pam (1.5.3-5ubuntu5.5) noble-security; urgency=medium
* SECURITY UPDATE: pam_access hostname confusion
- debian/patches/CVE-2024-10963.patch: add "nodns" option to disallow
resolving of tokens as hostname in
modules/pam_access/access.conf.5.xml,
modules/pam_access/pam_access.8.xml,
modules/pam_access/pam_access.c.
- CVE-2024-10963
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 15 Sep 2025 08:37:15 -0400
pam (1.5.3-5ubuntu5.4) noble-security; urgency=medium
* SECURITY UPDATE: privilege escalation via pam_namespace
- debian/patches/pam_namespace_170.patch: sync pam_namespace module to
version 1.7.0.
- debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes
from upstream git tree.
- debian/patches/pam_namespace_revert_abi.patch: revert ABI change to
prevent unintended issues in running daemons.
- debian/patches/CVE-2025-6020-1.patch: fix potential privilege
escalation.
- debian/patches/CVE-2025-6020-2.patch: add flags to indicate path
safety.
- debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at
the group ownership.
- debian/patches/pam_namespace_o_directory.patch: removed, included in
patch cluster above.
- CVE-2025-6020
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 12 Jun 2025 10:45:28 -0400
pam (1.5.3-5ubuntu5.2) noble; urgency=medium
* d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)
-- Simon Chopin <schopin@ubuntu.com> Mon, 26 May 2025 16:34:46 +0200
pam (1.5.3-5ubuntu5.1) noble; urgency=medium
[ Sam Hartman ]
* Correct Build depends for docbook5 (LP: #2064360)
* Depend on libdb-dev again, bringing back pam_userdb (LP: #2064350)
-- Dan Bungert <daniel.bungert@canonical.com> Thu, 02 May 2024 16:20:13 -0600
pam (1.5.3-5ubuntu5) noble; urgency=medium
* d/p/pam_env-remove-deprecation-notice-for-user_readenv.patch: drop
deprecation warning about user_readenv from pam_env (LP: #2059859)
-- Andreas Hasenack <andreas@canonical.com> Wed, 10 Apr 2024 16:19:22 -0300
pam (1.5.3-5ubuntu4) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 00:03:23 +0000
pam (1.5.3-5ubuntu3) noble; urgency=medium
* No-change rebuild against libdb5.3t64
-- Steve Langasek <steve.langasek@ubuntu.com> Sat, 02 Mar 2024 20:36:06 +0000
pam (1.5.3-5ubuntu2) noble; urgency=medium
* Fix FTBFS when built with -Werror=implicit-function-declaration
(LP: #2055453)
-- Dan Bungert <daniel.bungert@canonical.com> Thu, 29 Feb 2024 11:53:08 -0700
pam (1.5.3-5ubuntu1) noble; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager
when there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
-- Dan Bungert <daniel.bungert@canonical.com> Thu, 29 Feb 2024 10:25:41 -0700
pam (1.5.3-5) unstable; urgency=medium
* Revert renaming libpam0g to libpam0t64 for time_t transition: apt
sometimes removes libpam0g rather than simply letting libpam0t64
replace libpam0g (and deconfiguring libpam0g), leaving a system where
essential packages are broken, Closes: #1065017
* Since libpam0t64 is going away, we do not need dpkg-diversions for it.
* As a consequence libpam_misc has an ABI break without a package name
change. We believe nothing in the archive depends on this ABI, and at
least until we come up with a better solution this is the least bad option.
* For now remove libdb-dev so that libdb-dev can undergo time_t
transition. That means this version of pam does not include
pam_userdb, which makes pam unsuitable for release.
* Replace/break libpam0t64
-- Sam Hartman <hartmans@debian.org> Thu, 29 Feb 2024 09:46:54 -0700
pam (1.5.3-4ubuntu1) noble; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0t64.postinst: only ask questions during update-manager
when there are non-default services running.
- debian/libpam0t64.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
* Dropped changes, included in Debian:
- SECURITY UPDATE: pam_namespace local denial of service
- debian/patches/CVE-2024-22365.patch: use O_DIRECTORY to
prevent local DoS situations in modules/pam_namespace/pam_namespace.c.
