From e007ca3d9f75a0df3a7c04d3577d2ac781324ce1 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Wed, 26 Jun 2024 09:46:57 +0200
Subject: Adding debian version 1:9.7p1-6.

Signed-off-by: Daniel Baumann
---
 debian/NEWS | 16 ++++++++++++++++
 debian/changelog | 7 +++++++
 debian/openssh-server.sshd.pam.in | 2 +-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/debian/NEWS b/debian/NEWS
index 4e3b2ee..79738c6 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,19 @@
+openssh (1:9.7p1-6) UNRELEASED; urgency=medium
+
+  Debian's PAM configuration for OpenSSH no longer reads the
+  ~/.pam_environment file. The implementation of this in pam_env has a
+  history of security problems and has been deprecated by the upstream
+  Linux-PAM maintainers due to the possibility that "user supplied
+  environment variables in the PAM environment could affect behavior of
+  subsequent modules in the stack without the consent of the system
+  administrator".
+
+  Instead, environment variables need to be set somewhere that will be
+  handled by the session process; for most users, this will be shell
+  initialization files such as ~/.bash_profile or ~/.bashrc.
+
+ -- Colin Watson  Thu, 23 May 2024 19:17:29 +0100
+
 openssh (1:9.5p1-1) experimental; urgency=medium
   OpenSSH 9.5p1 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index 8c231b5..c02c599 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:9.7p1-6) unstable; urgency=medium
+
+  * Stop reading ~/.pam_environment, which has a history of security
+    problems and is deprecated by PAM upstream (closes: #1018260).
+
+ -- Colin Watson  Tue, 25 Jun 2024 14:20:44 +0100
+
 openssh (1:9.7p1-5) unstable; urgency=medium
   [ Colin Watson ]
diff --git a/debian/openssh-server.sshd.pam.in b/debian/openssh-server.sshd.pam.in
index 2cad67d..adfb8b1 100644
--- a/debian/openssh-server.sshd.pam.in
+++ b/debian/openssh-server.sshd.pam.in
@@ -44,7 +44,7 @@ session required pam_limits.so
 session required pam_env.so # [1]
 # In Debian 4.0 (etch), locale-related environment variables were moved to
 # /etc/default/locale, so read that as well.
-session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session required pam_env.so envfile=/etc/default/locale
 # SELinux needs to intervene at login time to ensure that the process starts
 # in the proper default security context. Only sessions which are intended
--
cgit v1.2.3
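Review bot: The new `session required pam_env.so envfile=/etc/default/locale` line now relies on pam_env's built-in default for user_readenv being off, and nothing in the file records that ~/.pam_environment is deliberately no longer read, so a later maintainer could re-add `user_readenv=1` without seeing the rationale that only lives in debian/NEWS and debian/changelog. Consider a comment directly above the changed line, e.g. `# ~/.pam_environment is intentionally not read (no user_readenv); see NEWS for 1:9.7p1-6.` The earlier `session required pam_env.so # [1]` context line also omits the option, so both pam_env invocations in this hunk now behave the same in that respect; the `[1]` footnote text is outside the hunk, so whether it also describes user environment files and needs the same update cannot be checked from here. The PAM stack continues beyond the end of the hunk.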