Merge branch 'i8c' with version 1.3.1-34 into 'i8'

SOURCES/pam-1.3.1-access-handle-hostnames.patch

@@ -0,0 +1,158 @@
+diff -up Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames Linux-PAM-1.3.1/modules/pam_access/pam_access.c
+--- Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames	2024-01-19 16:45:18.319862531 +0100
++++ Linux-PAM-1.3.1/modules/pam_access/pam_access.c	2024-01-19 16:50:34.239545948 +0100
+@@ -683,7 +683,7 @@ string_match (pam_handle_t *pamh, const
+     /*
+      * If the token has the magic value "ALL" the match always succeeds.
+      * Otherwise, return YES if the token fully matches the string.
+-	 * "NONE" token matches NULL string.
++     * "NONE" token matches NULL string.
+      */
+ 
+     if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
+@@ -701,7 +701,8 @@ string_match (pam_handle_t *pamh, const
+ 
+ /* network_netmask_match - match a string against one token
+  * where string is a hostname or ip (v4,v6) address and tok
+- * represents either a single ip (v4,v6) address or a network/netmask
++ * represents either a hostname, a single ip (v4,v6) address
++ * or a network/netmask
+  */
+ static int
+ network_netmask_match (pam_handle_t *pamh,
+@@ -710,10 +711,12 @@ network_netmask_match (pam_handle_t *pam
+     char *netmask_ptr;
+     char netmask_string[MAXHOSTNAMELEN + 1];
+     int addr_type;
++    struct addrinfo *ai = NULL;
+ 
+     if (item->debug)
+-    pam_syslog (pamh, LOG_DEBUG,
++      pam_syslog (pamh, LOG_DEBUG,
+ 		"network_netmask_match: tok=%s, item=%s", tok, string);
++
+     /* OK, check if tok is of type addr/mask */
+     if ((netmask_ptr = strchr(tok, '/')) != NULL)
+       {
+@@ -745,52 +748,109 @@ network_netmask_match (pam_handle_t *pam
+ 	    netmask_ptr = number_to_netmask(netmask, addr_type,
+ 		netmask_string, MAXHOSTNAMELEN);
+ 	  }
+-	}
++
++        /*
++         * Construct an addrinfo list from the IP address.
++         * This should not fail as the input is a correct IP address...
++         */
++	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
++	  {
++	    return NO;
++	  }
++      }
+     else
+-	/* NO, then check if it is only an addr */
+-	if (isipaddr(tok, NULL, NULL) != YES)
++      {
++        /*
++	 * It is either an IP address or a hostname.
++	 * Let getaddrinfo sort everything out
++	 */
++	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ 	  {
++	    if (item->debug)
++	      pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
++
+ 	    return NO;
+ 	  }
++	netmask_ptr = NULL;
++      }
+ 
+     if (isipaddr(string, NULL, NULL) != YES)
+       {
+-	/* Assume network/netmask with a name of a host.  */
+ 	struct addrinfo hint;
+ 
++	/* Assume network/netmask with a name of a host.  */
+ 	memset (&hint, '\0', sizeof (hint));
+ 	hint.ai_flags = AI_CANONNAME;
+ 	hint.ai_family = AF_UNSPEC;
+ 
+ 	if (item->gai_rv != 0)
++	  {
++	    freeaddrinfo(ai);
+ 	    return NO;
++	  }
+ 	else if (!item->res &&
+ 		(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
++	  {
++	    freeaddrinfo(ai);
+ 	    return NO;
++	  }
+         else
+ 	  {
+ 	    struct addrinfo *runp = item->res;
++	    struct addrinfo *runp1;
+ 
+ 	    while (runp != NULL)
+ 	      {
+ 		char buf[INET6_ADDRSTRLEN];
+ 
+-		inet_ntop (runp->ai_family,
+-			runp->ai_family == AF_INET
+-			? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
+-			: (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
+-			buf, sizeof (buf));
++		if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
++		  {
++		    freeaddrinfo(ai);
++		    return NO;
++		  }
+ 
+-		if (are_addresses_equal(buf, tok, netmask_ptr))
++		for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
+ 		  {
+-		    return YES;
++                    char buf1[INET6_ADDRSTRLEN];
++
++                    if (runp->ai_family != runp1->ai_family)
++                      continue;
++
++                    if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
++		      {
++			freeaddrinfo(ai);
++			return NO;
++		      }
++
++                    if (are_addresses_equal (buf, buf1, netmask_ptr))
++                      {
++                        freeaddrinfo(ai);
++                        return YES;
++                      }
+ 		  }
+ 		runp = runp->ai_next;
+ 	      }
+ 	  }
+       }
+     else
+-      return (are_addresses_equal(string, tok, netmask_ptr));
++      {
++       struct addrinfo *runp1;
++
++       for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
++         {
++           char buf1[INET6_ADDRSTRLEN];
++
++           (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
++
++           if (are_addresses_equal(string, buf1, netmask_ptr))
++             {
++               freeaddrinfo(ai);
++               return YES;
++             }
++         }
++      }
++
++  freeaddrinfo(ai);
+ 
+   return NO;
+ }

