ELA-1522-1 pam security update

multiple vulnerabilities

2025-09-22
Package: pam
Version: 1.1.8-3.6+deb9u1 (stretch), 1.3.1-5+deb10u1 (buster)
Related CVEs: CVE-2024-22365, CVE-2025-6020


Multiple vulnerabilities were found in pam_namespace, the PAM module used to set up private namespaces for user sessions.

CVE-2024-22365

A local attacker can cause a denial of service (blocking the login
process) by creating a FIFO with mkfifo where pam_namespace expects a
directory, because the openat() call in protect_dir() lacks the
O_DIRECTORY flag and therefore opens the FIFO, blocking until a writer
appears.

CVE-2025-6020

pam_namespace may access user-controlled paths without proper
protection, allowing local users to elevate their privileges to root
via multiple symlink attacks and race conditions.


For Debian 10 buster, these problems have been fixed in version 1.3.1-5+deb10u1.

For Debian 9 stretch, these problems have been fixed in version 1.1.8-3.6+deb9u1.

We recommend that you upgrade your pam packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.