- CVE-2024-22365
- Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes
usrmerge aliasing symlinks are in place since bookworm to keep
compatibility with PAM modules still installing into /lib.
(DEP17 M2) (Closes: #1060160).
- Mitigate /usr-move file loss. (Closes: #1062802)
- Update lintian override for setgid binary.
-- Dan Bungert <daniel.bungert@canonical.com> Wed, 28 Feb 2024 21:07:18 -0700
pam (1.5.3-4) unstable; urgency=medium
* Upload to unstable
* Revert 1.5.2-9.1 changes to debian/rules now that we use
debian/patches properly.
-- Sam Hartman <hartmans@debian.org> Tue, 27 Feb 2024 21:30:52 -0700
pam (1.5.3-3) experimental; urgency=medium
[ Helmut Grohne ]
* Mitigate /usr-move file loss. (Closes: #1062802)
-- Helmut Grohne <helmut@subdivi.de> Sat, 03 Feb 2024 12:18:52 +0100
pam (1.5.3-2) experimental; urgency=medium
* Rename libpam0g to libpamt64 for time_t transition
* New Swedish Translations, Thanks Martin Bagge / brother, Closes: #1057775
* pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
situations (CVE-2024-22365) (Closes: #1061097)
-- Sam Hartman <hartmans@debian.org> Fri, 02 Feb 2024 11:27:45 -0700
pam (1.5.3-1) experimental; urgency=medium
[ Sam Hartman ]
* New upstream version
* Since we no longer build with NIS support, drop Debian patches related
to NIS
[ Debian Janitor]
* Update lintian override info to new format:
+ debian/libpam-runtime.lintian-overrides: line 5, 7, 9-13
+ debian/libpam-modules.lintian-overrides: line 5-10, 14
* Trim trailing whitespace.
* Move source package lintian overrides to debian/source.
* Update renamed lintian tag names in lintian overrides.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse.
* Drop unnecessary dependency on dh-autoreconf.
* Update standards version to 4.6.2, no changes needed.
[ Andreas Henriksson ]
* debian/rules: use --enable-usergroups configure flag (Closes: #583958)
* Use pam_umask.so in common-session{-noninteractive} (Closes: #711104)
[ Debian Janitor ]
* Apply multi-arch hints. + libpam-doc: Add Multi-Arch: foreign.
[ Sam Hartman ]
* Drop NIS patches and rearrange other patches.
* Update patch to move pam manpage to section 7: docbook tools now take
the man page output name from the xml so we need to update the
Makefile.
* Now PAM.7 is actually installed as pam.7 so update packaging
* pam-auth-update: Session-Interactive-Only set to anything other than
yes counts as undefined/no, thanks Lucas Nussbaum, Closes: #982309
* Use logind instead of utmp in pam_issue and pam_timestamp; utmp is not
y2038-safe.
[ Sam Hartman ]
* Add new common-session-* templates to pam-auth-update.
[ Chris Hofstaedtler ]
* Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes
usrmerge aliasing symlinks are in place since bookworm to keep
compatibility with PAM modules still installing into /lib.
(DEP17 M2) (Closes: #1060160).
* Update lintian override for setgid binary.
-- Sam Hartman <hartmans@debian.org> Mon, 15 Jan 2024 15:45:50 -0700
pam (1.5.2-9.1ubuntu3) noble; urgency=medium
[ Chris Hofstaedtler ]
* Install into /usr/{lib,sbin} instead of /{lib,sbin}. Assumes
usrmerge aliasing symlinks are in place since bookworm to keep
compatibility with PAM modules still installing into /lib.
(DEP17 M2) (Closes: #1060160).
* Update lintian override for setgid binary.
[ Helmut Grohne ]
* Mitigate /usr-move file loss. (Closes: #1062802)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 22 Feb 2024 13:24:31 +0100
pam (1.5.2-9.1ubuntu2) noble; urgency=medium
* SECURITY UPDATE: pam_namespace local denial of service
- debian/patches-applied/CVE-2024-22365.patch: use O_DIRECTORY to
prevent local DoS situations in modules/pam_namespace/pam_namespace.c.