SOURCES/pam-1.3.1-audit-messages-formatting.patch

@@ -0,0 +1,33 @@
+diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.audit-messages-formatting	2024-03-11 16:21:51.928946604 +0100
++++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c	2024-03-11 16:21:51.934946609 +0100
+@@ -334,7 +334,7 @@ check_tally(pam_handle_t *pamh, struct o
+ 
+ 				(void)pam_get_item(pamh, PAM_TTY, &tty);
+ 				(void)pam_get_item(pamh, PAM_RHOST, &rhost);
+-				snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++				snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+ 				audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+ 					rhost, NULL, tty, 1);
+ 			}
+@@ -450,7 +450,7 @@ write_tally(pam_handle_t *pamh, struct o
+ 			errno == EAFNOSUPPORT))
+ 			return PAM_SYSTEM_ERR;
+ 
+-		snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++		snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+ 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+ 			NULL, NULL, NULL, 1);
+ 
+diff -up Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c.audit-messages-formatting	2024-03-11 16:21:51.934946609 +0100
++++ Linux-PAM-1.3.1/modules/pam_selinux/pam_selinux.c	2024-03-11 16:23:24.521025061 +0100
+@@ -106,7 +106,7 @@ int send_audit_message(pam_handle_t *pam
+ 		pam_syslog(pamh, LOG_ERR, "Error translating selected context.");
+ 		selected_raw = NULL;
+ 	}
+-	if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
++	if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s",
+ 		     default_raw ? default_raw : (default_context ? default_context : "?"),
+ 		     selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
+ 		pam_syslog(pamh, LOG_ERR, "Error allocating memory.");

SOURCES/pam-1.3.1-faillock-create-tallydir.patch

@@ -0,0 +1,13 @@
+diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir Linux-PAM-1.3.1/modules/pam_faillock/faillock.c
+--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir	2024-01-08 11:32:02.122392119 +0100
++++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.c	2024-01-08 11:33:10.916515943 +0100
+@@ -74,6 +74,9 @@ open_tally (const char *dir, const char
+ 
+ 	if (create) {
+ 		flags |= O_CREAT;
++		if (access(dir, F_OK) != 0) {
++			mkdir(dir, 0755);
++		}
+ 	}
+ 
+ 	fd = open(path, flags, 0600);

