On Sunday, 10 August 2025, 18:01:19 Central European Summer Time, Sam Hartman wrote:
> Coming in late.
> So, trixie is already released, so how do you want me to handle this?
> Add the breaks for the next trixie update?

I think so, better safe than sorry

Bastien

>
> >>>>> "Bastien" == Bastien Roucaries <[email protected]> writes:
>
> Bastien> On Sunday, 3 August 2025, 17:12:44 Central European Summer Time,
> Bastien> Bastien Roucaries wrote:
> >> On Sunday, 3 August 2025, 14:05:33 Central European Summer Time,
> >> Salvatore Bonaccorso wrote:
> >> Hi
> >>
> >> Feel free to decrease to important, because with default apparmor
> >> package it will only break samba share, for reasonable pam
> >> configuration. For subtle one it fallback to unix_chkpwd the
> >> account could be locked
>
> Bastien> Hi,
>
> Bastien> I have a lightly tested patch for apparmor
> Bastien> https://salsa.debian.org/rouca/apparmor/-/commits/bookworm
>
> Bastien> integreti/marc.deslauriers could you test in order to see
> Bastien> if I miss something.
>
> Bastien> rouca
>
> >>
> >> Other apparmor profiles are configured by default
> >>
> >> I achieved to reproduce on virtual machine:
> >> - reverting the patch allow unix_chkpwd on apparmor
> >> - enable the usr.bin.passwd profile
> >>
> >> It fails
> >>
> >> For bookworm it will need to be fixed
> >>
> >> Bastien
> >>
> >> > On Sun, Aug 03, 2025 at 01:22:13PM +0200, Bastien Roucaries wrote:
> >> > > Source: pam
> >> > > Version: 1.7.0-5
> >> > > Severity: grave
> >> > > Justification: may break the whole system (login)
> >> > > X-Debbugs-CC: [email protected]
> >> > > X-Debbugs-CC: Debian Security Team <[email protected]>
> >> > >
> >> > > Hi,
> >> > >
> >> > > Following fix of CVE-2024-10041 pam now uses /usr/sbin/unix_chkpwd
> >> > > unconditionally
> >> > >
> >> > > If someone uses apparmor login or user then login will fail, may be some
> >> > > time later due to expired password or other unix configuration
> >> > >
> >> > > see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
> >> > > https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f
> >> > >
> >> > > In order to be on the safe side could you add Breaks: apparmor-profiles
> >> > > (<< 4.1.0-1~) or may be Pre-Depends:
> >> > >
> >> > > apparmor needs to be updated before pam.
> >> > >
> >> > > I know it is late in the release cycle, but I just detected trying to
> >> > > debug stuff for pam.
> >> > >
> >> > > Maybe postpone
> >> >
> >> > Should this be reassigned to src:apparmor instead then and marked
> >> > affecting src:pam?
> >> >
> >> > Regards,
> >> > Salvatore

