a debhelper supporting system units in /usr/lib.
    This avoids making it too easy to backport a version that won't work
    correctly. Thanks to Michael Biebl

 -- Simon McVittie <email address hidden>  Fri, 20 Oct 2023 09:23:16 +0100

Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
policykit-1 (123-1) unstable; urgency=medium

  * New upstream release
  * Update directory permissions to match upstream hardening
    - /etc/polkit-1/rules.d: was 0700 polkitd:root, now 0750 root:polkitd
      so polkitd cannot modify it
    - /var/lib/polkit-1: same as /etc/polkit-1/rules.d
    - /usr/share/polkit-1/rules.d: was 0700 polkitd:root, now 0755
      root:root since everything in that directory comes from a package
      anyway
  * d/polkitd.postinst: Clean up /var/lib/polkit-1/.cache on upgrades,
    now that polkitd will not re-create it (Closes: #855083)
  * d/tests: Depend on polkitd instead of policykit-1
  * d/tests: Rename cli test to polkitd
  * d/tests: Add a test for pkexec
  * d/p/debian/Don-t-use-PrivateNetwork-yes-for-the-systemd-unit.patch:
    Disable PrivateNetwork=yes for now. This would be good to have,
    but it causes autopkgtest failures under lxc. (Mitigates: #1042880)
  * d/control: Stop recommending polkitd-pkla in policykit-1.
    This is a step towards removing the policykit-1 transitional package
    entirely: it was included in Debian 12 and Ubuntu 22.04, so it has
    served its purpose and should be removed soon.

 -- Simon McVittie <email address hidden>  Wed, 02 Aug 2023 12:49:21 +0100

Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
policykit-1 (122-4) unstable; urgency=medium

  * d/control: Remove transitional polkitd-javascript package.
    This package was released in bookworm, and nothing in Debian depends
    on it. It was only relevant for users of certain polkit releases in
    experimental.
  * d/*.install: Move gettext extensions into libpolkit-gobject-1-dev.
    These are generally only needed when building other packages.
    (Closes: #955204)

 -- Simon McVittie <email address hidden>  Mon, 12 Jun 2023 20:09:41 +0100
Superseded in mantic-proposed
policykit-1 (122-3build1) mantic; urgency=medium

  * Upload again the new version to Ubuntu

 -- Sebastien Bacher <email address hidden>  Mon, 08 May 2023 13:47:03 +0200
Deleted in lunar-proposed (Reason: blocked on MIR and needs porting work for rules)
policykit-1 (122-3) unstable; urgency=medium

  * d/polkitd.postinst: Stop polkitd before changing home directory.
    usermod will refuse to change the home directory if a polkitd process
    is running as the polkitd uid, so stop polkitd if necessary, and also
    don't fail if usermod can't change the home directory in an existing
    installation (which is non-critical anyway). (Closes: #1030154)

 -- Simon McVittie <email address hidden>  Tue, 31 Jan 2023 22:05:24 +0000

Superseded in lunar-proposed
policykit-1 (122-2) unstable; urgency=medium

  [ Debian Janitor ]
  * d/changelog: Trim trailing whitespace
  * d/upstream/metadata: Update URLs for Bug-Database, Bug-Submit