SOURCES/pam-1.3.1-namespace-protect-dir.patch

@@ -0,0 +1,58 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff8..f72d6718 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ 	int dfd = AT_FDCWD;
+ 	int dfd_next;
+ 	int save_errno;
+-	int flags = O_RDONLY;
++	int flags = O_RDONLY | O_DIRECTORY;
+ 	int rv = -1;
+ 	struct stat st;
+ 
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ 		rv = openat(dfd, dir, flags);
+ 	}
+ 
+-	if (rv != -1) {
+-		if (fstat(rv, &st) != 0) {
+-			save_errno = errno;
+-			close(rv);
+-			rv = -1;
+-			errno = save_errno;
+-			goto error;
+-		}
+-		if (!S_ISDIR(st.st_mode)) {
+-			close(rv);
+-			errno = ENOTDIR;
+-			rv = -1;
+-			goto error;
+-		}
+-	}
+-
+ 	if (flags & O_NOFOLLOW) {
+ 		/* we are inside user-owned dir - protect */
+ 		if (protect_mount(rv, p, idata) == -1) {
+-- 
+2.43.0
+

SOURCES/pam-1.3.1-unix-default-rounds.patch

@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds	2023-11-02 09:59:54.533238124 +0100
++++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c	2023-11-02 10:40:58.017404936 +0100
+@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
+ 	unsigned int ctrl, lctrl;
+ 	int retval;
+ 	int remember = -1;
+-	int rounds = -1;
++	int rounds = 0;
+ 	int pass_min_len = 0;
+ 
+ 	/* <DO NOT free() THESE> */

