pam - Debian Package Tracker

general

source: pam (main)
version: 1.7.0-5
maintainer: Sam Hartman (DMD)
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.4.0-9+deb11u1
stable: 1.5.2-6+deb12u1
testing: 1.7.0-5
unstable: 1.7.0-5

versioned links

1.4.0-9+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5.2-6+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.0-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libpam-doc (4 bugs: 0, 0, 4, 0)
libpam-modules (49 bugs: 0, 29, 20, 0)
libpam-modules-bin (1 bugs: 0, 0, 1, 0)
libpam-runtime (25 bugs: 0, 15, 10, 0)
libpam0g (6 bugs: 0, 2, 4, 0)
libpam0g-dev

action needed

A new upstream version is available: 1.7.1 high

A new upstream version 1.7.1 is available, you should consider packaging it.

Created: 2025-06-19 Last update: 2025-07-20 10:32

3 security issues in bullseye high

There are 3 open security issues in bullseye.

1 important issue:

CVE-2025-6020: A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

2 issues postponed or untriaged:

CVE-2024-10041: (postponed; to be fixed through a stable update) A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
CVE-2024-22365: (needs triaging) linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

Created: 2025-06-17 Last update: 2025-07-07 05:32

3 security issues in bookworm high

There are 3 open security issues in bookworm.

1 important issue:

CVE-2025-6020: A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

2 issues left for the package maintainer to handle:

CVE-2024-10041: (needs triaging) A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
CVE-2024-22365: (needs triaging) linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-01-18 Last update: 2025-07-07 05:32

14 bugs tagged patch in the BTS normal

The BTS contains patches fixing 14 bugs (15 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2025-07-20 11:31

Depends on packages which need a new maintainer normal

The packages that pam depends on which need a new maintainer are:

db-defaults (#1055344)
- Build-Depends: libdb-dev
docbook-xsl (#802370)
- Build-Depends-Indep: docbook-xsl-ns
docbook5-xml (#802377)
- Build-Depends-Indep: docbook5-xml

Created: 2023-09-01 Last update: 2025-07-20 10:33

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-02-04 Last update: 2025-07-20 09:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.7.0-6, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 881ab0c5c1566334d8292212eec520c8e6286c95
Merge: 4fe6a864 03f0e7d6
Author: Sam Hartman <hartmans@debian.org>
Date:   Sun Jun 29 11:48:38 2025 -0600

    Merge branch 'trixie'
    
    Reupdate because additional changes were included in trixie.

commit 03f0e7d6fd856761c812da318c911b66fb85a96a
Author: Sam Hartman <hartmans@debian.org>
Date:   Sun Jun 29 11:42:26 2025 -0600

    Document changes for 1.7.0-5

commit 9f4ce6432f499cc936b9961fcdecafa48723022d
Author: Sam Hartman <hartmans@debian.org>
Date:   Sun Jun 29 11:37:09 2025 -0600

    Refixup pam_namespace pam citations

commit 942d8564bf7fb88f1cecbd324b461013da0b6b13
Author: Sam Hartman <hartmans@debian.org>
Date:   Thu Jun 26 16:04:28 2025 -0600

    pam_access: backport upstream commit to implement nodns option to allow people to work around #1087019

commit 4fe6a864edc7a11134414775e1503885e091fc20
Author: Sam Hartman <hartmans@debian.org>
Date:   Thu Jun 26 11:54:26 2025 -0600

    Document changes on master that are not proposed for inclusion in trixie

commit 817d6f3ed2610c9e3490a92bc77d4dc7fce6fde1
Author: James Morris <morisja@gmail.com>
Date:   Mon Jun 9 17:30:26 2025 -0400

    pam_access improperly checks for group membership of a user.
    
    Patch from upstream
    
    https://github.com/linux-pam/linux-pam/issues/860
    
    https://github.com/linux-pam/linux-pam/commit/fc927d8f1a6d81e5bcf58096871684b35b793fe2
    
    Closes: #1103339
    
    Fixes !28

commit 82a3aaa99aed57487b6537d9e4d1f98cfa425d9d
Author: Sam Hartman <hartmans@debian.org>
Date:   Thu Jun 26 11:12:42 2025 -0600

    Fix CVE-2025-6020: local privilege escalation in pam_namespace, Closes: 1107919

commit cb448e6474f53e4e40bfb594597156dc6256605c
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 20:05:18 2025 +0100

    d/libpam-runtime.postinst: Drop redundant version check
    
    The check against version 1.0.1-11 has been redundant since Debian 5
    "lenny".

