author | Steve Langasek <vorlon@debian.org> | 2019-01-04 01:27:58 -0800 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 22:12:51 -0800 |
commit | f3618c54f7f0c4fc26f29d0acd0256c7d13b53f2 (patch) | |
tree | e223f62d4d5f1c83a57829db1eceed4eefcc08d7 | |
parent | 586fb048e9e5678dc717dc539dba916b99547750 (diff) | |
parent | c5a761b3f0216bc80685da0026ba7e1210b46004 (diff) | |
Acknowledge NMUs
-rw-r--r-- | debian/changelog | 178 |
-rw-r--r-- | debian/control | 9 |
-rw-r--r-- | debian/libpam-doc.doc-base.applications-guide | 2 |
-rw-r--r-- | debian/libpam-modules.install | 1 |
-rw-r--r-- | debian/libpam0g-dev.examples | 4 |
-rw-r--r-- | debian/local/pam-auth-update | 36 |
-rw-r--r-- | debian/local/pam-auth-update.8 | 4 |
-rw-r--r-- | debian/local/pam_getenv | 2 |
-rw-r--r-- | debian/pam-configs/mkhomedir | 7 |
-rw-r--r-- | debian/patches-applied/cve-2010-4708.patch (renamed from debian/patches-applied/cve-2011-4708.patch) | 2 |
-rw-r--r-- | debian/patches-applied/cve-2015-3238.patch | 180 |
-rw-r--r-- | debian/patches-applied/make_documentation_reproducible.patch | 28 |
-rw-r--r-- | debian/patches-applied/pam-loginuid-in-containers | 52 |
-rw-r--r-- | debian/patches-applied/pam_namespace_fix_bashism.patch | 61 |
-rw-r--r-- | debian/patches-applied/series | 5 |
-rw-r--r-- | debian/patches-applied/update-motd | 12 |
-rw-r--r-- | debian/po/pt_BR.po | 56 |
-rw-r--r-- | debian/watch | 5 |
18 files changed, 531 insertions, 113 deletions
diff --git a/debian/changelog b/debian/changelog index c2d673f7..145812d2 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,5 +1,77 @@ pam (1.1.8-4) UNRELEASED; urgency=medium + * Acknowledge various NMUs; thanks to the various folks who have helped + keep this package in good condition. + * debian/control: update VCS headers to point to git (temporarily under + my personal salsa namespace, until I get around to restoring team + setup). + + -- Steve Langasek <vorlon@debian.org> Wed, 09 Apr 2014 14:04:10 -0700 + +pam (1.1.8-3.8) unstable; urgency=medium + + * Non-maintainer upload. + * Set Rules-Requires-Root to binary-targets as pam relies on + chgrp in debian/rules. + * Update pam-auth-update to detect write errors and properly + fail when that happens. (Closes: #880501) + * Remove Roger Leigh from uploaders as he has restired from + Debian. (Closes: #869348) + * Reduce priority of libpam0g to optional. + * Rebuild with a recent version of dpkg-source, which ensures + that the Build-Depends are correct in the .dsc file. + (Closes: #890602) + * Apply patch from Felix Lechner to make pam-auth-update ignore + editor backup files. (Closes: #519361) + * Apply update to Brazilian Portuguese translations of the + debconf templates. Thanks to Adriano Rafael Gomes. + (Closes: #799417) + + -- Niels Thykier <niels@thykier.net> Sat, 11 Aug 2018 15:31:24 +0000 + +pam (1.1.8-3.7) unstable; urgency=medium + + * Non-maintainer upload. + * libpam-modules: Added a config for pam_mkhomedir, disabled by default. + (Closes: #568577) + * pam-auth-update: Add support for --enable option which is useful for + enabling non-default configs without prompting the admin. (LP: #1192719) + + -- Timo Aaltonen <tjaalton@debian.org> Fri, 02 Feb 2018 16:57:43 +0200 + +pam (1.1.8-3.6) unstable; urgency=medium + + * Non-maintainer upload. + * cve-2015-3238.patch: Add the changes in the generated pam_exec.8 + and pam_unix.8 in addition to (and after) the changes to the + source .xml files. 
This avoids unwanted rebuilds that can cause + problems due to differing files on different architectures of + the Multi-Arch: same libpam-modules. (Closes: #851545) + + -- Adrian Bunk <bunk@debian.org> Sat, 27 May 2017 18:44:02 +0300 + +pam (1.1.8-3.5) unstable; urgency=medium + + * Non-maintainer upload. + * Build-Depend on libfl-dev:native as well, for cross builds. + Re-closes: #846459 + * Fix "Unescaped left brace in regex" with Perl 5.22. Closes: #810873 + + -- Adam Borowski <kilobyte@angband.pl> Fri, 30 Dec 2016 14:37:29 +0100 + +pam (1.1.8-3.4) unstable; urgency=medium + + * Non-maintainer upload. + * Add libfl-dev to Build-Depends, fixing FTBFS. Closes: #846459 + * Move xsl stuff to Build-Depends from -Indep to fix misbuilt manpages. + Closes: #812566 + + -- Adam Borowski <kilobyte@angband.pl> Sun, 18 Dec 2016 01:03:58 +0100 + +pam (1.1.8-3.3) unstable; urgency=low + + * Non-maintainer upload. + [ Steve Langasek ] * Updated Swedish translation to correct a typo, thanks to Anders Jonsson and Martin Bagge. Closes: #743875 * Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>. 
@@ -10,11 +82,37 @@ pam (1.1.8-4) UNRELEASED; urgency=medium * Acknowledge security NMU. * pam-auth-update: don't mishandle trailing whitespace in profiles. LP: #1487103. - * debian/control: update VCS headers to point to git (temporarily under - my personal salsa namespace, until I get around to restoring team - setup). - -- Steve Langasek <vorlon@debian.org> Wed, 09 Apr 2014 14:04:10 -0700 + [ Laurent Bigonville ] + * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343) + * debian/watch: Update watch file and point it to http://www.linux-pam.org + * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in + namespace.init script (Closes: #624842) + * debian/control: Build-depends against debhelper (>= 9) to match the + defined debhelper compatibility + * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality, + thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594) + * debian/control: Bump Standards-Version to 3.9.8 (no further changes) + * debian/libpam-doc.doc-base.applications-guide: Fix spelling + * debian/libpam0g-dev.examples: Do not use shell brace expansion + * debian/patches-applied/pam-loginuid-in-containers: Updated with the version + from Ubuntu, this should fix logins in containers (Closes: #726661) + * debian/patches-applied/update-motd: Updated with the version from Ubuntu: + use /run/motd.dynamic instead of /var/run/motd, nothing in the archive + uses the later (Closes: #743286) + * debian/patches-applied/make_documentation_reproducible.patch: Make the + build reproducible, removes differences when building with different + locale values (Closes: #792127) + + -- Laurent Bigonville <bigon@debian.org> Wed, 18 May 2016 02:04:29 +0200 + +pam (1.1.8-3.2) unstable; urgency=medium + + * Non-maintainer upload. 
+ * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix + module (Closes: #789986) + + -- Tianon Gravi <tianon@debian.org> Wed, 06 Jan 2016 15:53:31 -0800 pam (1.1.8-3.1) unstable; urgency=high @@ -318,7 +416,7 @@ pam (1.1.2-1) unstable; urgency=low - Add support for NSS groups to pam_group. Closes: #589019, LP: #297408. - Support cross-building the package. Thanks to Neil Williams - <codehelp@debian.org> for the patch. Closes: #284854. + <codehelp@debian.org> for the patch. Closes: #284854. * debian/rules: pass getconf LFS_CFLAGS so that we get a 64-bit rlimit interface. Closes: #579402. * Drop patches conditional_module,_conditional_man and @@ -633,7 +731,7 @@ pam (1.0.1-10) unstable; urgency=high * Fix lintian overrides for libpam-runtime * Overrides for lintian finding quilt patches * pam_mail-fix-quiet: patch from Andreas Henriksson - applied upstream to fix quiet option of pam_mail, Closes: #439268 + applied upstream to fix quiet option of pam_mail, Closes: #439268 [ Dustin Kirkland ] * debian/patches/update-motd: run the update-motd scripts in pam_motd; @@ -641,7 +739,7 @@ pam (1.0.1-10) unstable; urgency=high [ Sam Hartman ] * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem - (CVE-2009-0887) (Closes: #520115) + (CVE-2009-0887) (Closes: #520115) -- Steve Langasek <vorlon@debian.org> Thu, 06 Aug 2009 17:54:32 +0100 @@ -663,7 +761,7 @@ pam (1.0.1-8) unstable; urgency=low - Swedish, thanks to Martin Bagge <brother@bsnet.se> (closes: #518324) - Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au> (closes: #518329) - - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #518335) + - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #518335) - Slovak, thanks to Ivan Masár <helix84@centrum.sk> (closes: #518341) - Czech, thanks to Miroslav Kure <kurem@debian.cz> (closes: #518992) - Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt> 
@@ -681,14 +779,14 @@ pam (1.0.1-8) unstable; urgency=low pam (1.0.1-7) unstable; urgency=low * 027_pam_limits_better_init_allow_explicit_root: - - fix the patch so that our limit resets are actually *applied*, + - fix the patch so that our limit resets are actually *applied*, which has apparently been broken for who knows how long! - shadow the finite kernel defaults for RLIMIT_SIGPENDING and RLIMIT_MSGQUEUE as well, so that the preceding change doesn't suddenly expose systems to DoS or other issues. - - include documentation in the patch, giving examples of how to set + - include documentation in the patch, giving examples of how to set limits for root. Thanks to Jonathan Marsden. - * pam-auth-update: swap out known md5sums from intrepid pre-release + * pam-auth-update: swap out known md5sums from intrepid pre-release versions with the md5sums from the released intrepid version * pam-auth-update: set the umask, so we don't accidentally mark /etc/pam.d/common-* unreadable. Thanks to Martin Krafft for catching. @@ -739,7 +837,7 @@ pam (1.0.1-5) unstable; urgency=low - Czech, thanks to Miroslav Kure <<kurem@upcase.inf.upol.cz> (closes: #510608) - French, thanks to Steve Petruzzello <dlist@bluewin.ch> - - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #510617) + - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #510617) - Basque, thanks to Piarres Beobide <pi+debian@beobide.net> (closes: #510699) - Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #510701) @@ -1280,7 +1378,7 @@ pam (0.79-4) unstable; urgency=medium pam (0.79-3.2) unstable; urgency=low * Non-maintainer upload to fix important bug, that makes passwd segfault - when CTRL-D is pressed at the password prompt. Applied the patch + when CTRL-D is pressed at the password prompt. Applied the patch provided by Dann Frazier. (Closes: #360657) -- Margarita Manterola <marga@debian.org> Sat, 5 Aug 2006 02:11:22 -0300 
@@ -1386,7 +1484,7 @@ pam (0.76-22) unstable; urgency=medium pam (0.76-21) unstable; urgency=medium * Fix patch 055 again because -20 was broken and didn't actually fix the - problem. + problem. -- Sam Hartman <hartmans@debian.org> Tue, 4 May 2004 21:37:38 -0400 @@ -1397,22 +1495,22 @@ pam (0.76-20) unstable; urgency=medium * Medium urgency because the version now in testing has confusing and verbose log messages. * Include pam_getenv script which hopefully will be used by some people - somewhere for some purpose + somewhere for some purpose -- Sam Hartman <hartmans@debian.org> Wed, 28 Apr 2004 22:51:18 -0400 pam (0.76-19) unstable; urgency=low * Oops, too busy testing the upgrade from woody to make sure the upgrade - from -16 to -18 worked. Thanks to all those who reported, - Closes: #243413 + from -16 to -18 worked. Thanks to all those who reported, + Closes: #243413 -- Sam Hartman <hartmans@debian.org> Tue, 13 Apr 2004 16:08:54 -0400 pam (0.76-18) unstable; urgency=low * Manipulate conffiles to avoid unnecessary prompt in woody to sarge - upgrade, Closes: #218318 + upgrade, Closes: #218318 -- Sam Hartman <hartmans@debian.org> Sat, 10 Apr 2004 18:10:35 -0400 @@ -1421,9 +1519,9 @@ pam (0.76-17) unstable; urgency=low * common-password now includes length restrictions and cracklib examples, Closes: #227681, #237537 * Patch 054: abstract out the logic from pam_securetty to determine if a - tty is in /etc/securetty into a library function + tty is in /etc/securetty into a library function * Patch 55: Add nullok_secure option to pam_unix. If set, then null - passwords are accepted from terminals in /etc/securetty. + passwords are accepted from terminals in /etc/securetty. * common-auth now includes nullok_secure, Closes: #228114 
@@ -1432,8 +1530,8 @@ pam (0.76-17) unstable; urgency=low pam (0.76-16) unstable; urgency=low * Patch 51 from the x86-64 folks to support 32-bit ll_time in - pam_lastlog even if time_t is 64-bits - * Don't call openlog in pam_unix (patch 52), Closes: #213566 + pam_lastlog even if time_t is 64-bits + * Don't call openlog in pam_unix (patch 52), Closes: #213566 * Return PAM_USER_UNKNOWN for unknown users in pam_unix (patch 53), Closes: #204506 -- Sam Hartman <hartmans@debian.org> Tue, 23 Mar 2004 22:26:04 -0500 @@ -1446,8 +1544,8 @@ pam (0.76-15) unstable; urgency=low * Clean up binaries, Thanks Russell, Closes: #212158 * Depend on sufficiently new cracklib2-dev, Closes: #214092 * Treate GNU/* as GNU for OS variable to make pam_limits compile, - (patch 050) Closes: #220980 - * No longer build-depend on latex2html, Closes: #221318 + (patch 050) Closes: #220980 + * No longer build-depend on latex2html, Closes: #221318 * Allow : in tty specification for pam_group, (patch 048) Closes: #220439 * Pull in locking patch from Linux-PAM CVS; this ended up causing 021_pam_nis_locking to be reworked and that patch now no longer @@ -1500,7 +1598,7 @@ pam (0.76-12) unstable; urgency=low pam (0.76-11) unstable; urgency=low * Don't allow db4 to satisfy build-depends because it doesn't actually - work, and sometimes building with it would be wrong. + work, and sometimes building with it would be wrong. * Don't depend on libpcap-dev on Debian BSD * Conflict with old libpam-modules, Closes: #191906 * Incorrect username should not be logged at alert (patch 43), 
@@ -1514,9 +1612,9 @@ pam (0.76-10) unstable; urgency=low * Don't double list conffiles, Closes: #190954 * Only install example sources not executables, Closes: #185286 * Display correct directory in error message for pam_mkhomedir, patch - 042 thanks to Akira TAGOH, Closes: #165240 + 042 thanks to Akira TAGOH, Closes: #165240 * Don't log EPERM when setting NOFILE limit as Linux doesn't let you - set that to -1, Closes: #180310 + set that to -1, Closes: #180310 * Add newline to end of distributed time.conf, Closes: #172229 * Up our standards version and support noopt in DEB_BUILD_OPTIONS @@ -1526,7 +1624,7 @@ pam (0.76-9) unstable; urgency=low * Fix pam_rhosts hurd patch so it actually works, Closes: #172914 * Fix patch 040 not to clobber errno when logging the error fails, - Closes: #172186 + Closes: #172186 * Fix dependency for linuxdoc-tools, Closes: #173097 -- Sam Hartman <hartmans@debian.org> Sun, 15 Dec 2002 17:10:58 -0500 @@ -1564,7 +1662,7 @@ pam (0.76-6) unstable; urgency=low * The "No, I don't think I actually want any of what upstream is smoking" release * If this were already in testing, this would be an severity emergency - upload + upload * pam_unix currently treats * in shadow file as no password not disabled; major security issue; fixed in upstream CVS, (patch 035) Closes: #164659 * OK, I think this actually fixes the rest of the manpage symlinks, @@ -1585,7 +1683,7 @@ pam (0.76-4) unstable; urgency=low * Upstream correctly states that one should use gcc not ld when linking and then hapilly proceeds to actually use ld, fixed, Closes: #163711 - + * Remove experimental warning from readme, Closes: 163742 -- Sam Hartman <hartmans@debian.org> Mon, 7 Oct 2002 23:45:53 -0400 
@@ -1644,7 +1742,7 @@ pam (0.75-3) experimental; urgency=low pam (0.75-2) experimental; urgency=low - * Fix pam_userdb to build and to build against db3, fixes patch 020 + * Fix pam_userdb to build and to build against db3, fixes patch 020 * Fix upstream makefile so pam_group has valid configuration, closes: #148657 * time.conf reference to logoutd removed, closes: #143801 * The static library contains all the appropriate symbols in this @@ -1703,7 +1801,7 @@ pam (0.72-32) unstable; urgency=medium * This should probably get into testing before freeze; medium. * Patch from Volker Stolz to fix bug in previous pam_group patch, - closes: #111854 + closes: #111854 -- Sam Hartman <hartmans@debian.org> Sat, 22 Sep 2001 06:32:29 -0400 @@ -1716,7 +1814,7 @@ pam (0.72-31) unstable; urgency=low pam (0.72-30) unstable; urgency=low * Include patch from robbe@orcus.priv.at to build pam_limits on hurd, - closes: #103556 + closes: #103556 * Start installing limits.conf for hurd (may not work quite right) -- Sam Hartman <hartmans@debian.org> Mon, 16 Jul 2001 09:35:51 -0400 @@ -1732,7 +1830,7 @@ pam (0.72-28) unstable; urgency=low * Fix scanf string so pam_limits chroot works, closes: #100812 * Only log unknown user at warning, not alert, closes: #95220 * By default do complete matches not substring matches for pam_time. - You can include explicit wildcard for substring, closes: #66152 + You can include explicit wildcard for substring, closes: #66152 -- Sam Hartman <hartmans@debian.org> Tue, 3 Jul 2001 17:31:45 -0400 @@ -1767,8 +1865,8 @@ pam (0.72-24) unstable; urgency=low pam (0.72-23) unstable; urgency=low * Patch from Benoit Gaussen <ben@trez42.net> , Don't trim from , to end - of string in user input, only trim from salt - grabbed from passwd file, closes: #96779 + of string in user input, only trim from salt + grabbed from passwd file, closes: #96779 * Fix NIS double locking, closes: #96736 -- Sam Hartman <hartmans@debian.org> Wed, 16 May 2001 15:46:34 -0400 
@@ -1800,7 +1898,7 @@ pam (0.72-19) unstable; urgency=low * New maintainer, closes: #92353 * Install pam-undocumented; somehow it was not installed in -18 - + -- Sam Hartman <hartmans@debian.org> Wed, 4 Apr 2001 21:32:17 -0400 pam (0.72-18) unstable; urgency=low @@ -2238,7 +2336,7 @@ pam (0.69-2) unstable; urgency=low * Fixed problem where libpam was getting built with -DDEBUG * pam_unix_passwd.c: Changed the perms on shadow to be 0.42 and 0640 instead of 0.0 and 0600 - * unix_chkpwd: fix it not being sgid shadow + * unix_chkpwd: fix it not being sgid shadow -- Ben Collins <bcollins@debian.org> Thu, 9 Sep 1999 13:52:01 -0400 @@ -2322,7 +2420,7 @@ pam (0.66-6) unstable; urgency=low pam (0.66-5) unstable; urgency=low - * Removed harcoded libc6 dependency from libpam0g-dev and changed it to + * Removed harcoded libc6 dependency from libpam0g-dev and changed it to libc6-dev. closes: #33615 * Added md5 flag for pam_unix_passwd.so * Removed upperLOWER program since it is just an example. Moved it's @@ -2439,7 +2537,7 @@ pam (0.65-0.8) frozen unstable; urgency=high pam (0.65-0.7) frozen unstable; urgency=high * Fixed security vulnerability in the pam_unix and pam_tally modules - (reported by Michal Zalewski on bugtraq; patch + (reported by Michal Zalewski on bugtraq; patch A000-SECURITY-PATCH-0.65-and-below.gz by Andrey V. Savochkin). -- J.H.M. Dassen (Ray) <jdassen@wi.LeidenUniv.nl> Tue, 29 Dec 1998 16:20:18 +0100 diff --git a/debian/control b/debian/control index 2f27f8f1..d8638647 100644 --- a/debian/control +++ b/debian/control 
@@ -3,17 +3,16 @@ Section: libs Priority: optional Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org> Maintainer: Steve Langasek <vorlon@debian.org> -Standards-Version: 3.9.1 -Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 8.9.4), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config -Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m +Standards-Version: 3.9.8 +Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config, libfl-dev, libfl-dev:native, docbook-xsl, docbook-xml, xsltproc, libxml2-utils, w3m Build-Conflicts-Indep: fop Build-Conflicts: libdb4.2-dev, libxcrypt-dev Vcs-Browser: https://salsa.debian.org/vorlon/pam Vcs-Git: https://salsa.debian.org/vorlon/pam.git -Homepage: http://pam.sourceforge.net/ +Homepage: http://www.linux-pam.org/ +Rules-Requires-Root: binary-targets Package: libpam0g -Priority: required Architecture: any Multi-Arch: same Replaces: libpam0g-util diff --git a/debian/libpam-doc.doc-base.applications-guide b/debian/libpam-doc.doc-base.applications-guide index f38ef1e5..89768d7e 100644 --- a/debian/libpam-doc.doc-base.applications-guide +++ b/debian/libpam-doc.doc-base.applications-guide 
@@ -4,7 +4,7 @@ Author: Andrew G. Morgan <morgan@linux.kernel.org> Abstract: This manual documents what an application developer needs to know about the Linux-PAM library. It describes how an application might use the Linux-PAM library to authenticate users. In addition it contains a - description of the funtions to be found in libpam_misc library, that can + description of the functions to be found in libpam_misc library, that can be used in general applications. Finally, it contains some comments on PAM related security issues for the application developer. Section: Programming diff --git a/debian/libpam-modules.install b/debian/libpam-modules.install index 191a34ea..5fd57b44 100644 --- a/debian/libpam-modules.install +++ b/debian/libpam-modules.install @@ -1,2 +1,3 @@ etc/security/* etc/security lib/*/security/*.so +debian/pam-configs/mkhomedir usr/share/pam-configs/ diff --git a/debian/libpam0g-dev.examples b/debian/libpam0g-dev.examples index c1b7e77e..351b20ee 100644 --- a/debian/libpam0g-dev.examples +++ b/debian/libpam0g-dev.examples @@ -2,4 +2,6 @@ examples/blank.c examples/check_user.c examples/vpass.c examples/xsh.c -libpamc/test/{agents,modules,regress} +libpamc/test/agents +libpamc/test/modules +libpamc/test/regress diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update index 60eb1e8f..6d17ab72 100644 --- a/debian/local/pam-auth-update +++ b/debian/local/pam-auth-update @@ -39,7 +39,7 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen'; my $titletemplate = 'libpam-runtime/title'; my $confdir = '/etc/pam.d'; my $savedir = '/var/lib/pam'; -my (%profiles, @sorted, @enabled, @conflicts, @new, %removals); +my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable); my $force = 0; my $package = 0; my $priority = 'high'; 
@@ -62,7 +62,7 @@ my %md5sums = ( opendir(DIR, $inputdir) || die "could not open config directory: $!"; while (my $profile = readdir(DIR)) { - next if ($profile eq '.' || $profile eq '..'); + next if ($profile eq '.' || $profile eq '..' || $profile =~ m/~$/ || $profile =~ m/^#.+#$/); %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile); } closedir DIR; @@ -89,6 +89,13 @@ while ($#ARGV >= 0) { } # --remove implies --package $package = 1 if (keys(%removals)); + } elsif ($opt eq '--enable') { + while ($#ARGV >= 0) { + last if ($ARGV[0] =~ /^--/); + $to_enable{shift @ARGV} = 1; + } + # --enable implies --package + $package = 1 if (keys(%to_enable)); } } @@ -119,7 +126,7 @@ if ($diff) { # find out what we've seen, so we can ignore those defaults my %seen; if (-e $savedir . '/seen') { - open(SEEN,$savedir . '/seen'); + open(SEEN,$savedir . '/seen') or die("open(${savedir}/seen) failed: $!"); while (<SEEN>) { chomp; $seen{$_} = 1; @@ -136,6 +143,10 @@ if (!@enabled) { $priority = 'high' unless ($force); } +# add configs to enable +push(@enabled, + grep { $to_enable{$_} } @sorted); + # add any previously-unseen configs push(@enabled, grep { $profiles{$_}->{'Default'} eq 'yes' && !$seen{$_} } @sorted); @@ -218,11 +229,11 @@ do { # the decision has been made about what configs to use, so even if # something fails after this, we shouldn't go munging the default # options again. Save the list of known configs to /var/lib/pam. -open(SEEN,"> $savedir/seen"); +open(SEEN,"> $savedir/seen") or die("open(${savedir}/seen) failed: $!"); for my $i (@sorted) { print SEEN "$i\n"; } -close(SEEN); +close(SEEN) or die("close(${savedir}/seen) failed: $!"); # @enabled now contains our list of profiles to use for piecing together # a config @@ -372,7 +383,7 @@ sub create_from_template } } close(INPUT); - close(OUTPUT); + close(OUTPUT) or die("close($dest) failed: $!"); if ($state < 4) { unlink($dest); 
@@ -525,16 +536,19 @@ sub write_profiles } } - close(OUTPUT); + close(OUTPUT) or die("close($dest) failed: $!"); # then do the renames, back-to-back # we have to use system because File::Copy is in # perl-modules, not perl-base - if (-e "$target" && $force) { - system('cp','-f',$target,$target . '.pam-old'); + if (-e $target && $force) { + system('cp','-f',$target,$target . '.pam-old') == 0 + or die("cp -f ${target} ${target}.pam.old failed"); } - rename($dest,$target); - rename("$savedir/$type.new","$savedir/$type"); + rename($dest,$target) + or die("rename($dest, $target) failed: $!"); + rename("$savedir/${type}.new","$savedir/$type") + or die("rename(${savedir}/${type}.new, ${savedir}/${type}) failed: $!"); } # at the end of a successful write, reset the 'seen' flag and the diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8 index fd5e2ad4..a5ebdbad 100644 --- a/debian/local/pam-auth-update.8 +++ b/debian/local/pam-auth-update.8 @@ -68,6 +68,10 @@ Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to `medium' so that the user is not prompted by default. .TP +.B \-\-enable \fIprofile \fR[\fIprofile\fR...] +Enable the specified profiles in system configuration. This is used to +enable profiles that are not on by default. +.TP .B \-\-remove \fIprofile \fR[\fIprofile\fR...] Remove the specified profiles from the system configuration. .B pam\-auth\-update \-\-remove diff --git a/debian/local/pam_getenv b/debian/local/pam_getenv index 2abddcad..e409c3e5 100644 --- a/debian/local/pam_getenv +++ b/debian/local/pam_getenv @@ -75,7 +75,7 @@ sub expand_val($) { my ($val) = @_; return undef unless $val; die "Cannot handle PAM items\n" if /(?<!\\)\@/; - $val =~ s/(?<!\\)\${([^}]+)}/$ENV{$1}||""/eg; + $val =~ s/(?<!\\)\$\{([^}]+)\}/$ENV{$1}||""/eg; return $val; } diff --git a/debian/pam-configs/mkhomedir b/debian/pam-configs/mkhomedir new file mode 100644 index 00000000..9c27980a --- /dev/null 
+++ b/debian/pam-configs/mkhomedir @@ -0,0 +1,7 @@ +Name: Create home directory on login +Default: no +Priority: 0 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_mkhomedir.so diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2010-4708.patch index c0fbb1ee..cf23e318 100644 --- a/debian/patches-applied/cve-2011-4708.patch +++ b/debian/patches-applied/cve-2010-4708.patch @@ -1,4 +1,4 @@ -Description: fix cve-2011-4708: .pam_environment privilege issue +Description: fix cve-2010-4708: .pam_environment privilege issue Index: pam.debian/modules/pam_env/pam_env.c =================================================================== --- pam.debian.orig/modules/pam_env/pam_env.c diff --git a/debian/patches-applied/cve-2015-3238.patch b/debian/patches-applied/cve-2015-3238.patch new file mode 100644 index 00000000..cb5e8c06 --- /dev/null +++ b/debian/patches-applied/cve-2015-3238.patch 
@@ -0,0 +1,180 @@ +From e89d4c97385ff8180e6e81e84c5aa745daf28a79 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk <kukuk@thkukuk.de> +Date: Mon, 22 Jun 2015 14:53:01 +0200 +Subject: Release version 1.2.1 + +Security fix: CVE-2015-3238 + +If the process executing pam_sm_authenticate or pam_sm_chauthtok method +of pam_unix is not privileged enough to check the password, e.g. +if selinux is enabled, the _unix_run_helper_binary function is called. +When a long enough password is supplied (16 pages or more, i.e. 65536+ +bytes on a system with 4K pages), this helper function hangs +indefinitely, blocked in the write(2) call while writing to a blocking +pipe that has a limited capacity. +With this fix, the verifiable password length will be limited to +PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. + +diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml +index 2379366..d1b00a2 100644 +--- a/modules/pam_exec/pam_exec.8.xml ++++ b/modules/pam_exec/pam_exec.8.xml +@@ -106,7 +106,8 @@ + During authentication the calling command can read + the password from <citerefentry> + <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry>. ++ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis> ++ bytes of a password are provided to the command. 
+ </para> + </listitem> + </varlistentry> +diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c +index 5ab9630..17ba6ca 100644 +--- a/modules/pam_exec/pam_exec.c ++++ b/modules/pam_exec/pam_exec.c +@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, + } + + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strdupa (resp); ++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + _pam_drop (resp); + } + else +- authtok = void_pass; ++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + + if (pipe(fds) != 0) + { +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index 4008402..a8b64bb 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -80,6 +80,13 @@ + </para> + + <para> ++ The maximum length of a password supported by the pam_unix module ++ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis> ++ - currently 512 bytes. The rest of the password provided by the ++ conversation function to the module will be ignored. ++ </para> ++ ++ <para> + The password component of this module performs the task of updating + the user's password. 
The default encryption hash is taken from the + <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index 2d330e5..c2e5de5 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; +- if (fromwhat) +- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); +- else +- pam_modutil_write(fds[1], "", 1); +- if (towhat) { +- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ if (fromwhat) { ++ int len = strlen(fromwhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], fromwhat, len); + } +- else +- pam_modutil_write(fds[1], "", 1); ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ int len = strlen(towhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], towhat, len); ++ } ++ pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index b325602..e79b55e 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) + int + read_passwords(int fd, int npass, char **passwords) + { ++ /* The passwords array must contain npass preallocated ++ * buffers of length MAXPASS + 1 ++ */ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { +- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; +diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h +index 3de6759..caf7ae8 100644 +--- a/modules/pam_unix/passverify.h 
++++ b/modules/pam_unix/passverify.h +@@ -8,7 +8,7 @@ + + #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT + +-#define MAXPASS 200 /* the maximum length of a password */ ++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ + + #define OLD_PASSWORDS_FILE "/etc/security/opasswd" + +diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c +index fdb45c2..abccd82 100644 +--- a/modules/pam_unix/support.c ++++ b/modules/pam_unix/support.c +@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + /* if the stored password is NULL */ + int rc=0; + if (passwd != NULL) { /* send the password to the child */ +- if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ int len = strlen(passwd); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ if (write(fds[1], passwd, len) == -1 || ++ write(fds[1], "", 1) == -1) { + pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_AUTH_ERR; + } +--- a/modules/pam_unix/pam_unix.8 2017-05-27 15:38:27.000000000 +0000 ++++ b/modules/pam_unix/pam_unix.8 2017-05-27 15:34:49.000000000 +0000 +@@ -56,6 +56,10 @@ + \fBnoreap\fR + module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. + .PP ++The maximum length of a password supported by the pam_unix module via the helper binary is ++\fIPAM_MAX_RESP_SIZE\fR ++\- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&. ++.PP + The password component of this module performs the task of updating the user\*(Aqs password\&. 
The default encryption hash is taken from the + \fBENCRYPT_METHOD\fR + variable from +--- a/modules/pam_exec/pam_exec.8 2017-05-27 15:38:27.000000000 +0000 ++++ b/modules/pam_exec/pam_exec.8 2017-05-27 15:56:25.000000000 +0000 +@@ -65,7 +65,9 @@ + \fBexpose_authtok\fR + .RS 4 + During authentication the calling command can read the password from +-\fBstdin\fR(3)\&. ++\fBstdin\fR(3)\&. Only first ++\fIPAM_MAX_RESP_SIZE\fR ++bytes of a password are provided to the command\&. + .RE + .PP + \fBlog=\fR\fB\fIfile\fR\fR diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch new file mode 100644 index 00000000..26f16503 --- /dev/null +++ b/debian/patches-applied/make_documentation_reproducible.patch @@ -0,0 +1,28 @@ +Description: Make documentation reproducible + Add LC_ALL=C to w3m to avoid changes in the output when build the + documentation with different locales. +Author: Juan Picca <jumapico@gmail.com> +Last-Update: 2015-07-11 + +--- pam.orig/configure ++++ pam/configure +@@ -15162,7 +15162,7 @@ fi + + + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" + else + enable_docu=no + fi +--- pam.orig/configure.in ++++ pam/configure.in +@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou + + AC_PATH_PROG([BROWSER], [w3m]) + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="LC_ALL=C $BROWSER -T text/html -dump" + else + enable_docu=no + fi diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers index bea1e32f..1e965b2d 100644 --- a/debian/patches-applied/pam-loginuid-in-containers +++ b/debian/patches-applied/pam-loginuid-in-containers @@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces Signed-off-by: Steve Langasek <vorlon@debian.org> 
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> -Index: pam.deb/modules/pam_loginuid/pam_loginuid.c +Index: ubuntu/modules/pam_loginuid/pam_loginuid.c =================================================================== ---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c -+++ pam.deb/modules/pam_loginuid/pam_loginuid.c -@@ -46,25 +46,49 @@ +--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000 ++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000 +@@ -47,25 +47,56 @@ /* * This function writes the loginuid to the /proc system. It returns 
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c + char loginuid[24], buf[24]; + static const char host_uid_map[] = " 0 0 4294967295\n"; + char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). */ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } - count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); - fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); + fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); if (fd < 0) { - if (errno != ENOENT) { - rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); + if (errno == ENOENT) { + rc = PAM_IGNORE; -+ } else if (errno == EACCES) { -+ fd = open("/proc/self/uid_map", O_RDONLY); -+ if (fd >= 0) { -+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); -+ if (strncmp(uid_map, host_uid_map, count) != 0) -+ rc = PAM_IGNORE; -+ close(fd); -+ } -+ if (rc != PAM_IGNORE) -+ errno = EACCES; + } + if (rc != PAM_IGNORE) { - pam_syslog(pamh, LOG_ERR, - "Cannot open /proc/self/loginuid: %m"); ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); } return rc; } - if (pam_modutil_write(fd, loginuid, count) != count) - rc = 1; + ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); + if (pam_modutil_read(fd, buf, sizeof(buf)) == count && + memcmp(buf, loginuid, count) == 0) { + rc = PAM_SUCCESS; + goto done; /* already correct */ + } + if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && -+ pam_modutil_write(fd, loginuid, count) == count) ++ pam_modutil_write(fd, loginuid, count) == count) 
{ + rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } + done: close(fd); return rc; } -@@ -164,6 +188,7 @@ +@@ -165,6 +196,7 @@ { const char *user = NULL; struct passwd *pwd; @@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c #ifdef HAVE_LIBAUDIT int require_auditd = 0; #endif -@@ -182,9 +207,14 @@ +@@ -183,9 +215,14 @@ return PAM_SESSION_ERR; } @@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c } #ifdef HAVE_LIBAUDIT -@@ -194,11 +224,12 @@ +@@ -195,11 +232,12 @@ argv++; } diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch new file mode 100644 index 00000000..6c6f1861 --- /dev/null +++ b/debian/patches-applied/pam_namespace_fix_bashism.patch 
@@ -0,0 +1,61 @@ +From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001 +From: Steve Langasek <vorlon@debian.org> +Date: Tue, 14 Jan 2014 19:48:51 -0800 +Subject: pam_namespace: don't use bashisms in default namespace.init script + +* modules/pam_namespace/pam_namespace.c: call setuid() before execing the +namespace init script, so that scripts run with maximum privilege regardless +of the shell implementation. +* modules/pam_namespace/namespace.init: drop the '-p' bashism from the +shebang line + +This is not a POSIX standard option, it's a bashism. The bash manpage says +that it's used to prevent the effective user id from being reset to the real +user id on startup, and to ignore certain unsafe variables from the +environment. + +In the case of pam_namespace, the -p is not necessary for environment +sanitizing because the PAM module (properly) sanitizes the environment +before execing the script. + +The stated reason given in CVS history for passing -p is to "preserve euid +when called from setuid apps (su, newrole)." This should be done more +portably, by calling setuid() before spawning the shell. + +Signed-off-by: Steve Langasek <vorlon@debian.org> +Bug-Debian: http://bugs.debian.org/624842 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323 +--- + modules/pam_namespace/namespace.init | 2 +- + modules/pam_namespace/pam_namespace.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init +index 9ab5806..67d4aa2 100755 +--- a/modules/pam_namespace/namespace.init ++++ b/modules/pam_namespace/namespace.init +@@ -1,4 +1,4 @@ +-#!/bin/sh -p ++#!/bin/sh + # It receives polydir path as $1, the instance path as $2, + # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, + # and user name in $4. 
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index e0d5e30..92883f5 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, + _exit(1); + } + #endif ++ /* Pass maximum privs when we exec() */ ++ if (setuid(geteuid()) < 0) { ++ /* ignore failures, they don't matter */ ++ } ++ + if (execle(init_script, init_script, + polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0) + _exit(1); +-- +cgit v0.12 + diff --git a/debian/patches-applied/series b/debian/patches-applied/series index d0e5fe69..51598ca8 100644 --- a/debian/patches-applied/series +++ b/debian/patches-applied/series @@ -15,7 +15,7 @@ hurd_no_setfsuid 045_pam_dispatch_jump_is_ignore 054_pam_security_abstract_securetty_handling 055_pam_unix_nullok_secure -cve-2011-4708.patch +cve-2010-4708.patch PAM-manpage-section update-motd no_PATH_MAX_on_hurd @@ -23,4 +23,7 @@ lib_security_multiarch_compat pam-loginuid-in-containers cve-2013-7041.patch cve-2014-2583.patch +cve-2015-3238.patch pam-limits-nofile-fd-setsize-cap +pam_namespace_fix_bashism.patch +make_documentation_reproducible.patch diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd index a89655df..6c2af5bb 100644 --- a/debian/patches-applied/update-motd +++ b/debian/patches-applied/update-motd 
@@ -86,16 +86,16 @@ Index: pam.debian/modules/pam_motd/pam_motd.c - - pam_info (pamh, "%s", mtmp); - break; -+ /* Run the update-motd dynamic motd scripts, outputting to /var/run/motd. -+ If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic. -+ Otherwise, the admin can force a static MOTD by breaking that symlink -+ and publishing into an /etc/motd text file. */ ++ /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic. ++ This will be displayed only when calling pam_motd with ++ motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd ++ display both this file and /etc/motd. */ + if (do_update && (stat("/etc/update-motd.d", &st) == 0) + && S_ISDIR(st.st_mode)) + { + mode_t old_mask = umask(0022); -+ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new")) -+ rename("/var/run/motd.new", "/var/run/motd"); ++ if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")) ++ rename("/run/motd.dynamic.new", "/run/motd.dynamic"); + umask(old_mask); } diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po index e2ec8a50..d36ff2e5 100644 --- a/debian/po/pt_BR.po +++ b/debian/po/pt_BR.po 
@@ -2,27 +2,28 @@ # Copyright (c) 2007 Steve Langasek <vorlon@debian.org> # This file is distributed under the same license as the pam package. # Eder L. Marques <eder@edermarques.net>, 2007-2009. +# Fernando Ike de Oliveira <fike@midstorm.org>, 2013. +# Adriano Rafael Gomes <adrianorg@arg.eti.br>, 2009-2015. # msgid "" msgstr "" -"Project-Id-Version: pam_0.99.7.1-5\n" +"Project-Id-Version: pam\n" "Report-Msgid-Bugs-To: pam@packages.debian.org\n" "POT-Creation-Date: 2011-10-30 15:05-0400\n" -"PO-Revision-Date: 2011-03-29 13:01-0700\n" -"Last-Translator: Eder L. Marques <eder@edermarques.net>\n" +"PO-Revision-Date: 2015-09-18 20:27-0300\n" +"Last-Translator: Adriano Rafael Gomes <adrianorg@arg.eti.br>\n" "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian." "org>\n" "Language: pt_BR\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"pt_BR utf-8\n" #. Type: string #. Description #: ../libpam0g.templates:1001 msgid "Services to restart for PAM library upgrade:" -msgstr "Serviços a serem reiniciados para a atualização de bibliotecas PAM:" +msgstr "Serviços a serem reiniciados para atualização da biblioteca PAM:" #. Type: string #. Description @@ -35,14 +36,14 @@ msgid "" msgstr "" "A maioria dos serviços que utilizam PAM precisam ser reiniciados para usar " "os módulos construídos para esta nova versão da libpam. Por favor, revise a " -"seguinte lista separada por espaços de seus scripts init.d para os serviços " -"a serem reiniciados agora, e a corrija se necessário." +"seguinte lista separada por espaços de scripts init.d de serviços que serão " +"reiniciados agora, e a corrija, se necessário." #. Type: error #. Description #: ../libpam0g.templates:2001 msgid "Display manager must be restarted manually" -msgstr "Gerenciadores de display devem ser reiniciados manualmente" +msgstr "Gerenciador de display deve ser reiniciado manualmente" #. Type: error #. Description 
@@ -55,7 +56,7 @@ msgid "" msgstr "" "Os gerenciadores de display wdm e xdm precisam ser reiniciados para a nova " "versão da libpam, mas existem sessões de login X ativas em seu sistema que " -"podem ser terminadas por este reinicio. Você consequentemente necessitará " +"serão terminadas por este reinício. Você consequentemente necessitará " "reiniciar estes serviços manualmente antes que logins X adicionais sejam " "possíveis." @@ -63,7 +64,7 @@ msgstr "" #. Description #: ../libpam0g.templates:3001 msgid "Failure restarting some services for PAM upgrade" -msgstr "Falha ao reiniciar alguns serviços para a atualização da PAM" +msgstr "Falha ao reiniciar alguns serviços para atualização do PAM" #. Type: error #. Description @@ -81,13 +82,14 @@ msgid "" "You will need to start these manually by running '/etc/init.d/<service> " "start'." msgstr "" -"Você deverá iniciá-los manualmente executando '/etc/init.d/<serviço> start'." +"Você deverá iniciá-los manualmente executando \"/etc/init.d/<serviço> start" +"\"." #. Type: boolean #. Description #: ../libpam0g.templates:4001 msgid "Restart services during package upgrades without asking?" -msgstr "" +msgstr "Reiniciar serviços durante a atualização de pacotes sem perguntar?" #. Type: boolean #. Description 
@@ -101,12 +103,20 @@ msgid "" "necessary restarts will be done for you automatically so you can avoid being " "asked questions on each library upgrade." msgstr "" +"Existem serviços instalados no seu sistema que precisam ser reiniciados " +"quando determinadas bibliotecas, tais como libpam, libc e libssl são " +"atualizadas. Uma vez que essas reinicializações podem causar interrupções de " +"serviços para o sistema, normalmente você terá que responder a cada " +"atualização qual será a lista de serviços que quiser reiniciar. Você pode " +"escolher esta opção para evitar novas solicitações; ao invés disso, todas as " +"reinicializações necessárias serão realizadas automaticamente para evitar " +"que você responda a cada atualização de biblioteca." #. Type: title #. Description #: ../libpam-runtime.templates:1001 msgid "PAM configuration" -msgstr "" +msgstr "Configuração do PAM" #. Type: multiselect #. Description @@ -124,9 +134,9 @@ msgid "" "sessions." msgstr "" "O PAM (\"Pluggable Authentication Modules\") determina como a autenticação, " -"autorização e alteração de senha são tratados no sistema, assim como permite " -"a configuração de ações adicionais a serem tomadas quando sessões de usuário " -"são iniciadas." +"a autorização e a alteração de senha são tratadas no sistema, assim como " +"permite a configuração de ações adicionais a serem tomadas quando sessões de " +"usuário são iniciadas." #. Type: multiselect #. Description @@ -138,7 +148,7 @@ msgid "" msgstr "" "Alguns pacotes de módulos PAM fornecem perfis que podem ser usados para " "ajustar automaticamente o comportamento de todas as aplicações que usam PAM " -"no sistema. Por favor, indique quais destes comportamentos você deseja " +"no sistema. Por favor, indique quais desses comportamentos você deseja " "habilitar." #. Type: error 
@@ -178,7 +188,7 @@ msgid "" "configuration by hand." msgstr "" "Um ou mais dos arquivos /etc/pam.d/common-{auth,account,password,session} " -"foram modificados localmente. Por favor, indique quais destas modificações " +"foram modificados localmente. Por favor, indique se essas modificações " "locais devem ser sobrescritas usando a configuração fornecida pelo sistema. " "Se você recusar esta opção, você precisará gerenciar a configuração de " "autenticação do seu sistema manualmente." @@ -197,15 +207,15 @@ msgid "" "all users access without authenticating, and is not allowed. Please select " "at least one PAM profile from the available list." msgstr "" -"Nenhum perfil PAM foi selecionado para uso neste sistema. Isto irá garantir " -"a todos os usuários acesso sem autenticação, e isto não é permitido. Por " +"Nenhum perfil PAM foi selecionado para uso neste sistema. Isto garantiria a " +"todos os usuários acesso sem autenticação, e isto não é permitido. Por " "favor, selecione no mínimo um perfil PAM da lista disponível." #. Type: error #. Description #: ../libpam-modules.templates:1001 msgid "xscreensaver and xlockmore must be restarted before upgrading" -msgstr "O xscreensaver e xlockmore precisam ser reiniciados antes de atualizar" +msgstr "xscreensaver e xlockmore devem ser reiniciados antes da atualização" #. Type: error #. Description 
@@ -220,7 +230,7 @@ msgid "" msgstr "" "Uma ou mais instâncias do xscreensaver ou do xlockmore foram detectadas em " "execução neste sistema. Por causa de modificações incompatíveis de " -"biblioteca a atualização do pacote libpam-modules impossibilitará você de se " -"autenticar nestes programas. Você deve providenciar que estes programas " +"biblioteca, a atualização do pacote libpam-modules impossibilitará você de " +"se autenticar nestes programas. Você deve providenciar que estes programas " "sejam reiniciados ou parados antes de continuar com esta atualização, para " "evitar bloquear seus usuários fora de suas sessões atuais." diff --git a/debian/watch b/debian/watch index da5e1ef6..e137cd73 100644 --- a/debian/watch +++ b/debian/watch @@ -1,3 +1,4 @@ version=3 -opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz - +opts=uversionmangle=s/^(\S+-doc)/0.0.$1/ \ +http://www.linux-pam.org/library/ \ +(?:|.*/)Linux-PAM(?:[_\-]v?|)(\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz) |
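
Review bot: in modules/pam_unix/pam_unix_passwd.c, _unix_run_update_binary(), the pam_modutil_write() calls that send fromwhat, towhat and their terminating NUL bytes still discard their return values, so a failed or short write on the helper pipe goes unnoticed, while the matching change in support.c does check its write(). Check each result and fail the update on error. `int len = strlen(fromwhat);` also narrows size_t to int; declare len as size_t. A password longer than PAM_MAX_RESP_SIZE is now cut without any trace; a pam_syslog notice (never containing the password) would let an admin explain why only a prefix was stored.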
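
Review bot: in modules/pam_unix/passverify.c, read_passwords() now reads up to MAXPASS+1-offset bytes, and the only thing enforcing the matching buffer size is the new comment ("npass preallocated buffers of length MAXPASS + 1"). The same patch raises MAXPASS from 200 to PAM_MAX_RESP_SIZE in passverify.h, and none of the callers' buffer declarations is visible in this diff, so each one needs to be audited for the +1: a caller that still allocates MAXPASS bytes can be overrun by one byte. Passing the buffer length as a parameter would make the contract checkable instead of documented.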
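
Review bot: in modules/pam_unix/support.c, _unix_run_helper_binary(), `write(fds[1], passwd, len) == -1` only catches a hard error; a short write would deliver a truncated password followed by the NUL and still count as sent. pam_unix_passwd.c in the same patch uses pam_modutil_write() for the same job; use it here as well and compare the result with len, as the pam_loginuid code does with `pam_modutil_write(fd, loginuid, count) == count`. len should be size_t rather than int.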
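
Review bot: in the modules/pam_exec/pam_exec.8 hunk, "Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the command" is missing an article; it should read "Only the first". The pam_unix.8 hunk in the same patch states the limit as "currently 512 bytes", so the two pages describe the same limit differently; giving the number in both, or in neither, would keep them consistent.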
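
Review bot: in debian/patches-applied/pam-loginuid-in-containers, the new /proc/self/uid_map check passes the result of pam_modutil_read() straight to strncmp() as the length: `count = pam_modutil_read(fd, uid_map, sizeof(uid_map));` followed by `if (strncmp(uid_map, host_uid_map, count) != 0)`. If the read fails, a negative count converts to a very large length and the comparison runs against an uninitialised uid_map buffer; if the read returns 0, or only a prefix of the map, strncmp() matches trivially and the process is treated as being outside a user namespace. Test count > 0 first and decide explicitly what a failed or short read should mean, since this result is what decides whether later loginuid failures are reported or ignored.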
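
Review bot: in modules/pam_namespace/pam_namespace.c, inst_init(), the empty branch after `if (setuid(geteuid()) < 0)` discards the one failure the commit message says matters. With '-p' dropped from the namespace.init shebang, a failed setuid() leaves the real and effective uid different, the shell may reset the effective uid on startup, and the init script then runs with less privilege than intended with nothing logged. Log the failure and `_exit(1)` like the neighbouring error paths, or expand the comment to say why continuing is safe.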
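
Review bot: in the pam_motd hunk of debian/patches-applied/update-motd, the output is staged at a fixed path, /run/motd.dynamic.new, and the rename() result is ignored. Two sessions opening at the same time both write that one temporary file through the shell redirection, so an interleaved or half-written file can be renamed into place, and a failed rename() leaves a stale MOTD without a log entry. Stage into a unique temporary file in /run (mkstemp) and log when rename() fails.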
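
Review bot: in debian/watch, the new upstream location is fetched over plain http:// (http://www.linux-pam.org/library/) and the opts line carries only uversionmangle, so uscan has nothing to authenticate the downloaded tarball against. If upstream publishes detached signatures, add a pgpsigurlmangle rule and ship the upstream signing key in the package; if the site offers https://, use that URL as well.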