SOURCES/pam-1.3.1-unix-enable-bcrypt.patch

@@ -0,0 +1,174 @@
+From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Thu, 15 Nov 2018 15:01:57 +0100
+Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
+
+Bcrypt hashes used the "$2a$" prefix since 1997.
+However, in 2011 an implementation bug was discovered in bcrypt
+affecting the handling of characters in passphrases with the 8th
+bit set.
+
+Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
+for a behavior that exactly matches crypt_blowfish's "$2y$", and
+the crypt_blowfish implementation supports it as well since v1.1.
+
+That said new computed bcrypt hashes should use the "$2b$" prefix.
+
+* modules/pam_unix/passverify.c: Use bcrypt b-variant.
+---
+ modules/pam_unix/passverify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 9c1771e2..1f433b3a 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
+ 		/* algoid = "$1" */
+ 		return crypt_md5_wrapper(password);
+ 	} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+-		algoid = "$2a$";
++		algoid = "$2b$";
+ 	} else if (on(UNIX_SHA256_PASS, ctrl)) {
+ 		algoid = "$5$";
+ 	} else if (on(UNIX_SHA512_PASS, ctrl)) {
+-- 
+2.41.0
+
+diff -up Linux-PAM-1.3.1/configure.ac.legacy-xcrypt Linux-PAM-1.3.1/configure.ac
+--- Linux-PAM-1.3.1/configure.ac.legacy-xcrypt	2023-10-26 12:08:46.896437225 +0200
++++ Linux-PAM-1.3.1/configure.ac	2023-10-26 12:10:38.289654696 +0200
+@@ -395,19 +395,32 @@ AC_SUBST(LIBAUDIT)
+ AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
+ 	       [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+ 
+-AC_CHECK_HEADERS(xcrypt.h crypt.h)
+-AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
+-  [crypt_libs="xcrypt crypt"],
+-  [crypt_libs="crypt"])
++AC_CHECK_HEADERS(crypt.h)
+ 
+ BACKUP_LIBS=$LIBS
+-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
+-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
++LIBCRYPT=""
++PKG_CHECK_MODULES([CRYPT], [libcrypt], [
++  CFLAGS="$CFLAGS $CRYPT_CFLAGS"
++  CPPFLAGS="$CPPFLAGS $CRYPT_CFLAGS"
++  LIBS="$LIBS $CRYPT_LIBS"
++  LIBCRYPT="$CRYPT_LIBS"
++], [
++  AC_SEARCH_LIBS([crypt_gensalt_rn],[crypt])
++  case "$ac_cv_search_crypt_gensalt_rn" in
++	-l*) LIBCRYPT="$ac_cv_search_crypt_gensalt_rn" ;;
++	no) AC_SEARCH_LIBS([crypt_r],[crypt])
++		case "$ac_cv_search_crypt_r" in
++		-l*) LIBCRYPT="$ac_cv_search_crypt_r" ;;
++		no ) AC_SEARCH_LIBS([crypt],[crypt])
++		case "$ac_cv_search_crypt" in
++			-l*) LIBCRYPT="$ac_cv_search_crypt" ;;
++		esac ;;
++	esac ;;
++  esac
++])
++AC_CHECK_FUNCS([crypt_r])
+ LIBS=$BACKUP_LIBS
+ AC_SUBST(LIBCRYPT)
+-if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
+-	AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
+-fi
+ 
+ AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
+ if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
+diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c
+--- Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt	2023-10-26 12:08:46.896437225 +0200
++++ Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c	2023-10-26 12:11:14.437725259 +0200
+@@ -52,9 +52,7 @@
+ #include <stdarg.h>
+ #include <sys/stat.h>
+ 
+-#if defined (HAVE_XCRYPT_H)
+-#include <xcrypt.h>
+-#elif defined (HAVE_CRYPT_H)
++#ifdef HAVE_CRYPT_H
+ #include <crypt.h>
+ #endif
+ 
+diff -up Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c
+--- Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt	2017-02-10 11:10:15.000000000 +0100
++++ Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c	2023-10-26 12:08:46.896437225 +0200
+@@ -29,9 +29,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <security/_pam_macros.h>
+-#ifdef HAVE_LIBXCRYPT
+-#include <xcrypt.h>
+-#elif defined(HAVE_CRYPT_H)
++#ifdef HAVE_CRYPT_H
+ #include <crypt.h>
+ #endif
+ 
+diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+--- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt	2023-10-26 12:08:46.895437223 +0200
++++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c	2023-10-26 12:16:25.470320408 +0200
+@@ -19,9 +19,7 @@
+ #include <sys/time.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+-#ifdef HAVE_LIBXCRYPT
+-#include <xcrypt.h>
+-#elif defined(HAVE_CRYPT_H)
++#ifdef HAVE_CRYPT_H
+ #include <crypt.h>
+ #endif
+ 
+@@ -406,23 +404,19 @@ PAMH_ARG_DECL(char * create_password_has
+ 		return crypted;
+ 	}
+ 
+-#ifdef HAVE_CRYPT_GENSALT_R
+-	if (on(UNIX_BLOWFISH_PASS, ctrl)) {
+-		char entropy[17];
+-		crypt_make_salt(entropy, sizeof(entropy) - 1);
+-		sp = crypt_gensalt_r (algoid, rounds,
+-				      entropy, sizeof(entropy),
+-				      salt, sizeof(salt));
+-	} else {
+-#endif
+-		sp = stpcpy(salt, algoid);
+-		if (on(UNIX_ALGO_ROUNDS, ctrl)) {
+-			sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
+-		}
+-		crypt_make_salt(sp, 16);
+-#ifdef HAVE_CRYPT_GENSALT_R
++#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
++	/*
++	 * Any version of libcrypt supporting auto entropy is
++	 * guaranteed to have crypt_gensalt_rn().
++	 */
++	sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
++#else
++	sp = stpcpy(salt, algoid);
++	if (on(UNIX_ALGO_ROUNDS, ctrl)) {
++		sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
+ 	}
+-#endif
++	crypt_make_salt(sp, 16);
++#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
+ #ifdef HAVE_CRYPT_R
+ 	sp = NULL;
+ 	cdata = malloc(sizeof(*cdata));
+diff -up Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c
+--- Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt	2023-10-26 12:08:46.880437194 +0200
++++ Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c	2023-10-26 12:08:46.896437225 +0200
+@@ -17,9 +17,7 @@
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <errno.h>
+-#ifdef HAVE_LIBXCRYPT
+-#include <xcrypt.h>
+-#elif defined(HAVE_CRYPT_H)
++#ifdef HAVE_CRYPT_H
+ #include <crypt.h>
+ #endif
+ 