commit 5ea47ce9ee44b5cac894c66fb223f02735299d55
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 19:22:52 2025 +0100

    d/libpam-modules.postinst: Drop redundant version check
    
    The check against version 0.99.9.0-1 has been redundant since Debian 5
    "lenny".

commit a2d9adc8e86c8457b482ecb44b11058e5003f447
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 19:06:36 2025 +0100

    d/TODO: Remove outdated item about fop
    
    Closes: #629438

commit a7986fea5c987d0f821984fd9d7c89ed013c42d4
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 16:29:07 2025 +0100

    d/control: Update standards version to 4.7.0, no changes needed

commit 0da056d8d80e238a65d4f62769b34cb1fd768d77
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 16:00:18 2025 +0100

    d/control: Remove outdated constraints
    
    Both debconf 1.5.19 and libpam-modules 1.0.1-6 are older than
    Debian 6 "squeeze".
    
    Explicitly requiring debconf is not needed because `${misc:Depends}`
    already deals with it.

commit f54ffb63b95cb46b809284124295787f39bd7ed8
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 14:52:23 2025 +0100

    Add support for <!nodoc>

commit aab675ec3b3d04aa33413d7ae24c69ec739d443a
Merge: 6f7964a3 fd7ff719
Author: Sam Hartman <hartmans@debian.org>
Date:   Thu Feb 13 18:32:52 2025 -0700

    Merge in lintian fixes.

commit fd7ff7193ea87ba8e789fce0c48751fa88d4f40f
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 14:42:32 2025 +0100

    d/u/metadata: Add Repository URL

commit 79e2ed9455aa9d2b05fd4f43516d2cccbfff19ed
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 17:19:08 2024 +0200

    d/libpam-modules.lintian-overrides: Remove unused hardening overrides
    
    Fixes: lintian: libpam-modules: mismatched-override hardening-no-fortify-functions

commit 9005eb03afd07d5b0fa0dfbb2e82a1a5ecfeae26
Author: Gioele Barabucci <gioele@svario.it>
Date:   Thu Feb 13 12:44:32 2025 +0100

    d/lintian-overrides: Document that sysadmin manpages are libpam-runtime

commit 732ab13ecae9d8bde3148f373501ad117c6e9766
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 21:23:07 2024 +0200

    d/libpam0g.symbols: Add Build-Depends-Package
    
    Fixes: lintian: symbols-file-missing-build-depends-package-field

commit d0a03a5cc7f2c5a0a92a5ee8cb3ccd95f452c500
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 18:05:25 2024 +0200

    d/libpam-modules.lintian-overrides: Use new name shared-library-lacks-prerequisites

commit 67c98996bcfad7882db981788eaeeae834826949
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 17:56:38 2024 +0200

    d/libpam-{modules,runtime}.post{inst,rm}: Use `set -e` instead of `/bin/sh -e`
    
    Policy recommends to use `set -e` to ensure that scripts always have `-e`
    enabled, even when they are run as `sh foo.postinst`.
    
    Fixes: lintian: *: maintainer-script-without-set-e

commit bdeb29100e6c253416ee8b2a6e3a4f0c5eb14ea0
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 17:36:38 2024 +0200

    d/libpam0g.lintian-overrides: Remove outdated override for false positive package-name-doesnt-match-sonames

commit eae1ea71e649cce546557d9517cca87a792aee8c
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 17:31:19 2024 +0200

    d/s/lintian-overrides: Remove outdated dh-quilt-addon-but-quilt-source-format
    
    dh_quilt is no longer used since commit b99a4f53dcf4725e4b3b861fd8a28c0156a8a147

commit df7bb744b86913bf54f0e8c3e837e30bc3e0d96c
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 17:20:09 2024 +0200

    d/watch: Avoid leading spaces in non-continuation lines
    
    While the specs allow for leading spaces to be present in any line, some
    tools are confused then leading spacere are in non-continuation lines.
    