- CVE-2024-22365
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 17 Jan 2024 12:28:44 -0500
pam (1.5.2-9.1ubuntu1) noble; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
* debian/update-motd.5: fix a typo; thanks to David
Collantes <david@collantes.us>.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 20 Nov 2023 06:39:20 -0800
pam (1.5.2-9.1) unstable; urgency=medium
* Non-maintainer upload acked by Sam Hartman.
* Really fix quilt-related FTBFS: (Closes: #1054505)
pam is a 3.0 (quilt) source package and has a .pc directory after unpack
despite having no debian/patches. Even when setting QUILT_PATCH_DIR or
QUILT_PATCHES, quilt is now mislead to using the non-existent
debian/patches and this makes dh_quilt_unpatch fail, so we delete that
directory unless it corresponds to the real debian/patches-applied that we
want to be used.
-- Helmut Grohne <helmut@subdivi.de> Tue, 24 Oct 2023 19:38:53 +0200
pam (1.5.2-9) unstable; urgency=low
* Revert 1.5.2-8 upload; as far as I can tell the change is incorrect,
Closes: #1054493
-- Sam Hartman <hartmans@debian.org> Tue, 24 Oct 2023 09:19:43 -0600
pam (1.5.2-7) unstable; urgency=medium
[ Steve Langasek ]
* Drop reference to stale package version in libpam-modules.postinst;
thanks, Gioele Barabucci <gioele@svario.it>.
[ Sam Hartman ]
* Fix pam-auth-update --disable logic error, Closes: #1039873
* Set myself as maintainer; thanks Steve for past and future work.
* Fix watch file, thanks Daniel Lewart, Closes: #1040310
* Install upstream NEWS file as main upstream changelog; detailed
CHANGELOG only in libpam-doc, Closes: #1040315
* Updated Turkish Debconf translations, Thanks Atila KOÇ, Closes: #1029002
-- Sam Hartman <hartmans@debian.org> Wed, 16 Aug 2023 17:22:53 -0600
pam (1.5.2-6ubuntu1) mantic; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 15 May 2023 15:17:53 -0700
pam (1.5.2-6) unstable; urgency=medium
* Update debian/copyright, Thanks Bastian Germann, Closes: #460232
* When pam-auth-update is called with --root, use
/usr/share/pam-configs from the root not from the host system, Thanks
Johannes Schauer Marin Rodrigues, Closes: #1022952
* Build-depend on libcrypt-dev, Closes: #1024645
* Add pam-auth-udpate --disable, Closes: #1004000
* Add autopkgtests
-- Sam Hartman <hartmans@debian.org> Tue, 03 Jan 2023 13:15:23 -0700
pam (1.5.2-5ubuntu1) lunar; urgency=medium
* Merge from Debian unstable; remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 07 Nov 2022 12:53:39 -0800
pam (1.5.2-5) unstable; urgency=medium
* pam_namespace_helper manpage *wasn't* missing, it was just being
wrongly shipped in libpam-modules instead - so complete the moving
of the manpage to the libpam-modules-bin where it belongs with the
binary. Really Closes: #1021336.
-- Steve Langasek <vorlon@debian.org> Thu, 06 Oct 2022 18:56:06 +0000
pam (1.5.2-4) unstable; urgency=medium
* pam_namespace_helper manpage was missing, but namespace.conf.5 was
already shipped in libpam-modules. Leave it there. Closes: #1021336.
-- Steve Langasek <vorlon@debian.org> Thu, 06 Oct 2022 17:28:36 +0000
pam (1.5.2-3) unstable; urgency=medium
* Add missing manpages for pam_namespace which for some reason don't get
installed by the upstream rules
* Drop obsolete upgrade code from maintainer scripts which is no longer
used
* Drop manual multiarch file handling in favor of dh-exec.
* No special-case needed for pam_modutil_sanitize_helper_fds in symbols
file, it's covered by the existing globs.