SPECS/pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 27%{?dist}.inferit
+Release: 34%{?dist}.inferit
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -100,6 +100,19 @@ Patch64: pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch
 # https://github.com/linux-pam/linux-pam/commit/55f206447a1e4ee26e307e7a9c069236e823b1a5
 # https://github.com/linux-pam/linux-pam/commit/80bfda5962e5be3daa70e0fc8c75fc97d1c55121
 Patch65: pam-1.3.1-pam-misc-configurable.patch
+# https://github.com/linux-pam/linux-pam/commit/530c9f9e2d746e1d168c6b17863debda7664ac7c
+# https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016
+Patch66: pam-1.3.1-unix-enable-bcrypt.patch
+Patch67: pam-1.3.1-unix-default-rounds.patch
+# https://github.com/linux-pam/linux-pam/commit/d54870f993e97fe75e2cd0470a3701d5af22877c
+Patch68: pam-1.3.1-faillock-create-tallydir.patch
+# https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
+Patch69: pam-1.3.1-access-handle-hostnames.patch
+# https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
+Patch70: pam-1.3.1-namespace-protect-dir.patch
+# https://github.com/linux-pam/linux-pam/commit/c85513220c1bd3150e39c6277422d29cfa44acc7
+# https://github.com/linux-pam/linux-pam/commit/1648734a69c31e9ce834da70144ac9a453296807
+Patch71: pam-1.3.1-audit-messages-formatting.patch
 
 Patch1000: 0001-Fix-Russian-translation.patch
 
@@ -215,6 +228,12 @@ cp %{SOURCE18} .
 %patch63 -p1 -b .pam-faillock-clarify-missing-user
 %patch64 -p1 -b .pam-faillock-avoid-logging-erroneous
 %patch65 -p1 -b .pam-misc-configurable
+%patch66 -p1 -b .unix-enable-bcrypt
+%patch67 -p1 -b .unix-default-rounds
+%patch68 -p1 -b .faillock-create-tallydir
+%patch69 -p1 -b .access-handle-hostnames
+%patch70 -p1 -b .namespace-protect-dir
+%patch71 -p1 -b .audit-messages-formatting
 %patch1000 -p1
 
 autoreconf -i
@@ -470,10 +489,29 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Wed Jul 03 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 1.3.1-34.inferit
+- Update to 1.3.1-34
+
+* Thu Apr  4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-34
+- fix formatting of audit messages. Resolves: RHEL-28620
+
 * Thu Mar 14 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 1.3.1-27.inferit
 - Fix Russian translation
 - Rebuilt for MSVSphere 8.9
 
+* Mon Feb 12 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-33
+- pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+  situations. CVE-2024-22365. Resolves: RHEL-21242
+
+* Fri Jan 26 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-32
+- pam_access: handle hostnames in access.conf. Resolves: RHEL-3374
+
+* Mon Jan  8 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-31
+- pam_faillock: create tallydir before creating tallyfile. Resolves: RHEL-19810
+
+* Thu Nov  2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-30
+- pam_unix: enable bcrypt. Resolves: RHEL-5057
+
 * Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.3.1-27
 - Rebuilt for MSVSphere 8.8
 
@@ -2195,7 +2233,7 @@ support)
   conflicting types if unistd.c declares it
 
 * Mon May 15 2000 Nalin Dahyabhai <nalin@redhat.com>
-- fix problems compiling on Red Hat Linux 5.x (bug #11005)
+- fix problems compiling on MSVSphere 5.x (bug #11005)
 
 * Wed Apr 26 2000 Bill Nottingham <notting@redhat.com>
 - fix size assumptions in pam_(pwdb|unix) md5 code