  [ Simon McVittie ]
  * Update how we assign root-equivalent groups
    - d/p/debian/50-default.rules-Replace-wheel-group-with-sudo-group.patch,
      d/rules:
      Set up Debian's default root-equivalent group 'sudo' in
      50-default.rules rather than in 40-debian-sudo.rules. This ensures
      that users of polkitd-pkla can override it by configuring admin
      identities the old way. Previously, because 40-debian-sudo.rules was
      earlier in the sequence than 49-polkit-pkla-compat.rules, it would
      take precedence and the admin identities from polkitd-pkla were
      ignored. (Closes: #1023393)
      By default, polkitd-pkla does not provide any admin identities,
      which means we behave as though polkitd-pkla was not installed at all,
      and fall back to the sudo group defined in 50-default.rules.
    - d/p/debian/05_revert-admin-identities-unix-group-wheel.patch:
      Drop patch, superseded by the one described above
    - d/rules: When built for Ubuntu, also install an Ubuntu-specific file
      sequenced after 49-polkit-pkla-compat.rules but before
      50-default.rules, which treats both the 'sudo' group and the legacy
      'admin' group as root-equivalent.
  * Replace /etc/pam.d/polkit-1 with /usr/lib/pam.d/polkit-1.
    /usr/lib/pam.d has been supported since at least 1.4.0 (Debian 11),
    so we can make this an ordinary packaged file instead of a conffile.
    Local sysadmin overrides can still be done via /etc/pam.d/polkit-1
    as before.
    This sidesteps dpkg's inability to keep track of a conffile when it is
    moved from one package to another (#399829, #645849, #163657, #595112).
    (Closes: #1006203)
  * postinst: Only clean up config directories if not owned.
    If we only have polkitd installed, then we want to clean up the obsolete
    directory /etc/polkit-1/localauthority.conf.d on upgrade, but if we
    have polkitd-pkla installed, then it owns that directory and we should
    not remove it. (Closes: #1026425)
  * d/policykit-1.dirs: Continue to own some legacy directory names.
    Having the transitional package continue to own these directories until
    it has had a chance to clean up obsolete conffiles will silence warnings
    from dpkg about inability to remove them. (Closes: #1027420)
  * d/polkitd.postrm: Clean up /var/lib/polkit-1 on purge.
    If /var/lib/polkit-1 was the polkitd user's home directory, then it
    might contain a .cache subdirectory; clean that up too.
  * Create polkitd user with home directory /nonexistent in new installations.
    This will prevent it from creating detritus in /var/lib/polkit-1.
  * polkitd.postinst: Change polkitd home directory to /nonexistent on upgrade
  * Remove version constraints unnecessary since buster (oldstable)
  * Update standards version to 4.6.2 (no changes needed)

 -- Simon McVittie <email address hidden>  Fri, 20 Jan 2023 13:22:24 +0000

Superseded in lunar-proposed
policykit-1 (122-1) unstable; urgency=medium

  * d/watch: Fix handling of polkit-pkla-compat
  * d/watch: Monitor Gitlab releases instead of fd.o web server
  * New upstream release
  * Drop patches that were included in the new upstream release

 -- Simon McVittie <email address hidden>  Fri, 28 Oct 2022 18:36:30 +0100
Superseded in mantic-release
Published in lunar-release
Obsolete in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
policykit-1 (0.105-33) unstable; urgency=medium

  * d/p/0.121/CVE-2021-4115-GHSL-2021-077-fix.patch:
    Attribute CVE-2021-4115 patch to its author.
    Move it into debian/patches/0.121 to indicate that it is a backport from
    upstream git, expected to be included in 0.121.
  * d/p/Fix-a-crash-when-authorization-is-implied.patch:
    Add patch to fix a crash when one authorization implies another

 -- Simon McVittie <email address hidden>  Sat, 26 Feb 2022 11:11:57 +0000

Obsolete in impish-updates
Obsolete in impish-security
policykit-1 (0.105-31ubuntu0.2) impish-security; urgency=medium

  * SECURITY UPDATE: DoS via file descriptor leak
    - debian/patches/CVE-2021-4115.patch: wait for both calls in
      src/polkit/polkitsystembusname.c.
    - CVE-2021-4115
  * debian/patches/CVE-2021-4034.patch: replaced with final upstream
    version.

 -- Marc Deslauriers <email address hidden>  Mon, 21 Feb 2022 07:58:33 -0500
Published in focal-updates
Published in focal-security
policykit-1 (0.105-26ubuntu1.3) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via file descriptor leak
    - debian/patches/CVE-2021-4115.patch: wait for both calls in
      src/polkit/polkitsystembusname.c.
    - CVE-2021-4115
  * debian/patches/CVE-2021-4034.patch: replaced with final upstream
    version.

