Coming in late.
So, trixie is already released, so how do you want me to handle this?
Add the breaks for the next trixie update?

>>>>> "Bastien" == Bastien Roucaries <[email protected]> writes:

    Bastien> On Sunday, 3 August 2025, 17:12:44 Central European Summer
    Bastien> Time, Bastien Roucaries wrote:
    >> On Sunday, 3 August 2025, 14:05:33 Central European Summer Time,
    >> Salvatore Bonaccorso wrote:
    >> Hi
    >> 
    >> Feel free to decrease to important, because with the default
    >> apparmor package it will only break samba shares, for a reasonable
    >> pam configuration. For subtle ones it falls back to unix_chkpwd,
    >> the account could be locked
    Bastien> Hi,

    Bastien> I have a lightly tested patch for apparmor
    Bastien> https://salsa.debian.org/rouca/apparmor/-/commits/bookworm

    Bastien> integreti/marc.deslauriers could you test in order to see
    Bastien> if I missed something.

    Bastien> rouca

    >> 
    >> Other apparmor profiles are configured by default
    >> 
    >> I managed to reproduce on a virtual machine:
    >> - reverting the patch allow unix_chkpwd on apparmor
    >> - enable the usr.bin.passwd profile
    >> 
    >> It fails
    >> 
    >> For bookworm it will need to be fixed
    >> 
    >> Bastien
    >> 
    >> > On Sun, Aug 03, 2025 at 01:22:13PM +0200, Bastien Roucaries wrote:
    >> > > Source: pam
    >> > > Version: 1.7.0-5
    >> > > Severity: grave
    >> > > Justification: may break the whole system (login)
    >> > > X-Debbugs-CC: [email protected]
    >> > > X-Debbugs-CC: Debian Security Team <[email protected]>
    >> > > 
    >> > > Hi,
    >> > > 
    >> > > Following fix of CVE-2024-10041 pam now uses
    >> > > /usr/sbin/unix_chkpwd unconditionally
    >> > > 
    >> > > If someone uses apparmor login or user then login will fail,
    >> > > maybe some time later due to expired password or other unix
    >> > > configuration
    >> > > 
    >> > > see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
    >> > > https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f
    >> > > 
    >> > > In order to be on the safe side could you add Breaks:
    >> > > apparmor-profiles (<< 4.1.0-1~) or maybe Pre-Depends:
    >> > > 
    >> > > apparmor needs to be updated before pam.
    >> > > 
    >> > > I know it is late in the release cycle, but I just detected
    >> > > trying to debug stuff for pam.
    >> > > 
    >> > > Maybe postpone
    >> > 
    >> > Should this be reassigned to src:apparmor instead then and
    >> > marked affecting src:pam?
    >> > 
    >> > Regards,
    >> > Salvatore
