On Sunday, 3 August 2025, 17:12:44 Central European Summer Time, Bastien Roucaries wrote:
> On Sunday, 3 August 2025, 14:05:33 Central European Summer Time, Salvatore Bonaccorso wrote:
> Hi
>
> Feel free to decrease to important, because with default apparmor package it
> will only break samba share, for reasonable pam configuration. For subtle
> one it fallback to unix_chkpwd the account could be locked

Hi,

I have a lightly tested patch for apparmor
https://salsa.debian.org/rouca/apparmor/-/commits/bookworm

integreti/marc.deslauriers could you test in order to see if I miss something.

rouca

>
> Other apparmor profiles are configured by default
>
> I achieved to reproduce on virtual machine:
> - reverting the patch allow unix_chkpwd on apparmor
> - enable the usr.bin.passwd profile
>
> It fails
>
> For bookworm it will need to be fixed
>
> Bastien
>
> > On Sun, Aug 03, 2025 at 01:22:13PM +0200, Bastien Roucaries wrote:
> > > Source: pam
> > > Version: 1.7.0-5
> > > Severity: grave
> > > Justification: may break the whole system (login)
> > > X-Debbugs-CC: [email protected]
> > > X-Debbugs-CC: Debian Security Team <[email protected]>
> > >
> > > Hi,
> > >
> > > Following the fix of CVE-2024-10041, pam now uses /usr/sbin/unix_chkpwd
> > > unconditionally
> > >
> > > If someone uses apparmor login or user then login will fail, maybe some
> > > time later due to expired password or other unix configuration
> > >
> > > see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
> > > https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f
> > >
> > > In order to be on the safe side could you add Breaks: apparmor-profiles
> > > (<< 4.1.0-1~) or maybe Pre-Depends:
> > >
> > > apparmor needs to be updated before pam.
> > >
> > > I know it is late in the release cycle, but I just detected trying to
> > > debug stuff for pam.
> > >
> > > Maybe postpone
> >
> > Should this be reassigned to src:apparmor instead then and marked
> > affecting src:pam?
> >
> > Regards,
> > Salvatore

