This bug was fixed in the package pam - 1.7.0-5ubuntu1

---------------
pam (1.7.0-5ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2112053). Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager
      when there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/patches/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/patches/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/update-motd.5, debian/libpam-runtime.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - debian/patches/extrausers.patch: Add a pam_extrausers module
      that is basically just a copy of pam_unix but looks at
      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
    - debian/libpam-modules-bin.install: install the helper binaries for
      pam_extrausers to /sbin
    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
    - Add lintian override for pam_extrausers_chkpwd
    - Disable custom daemon restart detection code if needrestart is available
    - d/p/pam_env-remove-deprecation-notice-for-user_readenv.patch: drop
      deprecation warning about user_readenv from pam_env (LP 2059859)
    - debian/patches/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix's explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - d/po/eu.po, d/po/fi.po, d/po/vi.po: Clean-up translation files
    - debian/patches/fix-pam_motd_ftbfs.patch: fix FTBFS in display_legal()
    - d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP #2087827)
  * Drop Changes:
    - debian/pam-configs/mkhomedir: honor default private home directory
      permissions for pam_mkdir.so by specifying a umask of 0027
      (LP #1957024)
      [Dropped the above change and its revert below]
    - debian/pam-configs/mkhomedir: remove umask override added previously
      for LP #1957024 as this is not actually needed since pam_mkhomedir
      already respects HOME_MODE from login.defs and it complicates umask
      management in general
    - SECURITY UPDATE: privilege escalation via pam_namespace
      [Fixed in 1.7.0-4]
  * Changed Delta:
    - d/p/extrausers.patch,
      d/p/pam_umask_usergroups_from_login.defs.patch,
      d/p/update-motd-manpage-ref: Update patches to work with meson. Drop
      text-based man-pages in favor of XML ones. Add required code to build
      scripts.
    - debian/tests/usr-lib-config: Fix typo in "mv /usr/lib/pam.d/passwd
      /etc/pam.d/*"

pam (1.7.0-5) unstable; urgency=high

  * pam_access: backport upstream commit to implement nodns option to
    allow people to work around #1087019

pam (1.7.0-4) experimental; urgency=high

  [ Gioele Barabucci ]
  * d/control: Update standards version to 4.7.0, no changes needed
  * d/TODO: Remove outdated item about fop (Closes: #629438)

  [ Sam Hartman ]
  * Fix CVE-2025-6020: local privilege escalation in pam_namespace, Closes:
    1107919

  [ James Morris ]
  * pam_access improperly checks for group membership of a user.
    (Closes: #1103339)

pam (1.7.0-3) unstable; urgency=high

  * Disable HURD suid patch for now because it breaks on Linux, Closes:
    #1095194

pam (1.7.0-2) unstable; urgency=medium

  * Release to unstable

pam (1.7.0-1) experimental; urgency=medium

  * New upstream version, Closes: #1088923
    - ChangeLog removed upstream, do not install it.
    - Upstream claims CVE-2024-10041 is fixed by PAM 1.6.0, Closes:
      #1086038
  * Build depend on meson
  * Depend on fop
  * Use installed faillock and namespace man page rather than source man page.
  * Install text module documentation in libpam-doc/txt
  * Build and install pdf documentation
  * Remove Steve from uploaders, thanks for all your contributions; you
    will be missed.
  * In response to lintian complaint, clarify that PAM can be distributed
    under any version of the GPL.
  * Pdf files are compressed; update doc-base
  * Properly handle environment.5 manpage, Closes: #1081181
  * Move pam module man pages into libpam-runtime to avoid multi-arch
    uninstallability
  * Move libpam0g-dev man pages into libpam-doc
  * Build depend on pkgconf rather than pkg-config
  * Only build-depend on documentation tools for arch-indep builds; do not
    build docs for arch all builds, Closes: #1093222
  * pam_limits: do not override systemd's limits by default; add the set_all
    option to restore previous behavior, Closes: #995236
  * Document pam_limits change in news

 -- Ankush Pathak <ankush.pat...@canonical.com>  Thu, 03 Jul 2025 22:03:16 +0530

** Changed in: pam (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-10041

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-6020

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2112053

Title:
  Merge pam from Debian Unstable for questing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2112053/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
