Package | pam |
---|---|
Version | 1.1.8-3.6+deb9u1 (stretch), 1.3.1-5+deb10u1 (buster) |
Related CVEs | CVE-2024-22365 CVE-2025-6020 |
Multiple vulnerabilities were found in the PAM namespace module, used to configure private namespaces for user sessions.
CVE-2024-22365
Attackers may cause a denial of service (blocking the login process) via mkfifo, because the openat call (for protect_dir) lacks the O_DIRECTORY flag.
CVE-2025-6020
pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
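The effect of the missing flag in CVE-2024-22365 can be checked with the added example below, which is not code from pam or from this advisory. The helper `open_dir_component`, the `probe` function and the scratch directory name are hypothetical; the example only shows that on Linux an `openat` call carrying `O_DIRECTORY` returns `ENOTDIR` on a FIFO immediately instead of waiting for a writer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from pam_namespace): open one path component
 * relative to dfd, accepting it only if it is a real directory. */
int open_dir_component(int dfd, const char *name)
{
    /* O_DIRECTORY: a FIFO or regular file fails with ENOTDIR instead of
     * blocking in open(). O_NOFOLLOW: a symlink in this component is refused. */
    return openat(dfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Build a constructed scratch directory holding a FIFO and a subdirectory,
 * then return the errno produced by opening `which` ("fifo" or "dir");
 * 0 means the open succeeded, -1 means the setup itself failed. */
int probe(const char *which)
{
    char tmpl[] = "/tmp/odir-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) { rmdir(tmpl); return -1; }
    int result = -1;
    if (mkfifoat(dfd, "fifo", 0600) == 0 && mkdirat(dfd, "dir", 0700) == 0) {
        int fd = open_dir_component(dfd, which);
        result = (fd >= 0) ? 0 : errno;   /* capture errno before cleanup */
        if (fd >= 0) close(fd);
    }
    unlinkat(dfd, "fifo", 0);
    unlinkat(dfd, "dir", AT_REMOVEDIR);
    close(dfd);
    rmdir(tmpl);
    return result;
}

int main(void)
{
    printf("fifo -> errno %d (ENOTDIR=%d)\n", probe("fifo"), ENOTDIR);
    printf("dir  -> errno %d\n", probe("dir"));
    return 0;
}
```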
For Debian 10 buster, these problems have been fixed in version 1.3.1-5+deb10u1.
For Debian 9 stretch, these problems have been fixed in version 1.1.8-3.6+deb9u1.
We recommend that you upgrade your pam packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.