 -- Marc Deslauriers <email address hidden>  Mon, 21 Feb 2022 07:58:33 -0500
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
policykit-1 (0.105-32) unstable; urgency=medium

  * Use upstream patch for CVE-2021-3560.
    This patch was included in 0.119, so move it into the 0.119/ directory
    in the patch series.
  * d/patches: Use upstream's finalized patch for CVE-2021-4034.
    The patch that was provided to distributors under embargo was not the
    final version: it used a different exit status, and made an attempt to
    show help. The version that was actually committed after the embargo
    period ended interprets argc == 0 as an attack rather than a mistake,
    and does not attempt to show the help message.
  * Move some Debian-specific patches into d/p/debian/.
    This makes it more obvious that they are not intended to go upstream.
  * d/control: Split the package.
    pkexec is a setuid program, which makes it a higher security risk than
    the more typical IPC-based uses of polkit. If we separate out pkexec
    into its own package, then only packages that rely on being able to run
    pkexec will have to depend on it, reducing attack surface for users
    who are able to remove the pkexec package.
  * d/control: policykit-1 Provides polkitd-pkla.
    This will give us a migration path to the separate per-backend packages
    currently available in experimental.
  * Add patch from Fedora to fix denial of service via fd exhaustion.
    CVE-2021-4115 (Closes: #1005784)
  * Standards-Version: 4.6.0 (no changes required)
  * Build-depend on dbus-daemon instead of dbus.
    We only need dbus-run-session at build time; we don't need a
    fully-working system bus.
  * Use d/watch format version 4
  * d/rules: Create localauthority configuration with install(1), not
    echo(1). This aligns the packaging a bit more closely with experimental.
  * Always configure the sudo group as root-equivalent.
    This avoids Debian derivatives getting an unexpected change in behaviour
    when they switch from inheriting Debian's policykit-1 package to
    building their own policykit-1 package, perhaps as a result of wanting
    to apply an unrelated patch.
    The sudo group is defined to be root-equivalent in base-passwd, so this
    should be equally true for all Debian derivatives.
    Thanks to Arnaud Rebillout.
  * d/polkitd.links: Create more polkit-agent-helper-1 symlinks.
    This executable has moved several times, and its path gets compiled
    into the libpolkit-agent-1-0 shared library. Making the executable
    available in all the locations it has previously had is helpful when
    swapping between versions during testing.
  * Acknowledge CVE-2021-4034 NMU. Thanks to Salvatore Bonaccorso.

 -- Simon McVittie <email address hidden>  Fri, 18 Feb 2022 12:45:14 +0000

Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
policykit-1 (0.105-31.1) unstable; urgency=high

  * Non-maintainer upload.
  * Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

 -- Salvatore Bonaccorso <email address hidden>  Thu, 13 Jan 2022 06:34:44 +0100
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
policykit-1 (0.105-31ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: Local Privilege Escalation in pkexec
    - debian/patches/CVE-2021-4034.patch: properly handle command-line
      arguments in src/programs/pkcheck.c, src/programs/pkexec.c.
    - CVE-2021-4034

 -- Marc Deslauriers <email address hidden>  Tue, 25 Jan 2022 14:18:21 -0500
Published in bionic-updates
Published in bionic-security
policykit-1 (0.105-20ubuntu0.18.04.6) bionic-security; urgency=medium

  * SECURITY UPDATE: Local Privilege Escalation in pkexec
    - debian/patches/CVE-2021-4034.patch: properly handle command-line
      arguments in src/programs/pkcheck.c, src/programs/pkexec.c.
    - CVE-2021-4034