* debian/local/Debian-PAM-MiniPolicy: drop references to ancient
package versions. Thanks, Marc Haber.
* Support DPKG_ROOT in the postinst scripts. Closes: #993161.
Thanks, Johannes Schauer Marin Rodrigues.
* Further proof libpam-runtime postinst for DPKG_ROOT just in case.
-- Steve Langasek <vorlon@debian.org> Thu, 06 Oct 2022 04:05:02 +0000
pam (1.5.2-2ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
* Dropped changes, no longer needed:
- d/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment
* Refresh patches.
* debian/patches-applied/extrausers.patch: update for upstream changes.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 18 Aug 2022 18:16:30 +0000
pam (1.5.2-2) unstable; urgency=medium
* Pass --with-systemdunitdir=/usr/lib/systemd/system for consistent
builds whether we are or aren't building in an environment with systemd
present.
* Install the pam_namespace.service unit in the libpam-modules-bin
package.
-- Steve Langasek <vorlon@debian.org> Thu, 18 Aug 2022 16:47:57 +0000
pam (1.5.2-1) unstable; urgency=medium
* New upstream release.
- fixes compatibility with libpam-systemd. Closes: #1017467.
- fixes bashisms in configure.ac. Closes: #998361.
* Refresh patches.
* Drop patches included or obsoleted upstream:
- debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
- debian/patches-applied/pam_unix_initialize_daysleft
- debian/patches-applied/pam_faillock_create_directory
- debian/patches-applied/pam_unix_avoid_checksalt
- debian/patches-applied/pam_env-allow-environment-files-without-EOL-at-EOF.patch
* Drop libpam-cracklib which has been obsoleted upstream.
* Add pkgconfig .pc files to libpam0g-dev. Closes: #1012688.
* Update .symbols file.
* Updated Romanian debconf translation, thanks Andrei Popescu, Closes:
#986416
* Drop versioning of quilt build-dependency to quiet lintian, since the
version is satisfied by oldoldoldstable.
* Drop unused build-build-dependency on bzip2.
* Adjust lintian overrides for latest lintian syntax.
* Update Standards-Version.
* Bump debhelper compat to 13.
* debian/not-installed: document upstream files that aren't used.
* Override incorrect lintian warning about use of dpkg database.
* Override lintian warning for PAM module manpages being in section 8
* Override lintian warning for unused debconf templates
* Install additional upstream manpages: faillock(8), environment(5),
pwhistory_helper(8)
* Install additional helpers in libpam-modules-bin: pam_namespace_helper,
pwhistory_helper
* Fix wrong syntax in symbols file
-- Steve Langasek <vorlon@debian.org> Thu, 18 Aug 2022 07:27:16 +0000
pam (1.4.0-13ubuntu1) kinetic; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 26 Apr 2022 11:10:38 -0700
pam (1.4.0-13) unstable; urgency=medium
* Don't build with NIS support. This is only used for password changes on
NIS systems, and is pulling a large dependency chain into the Essential
package set which is not justifiable.
-- Steve Langasek <vorlon@debian.org> Mon, 25 Apr 2022 16:12:04 -0700
pam (1.4.0-11ubuntu2) jammy; urgency=medium
* Drop Recommends on update-motd which is no longer used and is not being
maintained.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 23 Mar 2022 18:43:24 -0700
pam (1.4.0-11ubuntu1) jammy; urgency=medium
* Merge from Debian unstable, remaining changes:
- debian/control: have libpam-modules recommend update-motd package
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment
* Dropped changes, included in Debian:
- d/p/pam_env-allow-environment-files-without-EOL-at-EOF.patch:
Allow /etc/environment files without EOL at EOF.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 07 Feb 2022 08:51:50 -0800
pam (1.4.0-11) unstable; urgency=medium
* Whitespace fixes in debconf templates.
