[ubuntu/questing-proposed] pam 1.7.0-5ubuntu1 (Accepted)
Ankush Pathak
ankush.pathak at canonical.com
Mon Jul 21 16:49:14 UTC 2025
pam (1.7.0-5ubuntu1) questing; urgency=medium
* Merge with Debian unstable (LP: #2112053). Remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager
when there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/patches/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/update-motd.5, debian/libpam-runtime.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/p/pam_env-remove-deprecation-notice-for-user_readenv.patch: drop
deprecation warning about user_readenv from pam_env (LP 2059859)
- debian/patches/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- d/po/eu.po, d/po/fi.po, d/po/vi.po: Clean-up translation files
- debian/patches/fix-pam_motd_ftbfs.patch: fix FTBFS in display_legal()
- d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP #2087827)
* Drop Changes:
- debian/pam-configs/mkhomedir: honor default private home directory
permissions for pam_mkdir.so by specifying a umask of 0027
(LP #1957024)
[Dropped the above change and its revert below]
- debian/pam-configs/mkhomedir: remove umask override added previously
for LP #1957024 as this is not actually needed since pam_mkhomedir
already respects HOME_MODE from login.defs and it complicates umask
management in general
- SECURITY UPDATE: privilege escalation via pam_namespace
[Fixed in 1.7.0-4]
* Changed Delta:
- d/p/extrausers.patch,
d/p/pam_umask_usergroups_from_login.defs.patch,
d/p/update-motd-manpage-ref: Update patches to work with meson. Drop
text-based man-pages in favor of XML ones. Add required code to build
scripts.
- debian/tests/usr-lib-config: Fix typo in "mv /usr/lib/pam.d/passwd
/etc/pam.d/*"
pam (1.7.0-5) unstable; urgency=high
* pam_access: backport upstream commit to implement nodns option to allow people to work around #1087019
pam (1.7.0-4) experimental; urgency=high
[ Gioele Barabucci ]
* d/control: Update standards version to 4.7.0, no changes needed
* d/TODO: Remove outdated item about fop (Closes: #629438)
[ Sam Hartman ]
* Fix CVE-2025-6020: local privilege escalation in pam_namespace, Closes: 1107919
[ James Morris ]
* pam_access improperly checks for group membership of a user.
(Closes: #1103339)
pam (1.7.0-3) unstable; urgency=high
* Disable HURD suid patch for now because it breaks on Linux, Closes:
#1095194
pam (1.7.0-2) unstable; urgency=medium
* Release to unstable
pam (1.7.0-1) experimental; urgency=medium
* New upstream version, Closes: #1088923
- ChangeLog removed upstream, do not install it.
- Upstream claims CVE-2024-10041 is fixed by PAM 1.6.0, Closes:
#1086038
* Build depend on meson
* Depend on fop
* Use installed faillock and namespace man page rather than source man page.
* Install text module documentation in libpam-doc/txt
* Build and install pdf documentation
* Remove Steve from uploaders, thanks for all your contributions; you
will be missed.
* In response to lintian complaint, clarify that PAM can be distributed under any version of the GPL.
* Pdf files are compressed; update doc-base
* Properly handle environment.5 manpage, Closes: #1081181
* Move pam module man pages into libpam-runtime to avoid multi-arch uninstallability
* Move libpam0g-dev man pages into libpam-doc
* Build depend on pkgconf rather than pkg-config
* Only build-depend on documentation tools for arch-indep builds; do not build docs for arch all builds, Closes: #1093222
* pam_limits: do not override systemd's limits by default; add the set_all option to restore previous behavior, Closes: #995236
* Document pam_limits change in news
Date: Thu, 03 Jul 2025 22:03:16 +0530
Changed-By: Ankush Pathak <ankush.pathak at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Dave Jones <dave.jones at canonical.com>
https://launchpad.net/ubuntu/+source/pam/1.7.0-5ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 03 Jul 2025 22:03:16 +0530
Source: pam
Built-For-Profiles: noudeb
Architecture: source
Version: 1.7.0-5ubuntu1
Distribution: questing
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ankush Pathak <ankush.pathak at canonical.com>
Closes: 629438 995236 1081181 1086038 1088923 1093222 1095194 1103339 1107919
Launchpad-Bugs-Fixed: 2112053
Changes:
pam (1.7.0-5ubuntu1) questing; urgency=medium
.