 -- Marc Deslauriers <email address hidden>  Wed, 12 Jan 2022 07:34:00 -0500
Superseded in focal-updates
Superseded in focal-security
policykit-1 (0.105-26ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: Local Privilege Escalation in pkexec
    - debian/patches/CVE-2021-4034.patch: properly handle command-line
      arguments in src/programs/pkcheck.c, src/programs/pkexec.c.
    - CVE-2021-4034

 -- Marc Deslauriers <email address hidden>  Wed, 12 Jan 2022 07:33:38 -0500
Superseded in impish-updates
Superseded in impish-security
policykit-1 (0.105-31ubuntu0.1) impish-security; urgency=medium

  * SECURITY UPDATE: Local Privilege Escalation in pkexec
    - debian/patches/CVE-2021-4034.patch: properly handle command-line
      arguments in src/programs/pkcheck.c, src/programs/pkexec.c.
    - CVE-2021-4034

 -- Marc Deslauriers <email address hidden>  Wed, 12 Jan 2022 07:30:52 -0500
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
policykit-1 (0.105-31) unstable; urgency=medium

  [ Salvatore Bonaccorso ]
  * d/p/CVE-2021-3560.patch:
    Fix local privilege escalation involving
    polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
    (Closes: #989429)

 -- Simon McVittie <email address hidden>  Thu, 03 Jun 2021 17:06:34 +0100

Obsolete in hirsute-updates
Obsolete in hirsute-security
policykit-1 (0.105-30ubuntu0.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: local privilege escalation using
    polkit_system_bus_name_get_creds_sync()
    - debian/patches/CVE-2021-3560.patch: use proper return code in
      src/polkit/polkitsystembusname.c.
    - CVE-2021-3560

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 07:46:51 -0400
Superseded in focal-updates
Superseded in focal-security
policykit-1 (0.105-26ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: local privilege escalation using
    polkit_system_bus_name_get_creds_sync()
    - debian/patches/CVE-2021-3560.patch: use proper return code in
      src/polkit/polkitsystembusname.c.
    - CVE-2021-3560

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 07:50:16 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
policykit-1 (0.105-29ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: local privilege escalation using
    polkit_system_bus_name_get_creds_sync()
    - debian/patches/CVE-2021-3560.patch: use proper return code in
      src/polkit/polkitsystembusname.c.
    - CVE-2021-3560

 -- Marc Deslauriers <email address hidden>  Wed, 26 May 2021 07:49:40 -0400
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
policykit-1 (0.105-30) unstable; urgency=medium

  [ Helmut Grohne ]
  * Annotate Build-Depends: dbus <!nocheck> (Closes: #980998)

 -- Simon McVittie <email address hidden>  Thu, 04 Feb 2021 13:56:09 +0000

Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
policykit-1 (0.105-29) unstable; urgency=medium

  * Add symlink for polkit-agent-helper-1 after the move to /usr/libexec.
    If a process still has an old copy of libpolkit-agent-1.so.0 loaded, it
    will fail to find the binary at the new location. So create a symlink to
    prevent authentication failures on upgrades. (Closes: #965210)

 -- Michael Biebl <email address hidden>  Mon, 03 Aug 2020 11:05:29 +0200
Published in precise-updates
Published in precise-security
policykit-1 (0.104-1ubuntu1.5) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: start time protection mechanism bypass
    - debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids
      for temporary authorizations in src/polkit/polkitsubject.c,
      src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2019-6133

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 29 Aug 2019 15:18:39 -0300
Superseded in groovy-release
Published in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
policykit-1 (0.105-26ubuntu1) eoan; urgency=medium

  * Revert "Depend on new virtual packages default-logind and logind". We
    don't yet have a systemd which provides these virtual packages, rendering
    policykit-1 uninstallable. This change can be reverted once we do.