[ Sergio Durigan Junior ]
* d/p/pam_env-allow-environment-files-without-EOL-at-EOF.patch:
Allow /etc/environment files without EOL at EOF. In other words,
allow files without a newline at the end. (LP: #1953201)
-- Steve Langasek <vorlon@debian.org> Mon, 06 Dec 2021 11:11:31 -0800
pam (1.4.0-10ubuntu2) jammy; urgency=medium
[ Sergio Durigan Junior ]
* d/p/pam_env-allow-environment-files-without-EOL-at-EOF.patch:
Allow /etc/environment files without EOL at EOF. In other words,
allow files without a newline at the end. (LP: #1953201)
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 06 Dec 2021 11:05:28 -0800
pam (1.4.0-10ubuntu1) jammy; urgency=medium
* Merge from Debian unstable (LP: #1916509). Remaining changes:
- debian/control: have libpam-modules recommend update-motd package
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager when
there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- debian/patches-applied/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches-applied/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment
* Dropped changes, obsoleted:
- pam_motd: Export MOTD_SHOWN=pam after showing MOTD
- Return only PAM_IGNORE or error from pam_motd
- Fix patches to fix FTBFS
- Backport pam_faillock module from pam 1.4.0
- debian/patches-applied/nullok_secure-compat.patch: Support
nullok_secure as a deprecated alias for nullok.
- debian/pam-configs/unix: use nullok, not nullok_secure.
* Patches:
- d/p/pam_motd-legal-notice: refreshed
- Refreshed d/p/pam_umask_usergroups_from_login.defs.patch to use
pam_modutil_search_key instead of our own hand-rolled version
- d/p/extrausers.patch: Refreshed the patch and fixed the
HAVE_LIBSELINUX conditional removed upstream.
* d/local/pam-auth-update: refreshed the md5sum for debian/local/common-session
-- Simon Chopin <simon.chopin@canonical.com> Tue, 26 Oct 2021 10:49:14 +0200
pam (1.4.0-10) unstable; urgency=medium
* Fix syntax error in libpam0g.postinst when a systemd unit fails,
Closes: #992538
* Include upstream patch not to use crypt_checksalt; without this
passwords set prior to bullseye were considered expired, Closes:
#992848
* Support DPKG_ROOT for pam-auth-update, thanks Johannes 'josch' Schauer
Closes: #983427
-- Sam Hartman <hartmans@debian.org> Thu, 26 Aug 2021 13:43:23 -0600
pam (1.4.0-9) unstable; urgency=medium
* Revert prefer the multiarch path from 1.4.0-8: It turns out that
Debian uses DEFAULT_MODULE_PATH and _PAM_ISA in the opposite meaning
of upstream. If I had read the patch header of
patches-applied/lib_security_multiarch_compat more closely I would
have noticed this. The effect of 1.4.0-9 is what is stated in the
1.4.0-8 changelog: we prefer multiarch paths, but the original patch
did that.
* I did test this in 1.4.0-8, but my test design was flawed. I placed a
invalid shared object in /lib/security and confirmed it did not shadow
an object in /lib/x86_64-linux-gnu/security. However I realized
shortly after releasing 1.4.0-8 that a valid shared object in
/lib/security will shadow one in the multiarch path.
-- Sam Hartman <hartmans@debian.org> Fri, 09 Jul 2021 10:55:02 -0600
pam (1.4.0-8) unstable; urgency=high
[ Hideki Yamane ]
* debian/patches-applied/lib_security_multiarch_compat
- Fix regression introduced in 1.4.0-1: search both /lib/security and
/lib/[multiarch_tripple]/security/, Closes: #990790
[ Sam Hartman ]
* Reword changelog
* Prefer the multiarch path (_PAM_ISA) to the non-multiarch path.
That's different than buster, but guarantees everything already
working in bullseye will continue to work and also guarantees that
when multiarch modules are available we use them.