    Fixes: lintian: pam source: missing-debian-watch-file-standard [debian/watch]

commit 07d5c246315ac679b95a8bc59b1da6ea34bed289
Author: Gioele Barabucci <gioele@svario.it>
Date:   Mon Sep 9 17:17:15 2024 +0200

    d/libpam-runtime.lintian-overrides: Document why prerm is empty
    
    Fixes: lintian: libpam-runtime: maintainer-script-empty [prerm]

commit 6d4514fa9c31a0776c2e5a6a277b77f1aa780b68
Author: Gioele Barabucci <gioele@svario.it>
Date:   Wed Jun 12 20:44:08 2024 +0200

    d/libpam-modules.templates: Remove unused debconf variables
    
    `libpam-modules/disable-screensaver` and `libpam-modules/deprecate-tally`
    are no longer used in the maintainer scripts.

commit a816df4f91ca5726ed9c2f8590bfb95087b8d42a
Author: Gioele Barabucci <gioele@svario.it>
Date:   Wed Jun 12 20:38:17 2024 +0200

    d/libpam-modules.preinst: Remove outdated screensaver-related code
    
    Version 1.4.0-5 is older than what is currently in old-stable
    (Debian 11 bullseye, 1.4.0-9+deb11u1), so this code is never going
    to run in future installations of `libpam-modules`.
    
    Closes: #1073129

Created: 2025-02-14 Last update: 2025-07-12 14:32

lintian reports 21 warnings normal

Lintian reports 21 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-02-11 Last update: 2025-06-30 04:33

debian/patches: 23 patches to forward upstream low

Among the 23 debian patches available in version 1.7.0-5 of the package, we noticed the following issues:

23 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-02-28 Last update: 2025-06-30 11:30

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2024-10-29 Last update: 2024-10-29 14:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2024-04-07 Last update: 2025-06-29 23:27

news

[rss feed]

[2025-07-07] pam 1.7.0-5 MIGRATED to testing (Debian testing watch)
[2025-06-29] Accepted pam 1.7.0-5 (source) into unstable (Sam Hartman)
[2025-06-26] Accepted pam 1.7.0-4 (source) into experimental (Sam Hartman)
[2025-02-15] pam 1.7.0-3 MIGRATED to testing (Debian testing watch)
[2025-02-11] Accepted pam 1.7.0-3 (source) into unstable (Sam Hartman)
[2025-02-04] pam 1.7.0-2 MIGRATED to testing (Debian testing watch)
[2025-01-30] Accepted pam 1.7.0-2 (source) into unstable (Sam Hartman)
[2025-01-17] Accepted pam 1.7.0-1 (source) into experimental (Sam Hartman)
[2024-05-03] pam 1.5.3-7 MIGRATED to testing (Debian testing watch)
[2024-04-08] Accepted pam 1.5.3-7 (source) into unstable (Sam Hartman)
[2024-02-29] Accepted pam 1.5.3-6 (source) into unstable (Steve Langasek)
[2024-02-29] Accepted pam 1.5.3-5 (source) into unstable (Sam Hartman)
[2024-02-28] Accepted pam 1.5.3-4 (source) into unstable (Sam Hartman)
[2024-02-06] Accepted pam 1.5.3-3 (source) into experimental (Helmut Grohne) (signed by: Sam Hartman)
[2024-02-02] Accepted pam 1.5.3-2 (source all amd64) into experimental (Sam Hartman)
[2024-01-16] Accepted pam 1.5.3-1 (source) into experimental (Sam Hartman)
[2023-10-27] pam 1.5.2-9.1 MIGRATED to testing (Debian testing watch)
[2023-10-24] Accepted pam 1.5.2-9.1 (source) into unstable (Helmut Grohne)
[2023-10-24] Accepted pam 1.5.2-9 (source) into unstable (Sam Hartman)
[2023-10-24] Accepted pam 1.5.2-8 (source) into unstable (Helmut Grohne) (signed by: Sam Hartman)
[2023-09-23] Accepted pam 1.5.2-6+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sam Hartman)
[2023-08-19] pam 1.5.2-7 MIGRATED to testing (Debian testing watch)
[2023-08-16] Accepted pam 1.5.2-7 (source) into unstable (Sam Hartman)
[2023-01-14] pam 1.5.2-6 MIGRATED to testing (Debian testing watch)
[2023-01-04] Accepted pam 1.5.2-6 (source) into unstable (Sam Hartman)
[2022-10-12] pam 1.5.2-5 MIGRATED to testing (Debian testing watch)
[2022-10-06] Accepted pam 1.5.2-5 (source) into unstable (Steve Langasek)
[2022-10-06] Accepted pam 1.5.2-4 (source) into unstable (Steve Langasek)
[2022-10-06] Accepted pam 1.5.2-3 (source) into unstable (Steve Langasek)
[2022-08-24] pam 1.5.2-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 97 102
RC: 0
I&N: 50 54
M&W: 47 48
F&P: 0
patch: 14 15

links

homepage
lintian (0, 21)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (87, 58)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.5.3-7ubuntu6
72 bugs (6 patches)
patches for 1.5.3-7ubuntu6