 -- Iain Lane <email address hidden>  Fri, 16 Aug 2019 13:37:39 +0100
Superseded in eoan-proposed
policykit-1 (0.105-26) unstable; urgency=medium

  [ Mark Hindley ]
  * Depend on new virtual packages default-logind and logind
    (Closes: #923240)

  [ Simon McVittie ]
  * Apply most changes from upstream release 0.116
    - d/p/0.116/Elaborate-message-printed-by-polkit-when-disconnecting-fr.patch,
      d/p/0.116/Error-message-raised-on-every-systemctl-start-in-emergenc.patch:
      Reduce messages to stderr from polkit agents, in particular when using
      "systemctl reboot" on a ssh connection or when using "systemctl start"
      in systemd emergency mode
    - d/p/0.116/Fix-a-critical-warning-on-calling-polkit_permission_new_s.patch:
      Fix critical warnings when calling polkit_permission_new_sync() with
      no D-Bus system bus
    - d/p/0.116/Possible-resource-leak-found-by-static-analyzer.patch:
      Fix a potential use-after-free in polkit agents
    - d/p/0.116/pkttyagent-PolkitAgentTextListener-leaves-echo-tty-disabl.patch:
      Re-enable echo if the tty agent is killed by SIGINT or SIGTERM
      or suspended with SIGTSTP
  * Add more bug fixes backported from earlier upstream releases
    - d/p/0.108/PolkitAgent-Avoid-crashing-if-initializing-the-server-obj.patch:
      Fix a segfault when a library user like flatpak attempts to register
      a polkit agent with no system bus available (Closes: #923046)
    - d/p/0.111/Add-a-FIXME-to-polkitprivate.h.patch:
      Make it more obvious that polkitprivate.h was never intended to be API
    - d/p/0.114/polkitpermission-Fix-a-memory-leak-on-authority-changes.patch:
      Fix a memory leak
    - d/p/0.113/PolkitSystemBusName-Retrieve-both-pid-and-uid.patch:
      Avoid a use of the deprecated polkit_unix_process_new()
  * d/*.symbols: Add Build-Depends-Package metadata
  * d/policykit-1.lintian-overrides: Override systemd unit false positives.
    The systemd unit is only for on-demand D-Bus activation, and is not
    intended to be started during boot, so an [Install] section and a
    parallel LSB init script are not necessary.
  * Stop building libpolkit-backend as a shared library.
    Its API was never declared stable before upstream removed it in
    0.106. Nothing in Debian depended on it, except for polkitd itself,
    which now links the same code statically.
    This is a step towards being able to use the current upstream release of
    polkit and patch in the old localauthority backend as an alternative to
    the JavaScript backend, instead of using the old 0.105 codebase and
    patching in essentially every change except the JavaScript backend,
    which is becoming unmanageable.
    - Remove the example null backend, which is pointless now that we've
      removed the ability to extend polkit.
    - Remove obsolete conffile 50-nullbackend.conf on upgrade
    - Remove the directory that previously contained 50-nullbackend.conf
      after upgrading or removing policykit-1
    - Remove obsolete dh_makeshlibs override for the null backend
  * d/policykit-1.bug-control: Add systemd, elogind versions to bug reports.
    reportbug doesn't currently seem to interpret
    "Depends: default-logind | logind" as implying that it should include
    the version number of the package that Provides logind in bug reports.
    Workaround for #934472.
  * Change the policykit-1 package from Architecture: any to
    Architecture: linux-any, and remove the consolekit [!linux-any]
    dependency. consolekit is no longer available in any Debian or
    debian-ports architecture, even those for non-Linux kernels.
    (Closes: #918446)
  * Standards-Version: 4.4.0 (no changes required)
  * Switch to debhelper-compat 12
    - d/control: Add ${misc:Pre-Depends}
  * Switch to dh_missing and abort on uninstalled files
    (patch taken from experimental, thanks to Michael Biebl)

 -- Simon McVittie <email address hidden>  Sun, 11 Aug 2019 19:09:35 +0100
Published in xenial-updates
Published in xenial-security
policykit-1 (0.105-14.1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: start time protection mechanism bypass
    - debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids
      for temporary authorizations in src/polkit/polkitsubject.c,
      src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2019-6133