-- Hideki Yamane <henrich@debian.org> Tue, 06 Jul 2021 22:09:15 +0900
pam (1.4.0-7) unstable; urgency=medium
* Updated portuguese debconf translation, thanks Pedro Ribeiro, Closes:
#983594
* Updated Simplified Chinese Translations, thanks Boyuan Yang
* Updated Bulgarian Translation, Thanks Damyan Ivanov
* Updated translation from the Slovak team, thanks Ladislav Michnovič,
Closes: #984891
* Updated Catalan translation, thanks Alex Muntada, Closes: #984568
* Updated Brazilian Portuguese translation, Thanks Adriano Rafael Gomes,
Closes: #984656
* French Debconf translations, thanks Jean-Pierre Giraud , Closes:
#984910
* Updated russian Debconf translations, thanks Алексей Шилин, Closes:
#984878
* Updated Dutch debconf templates, Thanks Frans Spiesschaert, Closes:
#984823
* Updated German Debconf translations, Thanks Sven Joachim
* Code review fixes for the fix to #982295, thanks Mark Hindley
- Actually set service to $1 rather than happening to use a variable
of the same name in enclosing scope
- Remove dead code setting idl when not used
* Code review fixes to the fix for #982530, thanks Martin Schurz
- Include '-' in the file matching regexp so we search
/etc/pam.d/common-* for uses of pam_tally. The profile check will
catch this unless the user has overwridden the configuration
- Fix capitalization of pam_Tally in debconf description
-- Sam Hartman <hartmans@debian.org> Mon, 15 Mar 2021 15:01:55 -0400
pam (1.4.0-6) unstable; urgency=medium
* Clearly it's been too long since I've done debconf; run
debconf-updatepo so the translations will show up as needing
translating.
-- Sam Hartman <hartmans@debian.org> Fri, 26 Feb 2021 10:48:23 -0500
pam (1.4.0-5) unstable; urgency=low
* Remove profiles containing pam_tally or pam_tally2 since we no longer
build them.
* Also, fail to permit profiles to be selected that include pam_tally
once the new pam-auth-update is installed
* Check for any user-added references to pam_tally and halt the upgrade,
Closes: #982530
* Handle services with systemd units but no init scripts, Closes: #982295
* Register md5sum for new common-password template, Closes: #982898
* After reading pam-auth-update source, I agree with Lucas Nussbaum
that common-session is intended only for interactive sessions.
Otherwise pam-auth-update should not duplicate module configurations
between common-session-noninteractive and common-session, so update
the documentation, Closes: #982297
-- Sam Hartman <hartmans@debian.org> Thu, 25 Feb 2021 15:48:22 -0500
pam (1.4.0-4) unstable; urgency=medium
* Document in README.source how to avoid multi-arch problems with documentation, Closes: #851650
* Update header to common-password talking about sha512
* The fix for #977648 incorrectly assumed how prerm scripts are called; update.
-- Sam Hartman <hartmans@debian.org> Wed, 03 Feb 2021 12:35:12 -0500
pam (1.4.0-3) unstable; urgency=medium
[ Josh Triplett ]
* libpam-runtime.postrm: Remove session-noninteractive files on purge,
Closes: #978601
[ Sam Hartman ]
* patches-applied/pam_mkhomedir_stat_before_opendir: Stat the skeleton
directory before opendir, Closes: #834589
* libpam-modules.install: Install pam_faillock binaries, Closes: #981092
* debian/patches-applied/pam_unix_initialize_daysleft : Initialize days before password expire, Closes: #980285
* pam-configs/unix: Default to yescript rather than sha512. From a theoretical security standpoint, it looks like yescript has similar security properties, assuming (as we typically do in the crypto protocol community) that sha256 is still reasonable. However, in terms of practical resistant to password cracking, particularly in terms of valuing space complexity as well as time complexity, yescript is superior, Closes: #978553
* No infinite loop on purge of libpam-runtime, Closes: #977648
* patches-applied/pam_faillock_create_directory: create /run/faillock when needed.
-- Sam Hartman <hartmans@debian.org> Mon, 01 Feb 2021 15:27:08 -0500
pam (1.4.0-2) unstable; urgency=medium
* Restart services on upgrade to 1.4.0. Closes: #978555.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 28 Dec 2020 19:20:38 -0800
pam (1.4.0-1) unstable; urgency=medium
* New upstream release. Closes: #948188.
- Stop using obsoleted selinux headers. Closes: #956355.