* Merge with Debian unstable (LP: #2112053). Remaining changes:
- debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
not present there or in /etc/security/pam_env.conf. (should send to
Debian).
- debian/libpam0g.postinst: only ask questions during update-manager
when there are non-default services running.
- debian/libpam0g.postinst: check if gdm is actually running before
trying to reload it.
- debian/patches/pam_motd-legal-notice: display the contents of
/etc/legal once, then set a flag in the user's homedir to prevent
showing it again.
- debian/patches/ubuntu-rlimit_nice_correction: Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/update-motd.5, debian/libpam-runtime.manpages: add a manpage
for update-motd, with some best practices and notes of explanation.
- debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
to update-motd(5)
- debian/local/common-session{,-noninteractive}: Enable pam_umask by
default, now that the umask setting is gone from /etc/profile.
- debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
- debian/patches/extrausers.patch: Add a pam_extrausers module
that is basically just a copy of pam_unix but looks at
/var/lib/extrausers/{group,passwd,shadow} instead of /etc/
- debian/libpam-modules-bin.install: install the helper binaries for
pam_extrausers to /sbin
- debian/rules: Make pam_extrausers_chkpwd sguid shadow
- Add lintian override for pam_extrausers_chkpwd
- Disable custom daemon restart detection code if needrestart is available
- d/p/pam_env-remove-deprecation-notice-for-user_readenv.patch: drop
deprecation warning about user_readenv from pam_env (LP 2059859)
- debian/patches/pam_umask_usergroups_from_login.defs.patch:
Deprecate pam_unix's explicit "usergroups" option and instead read it
from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
there. This restores compatibility with the pre-PAM behaviour of login.
- d/po/eu.po, d/po/fi.po, d/po/vi.po: Clean-up translation files
- debian/patches/fix-pam_motd_ftbfs.patch: fix FTBFS in display_legal()
- d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP #2087827)
* Drop Changes:
- debian/pam-configs/mkhomedir: honor default private home directory
permissions for pam_mkdir.so by specifying a umask of 0027
(LP #1957024)
[Dropped the above change and its revert below]
- debian/pam-configs/mkhomedir: remove umask override added previously
for LP #1957024 as this is not actually needed since pam_mkhomedir
already respects HOME_MODE from login.defs and it complicates umask
management in general
- SECURITY UPDATE: privilege escalation via pam_namespace
[Fixed in 1.7.0-4]
* Changed Delta:
- d/p/extrausers.patch,
d/p/pam_umask_usergroups_from_login.defs.patch,
d/p/update-motd-manpage-ref: Update patches to work with meson. Drop
text-based man-pages in favor of XML ones. Add required code to build
scripts.
- debian/tests/usr-lib-config: Fix typo in "mv /usr/lib/pam.d/passwd
/etc/pam.d/*"
.
pam (1.7.0-5) unstable; urgency=high
.
* pam_access: backport upstream commit to implement nodns option to allow people to work around #1087019
.
pam (1.7.0-4) experimental; urgency=high
.
[ Gioele Barabucci ]
* d/control: Update standards version to 4.7.0, no changes needed
* d/TODO: Remove outdated item about fop (Closes: #629438)
.
[ Sam Hartman ]
* Fix CVE-2025-6020: local privilege escalation in pam_namespace, Closes: 1107919
.
[ James Morris ]
* pam_access improperly checks for group membership of a user.
(Closes: #1103339)
.
pam (1.7.0-3) unstable; urgency=high
.