 -- Marc Deslauriers <email address hidden>  Wed, 27 Mar 2019 09:57:28 -0400
Obsolete in cosmic-updates
Obsolete in cosmic-security
policykit-1 (0.105-21ubuntu0.4) cosmic-security; urgency=medium

  * SECURITY UPDATE: start time protection mechanism bypass
    - debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids
      for temporary authorizations in src/polkit/polkitsubject.c,
      src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2019-6133

 -- Marc Deslauriers <email address hidden>  Wed, 27 Mar 2019 09:51:01 -0400
Superseded in bionic-updates
Superseded in bionic-security
policykit-1 (0.105-20ubuntu0.18.04.5) bionic-security; urgency=medium

  * SECURITY UPDATE: start time protection mechanism bypass
    - debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids
      for temporary authorizations in src/polkit/polkitsubject.c,
      src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2019-6133

 -- Marc Deslauriers <email address hidden>  Wed, 27 Mar 2019 09:57:02 -0400
Published in trusty-updates
Published in trusty-security
policykit-1 (0.105-4ubuntu3.14.04.6) trusty-security; urgency=medium

  * SECURITY UPDATE: start time protection mechanism bypass
    - debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids
      for temporary authorizations in src/polkit/polkitsubject.c,
      src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2019-6133

 -- Marc Deslauriers <email address hidden>  Wed, 27 Mar 2019 09:57:59 -0400
Superseded in eoan-release
Obsolete in disco-release
Deleted in disco-proposed (Reason: moved to release)
policykit-1 (0.105-25) unstable; urgency=medium

  * Team upload
  * Add tests-add-tests-for-high-uids.patch
    - Patch from upstream modified by Ubuntu to test high UID fix
  * Compare PolkitUnixProcess uids for temporary authorizations.
    - Fix temporary auth hijacking via PID reuse and non-atomic fork
      (CVE-2019-6133) (Closes: #918985)

 -- Jeremy Bicha <email address hidden>  Tue, 15 Jan 2019 11:11:58 -0500
Superseded in xenial-updates
Superseded in xenial-security
policykit-1 (0.105-14.1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
      PolkitUnixProcess in src/polkit/polkitunixprocess.c.
    - CVE-2018-19788

 -- Marc Deslauriers <email address hidden>  Tue, 15 Jan 2019 08:19:19 -0500
Superseded in trusty-updates
Superseded in trusty-security
policykit-1 (0.105-4ubuntu3.14.04.5) trusty-security; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
      PolkitUnixProcess in src/polkit/polkitunixprocess.c.
    - CVE-2018-19788

 -- Marc Deslauriers <email address hidden>  Tue, 15 Jan 2019 08:20:15 -0500
Superseded in bionic-updates
Superseded in bionic-security
policykit-1 (0.105-20ubuntu0.18.04.4) bionic-security; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
      PolkitUnixProcess in src/polkit/polkitunixprocess.c.
    - CVE-2018-19788

 -- Marc Deslauriers <email address hidden>  Tue, 15 Jan 2019 08:18:22 -0500
Superseded in cosmic-updates
Superseded in cosmic-security
policykit-1 (0.105-21ubuntu0.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
      PolkitUnixProcess in src/polkit/polkitunixprocess.c.
    - CVE-2018-19788

 -- Marc Deslauriers <email address hidden>  Tue, 15 Jan 2019 08:15:13 -0500
Superseded in disco-proposed
policykit-1 (0.105-22ubuntu3) disco; urgency=medium

  * Re-enable security patches
    - debian/patches/CVE-2018-19788-1.patch
    - debian/patches/CVE-2018-19788-2.patch
  * Fix regression causing autopkgtest failures:
    - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
      PolkitUnixProcess in src/polkit/polkitunixprocess.c.