- Continue building pam_cracklib, which is deprecated upstream;
the replacement, pam_passwdqc, is packaged separately.
- Update symbols file for new symbols.
- Refresh lintian overrides for changes to available pam modules.
* Drop patches to implement "nullok_secure" option for pam_unix.
Closes: #674857, #936071, LP: #1860826.
* debian/patches-applied/cve-2010-4708.patch: drop, applied upstream.
* debian/patches-applied/nullok_secure-compat.patch: Support
nullok_secure as a deprecated alias for nullok.
* debian/pam-configs/unix: use nullok, not nullok_secure.
* Drop pam_tally and pam_tally2 modules, which have been deprecated
upstream in favor of pam_faillock. Closes: #569746, LP: #772121.
* Add hardening+=bindnow to build options, per lintian.
-- Steve Langasek <vorlon@debian.org> Mon, 28 Dec 2020 06:05:13 +0000
pam (1.3.1-5ubuntu11) impish; urgency=medium
* extrausers.patch: update for compatibility with the removal of
nullok_secure.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Sep 2021 22:39:58 -0700
pam (1.3.1-5ubuntu10) impish; urgency=medium
* Fix up the nullok_secure-compat.patch to apply properly on 1.3.1.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Sep 2021 18:28:12 -0700
pam (1.3.1-5ubuntu9) impish; urgency=medium
* Correctly document current VCS in debian/control.
* Drop patches to implement "nullok_secure" option for pam_unix.
Closes: #674857, #936071, LP: #1860826.
* debian/patches-applied/nullok_secure-compat.patch: Support
nullok_secure as a deprecated alias for nullok.
* debian/pam-configs/unix: use nullok, not nullok_secure.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 15 Sep 2021 18:18:19 -0700
pam (1.3.1-5ubuntu8) impish; urgency=medium
* Disable custom daemon restart detection code if needrestart is available
(LP: #1935972)
-- Simon Chopin <simon.chopin@canonical.com> Tue, 13 Jul 2021 10:28:04 +0200
pam (1.3.1-5ubuntu7) impish; urgency=medium
* Backport pam_faillock module from pam 1.4.0 (LP: #1927796)
- debian/patches-applied/add_pam_faillock.patch: add module.
- debian/patches-applied/pam_faillock_create_directory: create dir
before creating file in modules/pam_faillock/faillock.c.
- debian/rules: set execute permissions on pam_faillock test.
- debian/libpam-modules-bin.install: install faillock binary and man
page.
-- Richard Maciel Costa <richard.maciel.costa@canonical.com> Thu, 08 Apr 2021 07:06:27 -0400
pam (1.3.1-5ubuntu6) groovy; urgency=medium
* Fix FTBFS with selinux/flask.h
- debian/patches-applied/selinux_flask_ftbfs.patch: Fix FTBFS due to
deprecated selinux/flask.h
-- Mike Salvatore <mike.salvatore@canonical.com> Wed, 05 Aug 2020 21:10:51 -0400
pam (1.3.1-5ubuntu5) groovy; urgency=medium
* debian/libpam-modules.postinst: Add /snap/bin to $PATH in
/etc/environment. (LP: #1659719)
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Fri, 10 Jul 2020 08:35:49 +1200
pam (1.3.1-5ubuntu4) focal; urgency=medium
* Return only PAM_IGNORE or error from pam_motd (LP: #1856703)
-- Balint Reczey <rbalint@ubuntu.com> Tue, 17 Dec 2019 17:41:40 +0100
pam (1.3.1-5ubuntu3) focal; urgency=medium
* Fix patches to fix FTBFS
-- Balint Reczey <rbalint@ubuntu.com> Thu, 05 Dec 2019 13:18:35 +0100
pam (1.3.1-5ubuntu2) focal; urgency=medium
* pam_motd: Export MOTD_SHOWN=pam after showing MOTD (LP: #1855092)
-- Balint Reczey <rbalint@ubuntu.com> Wed, 04 Dec 2019 12:23:57 +0100
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libpam0g`.
Generated by dwww version 1.16 on Sat Dec 13 16:16:13 CET 2025.