* Disable HURD suid patch for now because it breaks on Linux, Closes:
#1095194
.
pam (1.7.0-2) unstable; urgency=medium
.
* Release to unstable
.
pam (1.7.0-1) experimental; urgency=medium
.
* New upstream version, Closes: #1088923
- ChangeLog removed upstream, do not install it.
- Upstream claims CVE-2024-10041 is fixed by PAM 1.6.0, Closes:
#1086038
* Build depend on meson
* Depend on fop
* Use installed faillock and namespace man page rather than source man page.
* Install text module documentation in libpam-doc/txt
* Build and install pdf documentation
* Remove Steve from uploaders, thanks for all your contributions; you
will be missed.
* In response to lintian complaint, clarify that PAM can be distributed under any version of the GPL.
* Pdf files are compressed; update doc-base
* Properly handle environment.5 manpage, Closes: #1081181
* Move pam module man pages into libpam-runtime to avoid multi-arch uninstallability
* Move libpam0g-dev man pages into libpam-doc
* Build depend on pkgconf rather than pkg-config
* Only build-depend on documentation tools for arch-indep builds; do not build docs for arch all builds, Closes: #1093222
* pam_limits: do not override systemd's limits by default; add the set_all option to restore previous behavior, Closes: #995236
* Document pam_limits change in news
Checksums-Sha1:
4de3326ee57a2ed5ced9d1fed6bd088d57372f6f 2945 pam_1.7.0-5ubuntu1.dsc
935f3a737f834ac94a6600e4e3619de47e0cfa6a 507824 pam_1.7.0.orig.tar.xz
0cc8ae9ba7a17610041e702b70eaba8765f93ced 801 pam_1.7.0.orig.tar.xz.asc
d0e7d342b7d22d132f1794fa5d9de28b2e3f5e21 193972 pam_1.7.0-5ubuntu1.debian.tar.xz
e30ca9a4bb05adf019343c01c32da4e476061491 7756 pam_1.7.0-5ubuntu1_source.buildinfo
Checksums-Sha256:
abd444fb219b2e5d4d73e96d6971d49c7db274988a2ed2f9e62b31de12a0f7a8 2945 pam_1.7.0-5ubuntu1.dsc
57dcd7a6b966ecd5bbd95e1d11173734691e16b68692fa59661cdae9b13b1697 507824 pam_1.7.0.orig.tar.xz
7a8ea18ec7d9dd1f8cbf9055c32128cbca8241aa63e9fea44d56ce6f0e15e441 801 pam_1.7.0.orig.tar.xz.asc
edd959f2f4ec07ff9fea277acb1866f5db52d5b1460bfb9922604f423bb74277 193972 pam_1.7.0-5ubuntu1.debian.tar.xz
7496fad74f6a84b24401733c234bc494da526052bc5e631b930c6c90f8623f10 7756 pam_1.7.0-5ubuntu1_source.buildinfo
Files:
38ea5aa07ed2d3545a13cc06b9802640 2945 libs optional pam_1.7.0-5ubuntu1.dsc
c1e41d59d6852e45d0f953c8c8f869d6 507824 libs optional pam_1.7.0.orig.tar.xz
9a57369709c01169ecc6b2ff59a43db6 801 libs optional pam_1.7.0.orig.tar.xz.asc
d1e657ef4f3c665cce8441a3e4cb49f3 193972 libs optional pam_1.7.0-5ubuntu1.debian.tar.xz
dacbd33387f2483348c5995e6844711b 7756 libs optional pam_1.7.0-5ubuntu1_source.buildinfo
Original-Maintainer: Sam Hartman <hartmans at debian.org>
Vcs-Git: https://git.launchpad.net/~ankushpathak/ubuntu/+source/pam
Vcs-Git-Commit: 2835097ac88fd3553ee0464c66b628a2ae7955e5
Vcs-Git-Ref: refs/heads/merge-lp2112053-questing
More information about the Questing-changes
mailing list