 -- Marc Deslauriers <email address hidden>  Tue, 15 Jan 2019 08:12:09 -0500
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
policykit-1 (0.105-22ubuntu2) disco; urgency=medium

  * Disable security patches until autopkgtest regression fix is available.
    (See Debian bug 916075)
    - debian/patches/CVE-2018-19788-1.patch
    - debian/patches/CVE-2018-19788-2.patch

 -- Marc Deslauriers <email address hidden>  Tue, 11 Dec 2018 07:15:16 -0500
Superseded in disco-proposed
policykit-1 (0.105-22ubuntu1) disco; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - CVE-2018-19788

 -- Marc Deslauriers <email address hidden>  Fri, 07 Dec 2018 08:18:07 -0500
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
policykit-1 (0.105-22) unstable; urgency=medium

  * Move D-Bus policy file to /usr/share/dbus-1/system.d/
    To better support stateless systems with an empty /etc, the old location
    in /etc/dbus-1/system.d/ should only be used for local admin changes.
    Package provided D-Bus policy files are supposed to be installed in
    /usr/share/dbus-1/system.d/.
    This is supported since dbus 1.9.18.
  * Remove obsolete conffile
    /etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf on upgrades
  * Bump Standards-Version to 4.2.1
  * Remove Breaks for versions older than oldstable
  * Stop masking polkit.service during the upgrade process.
    This is no longer necessary with the D-Bus policy file being installed
    in /usr/share/dbus-1/system.d/. (Closes: #902474)
  * Use dh_installsystemd to restart polkit.service after an upgrade.
    This replaces a good deal of hand-written maintscript code.

 -- Michael Biebl <email address hidden>  Tue, 27 Nov 2018 20:17:44 +0100

Superseded in trusty-updates
Superseded in trusty-security
policykit-1 (0.105-4ubuntu3.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via invalid object path
    - debian/patches/CVE-2015-3218.patch: handle invalid object paths in
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2015-3218
  * SECURITY UPDATE: privilege escalation via duplicate action IDs
    - debian/patches/CVE-2015-3255.patch: fix GHashTable usage in
      src/polkitbackend/polkitbackendactionpool.c.
    - CVE-2015-3255
  * SECURITY UPDATE: privilege escalation via duplicate cookie values
    - debian/patches/CVE-2015-4625-1.patch: use unpredictable cookie values
      in configure.ac, src/polkitagent/polkitagenthelper-pam.c,
      src/polkitagent/polkitagenthelper-shadow.c,
      src/polkitagent/polkitagenthelperprivate.c,
      src/polkitagent/polkitagenthelperprivate.h,
      src/polkitagent/polkitagentsession.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - debian/patches/CVE-2015-4625-2.patch: bind use of cookies to specific
      uids in data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      data/org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/overview.xml, src/polkit/polkitauthority.c,
      src/polkitbackend/polkitbackendauthority.c,
      src/polkitbackend/polkitbackendauthority.h,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - debian/patches/CVE-2015-4625-3.patch: update docs in
      data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      data/org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/overview.xml, src/polkit/polkitauthority.c,
      src/polkitagent/polkitagentlistener.c,
      src/polkitbackend/polkitbackendauthority.c.
    - CVE-2015-4625
  * SECURITY UPDATE: DoS and information disclosure
    - debian/patches/CVE-2018-1116.patch: properly check UID in
      src/polkit/polkitprivate.h, src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c,
      src/polkitbackend/polkitbackendsessionmonitor-systemd.c,
      src/polkitbackend/polkitbackendsessionmonitor.c,
      src/polkitbackend/polkitbackendsessionmonitor.h.
    - debian/libpolkit-gobject-1-0.symbols: updated for new private symbol.
    - CVE-2018-1116

 -- Marc Deslauriers <email address hidden>  Fri, 13 Jul 2018 07:53:14 -0400