Adding upstream version 1.5.2.upstream/1.5.2upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 7232 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..df5f174
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,7232 @@
+2021-09-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix a typo found using codespell tool.
+	* modules/pam_pwhistory/pam_pwhistory.c: Replace "crypted password" with
+	"hashed password" in comment.
+	* modules/pam_unix/passverify.c (create_password_hash): Rename "crypted"
+	local variable to "hashed".
+
+2021-08-30  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
+
+	configure.ac: also search libcrypt through pkg-config.
+	libxcrypt provides a libcrypt.pc file so use it if available as this
+	will allow to retrieve the library path (e.g.
+	-L/home/buildroot/output/host//riscv64-buildroot-linux-musl/sysroot/usr/lib)
+	which is useful when cross-compiling and will avoid the following build
+	failure on buildroot:
+
+	/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
+	passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
+
+	Fixes:
+	 - http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
+
+2021-08-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: workaround the problem caused by libnss_systemd.
+	The getspnam(3) manual page says that errno shall be set to EACCES when
+	the caller does not have permission to access the shadow password file.
+	Unfortunately, this contract is broken when libnss_systemd is used in
+	the nss stack.
+
+	Workaround this problem by falling back to the helper invocation when
+	pam_modutil_getspnam returns NULL regardless of errno.  As pam_unix
+	already behaves this way when selinux is enabled, it should be OK
+	for the case when selinux is not enabled, too.
+
+	* modules/pam_unix/passverify.c (get_account_info): When
+	pam_modutil_getspnam returns NULL, unconditionally fall back
+	to the helper invocation.
+
+	Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
+	Resolves: https://github.com/linux-pam/linux-pam/issues/379
+
+2021-08-18  Jérôme Fenal  <jfenal@free.fr>
+
+	po: update translations using Weblate (French)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2021-08-02  panchenbo  <panchenbo@uniontech.com>
+
+	po/zh_CN.po: fix pam_lastlog translation errors.
+	Closes: https://github.com/linux-pam/linux-pam/issues/383
+
+2021-07-24  simmon  <simmon@nplob.com>
+
+	po: update translations using Weblate (Korean)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Swedish)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Portuguese (Brazil))
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Portuguese (Brazil))
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Dutch)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Italian)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Hebrew)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Finnish)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Danish)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2021-07-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Catalan)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2021-07-22  Yuri Chornoivan  <yurchor@ukr.net>
+
+	po: update translations using Weblate (Ukrainian)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2021-07-22  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	po: update translations using Weblate (Turkish)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2021-07-21  Piotr Drąg  <piotrdrag@gmail.com>
+
+	po: update translations using Weblate (Polish)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2021-07-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (German)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2021-07-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Russian)
+	Currently translated at 100.0% (100 of 100 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+2021-07-21  Seong-ho Cho  <darkcircle.0426@gmail.com>
+
+	po: update translations using Weblate (Korean)
+	Currently translated at 100.0% (99 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-07-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update .pot and .po files.
+	Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
+	command.
+
+	Prepare for 1.5.2 release.
+	* configure.ac (AC_INIT): Raise version to 1.5.2.
+	* NEWS: Update.
+
+	pam_faillock: remove confusing comment.
+	* modules/pam_faillock/pam_faillock.c (faillock_message): Remove the
+	comment that meant to help translators but actually confused xgettext.
+
+2021-07-09  Iker Pedrosa  <ipedrosa@redhat.com>
+
+	pam_filter: Close file after controlling tty.
+	Failing to check the descriptor value meant that there was a bug in the
+	attempt to close the controlling tty. Moreover, this would lead to a
+	file descriptor leak as pointed out by the static analyzer tool:
+
+	Error: RESOURCE_LEAK (CWE-772): [#def26]
+	Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
+	Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)".
+	Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious.  "t" leaks when it is zero.
+	Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero?
+	Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle.
+	  365|   		pam_syslog(pamh, LOG_ERR,
+	  366|   			   "child cannot become new session: %m");
+	  367|-> 		return PAM_ABORT;
+	  368|   	    }
+	  369|
+
+2021-06-29  Andrew G. Morgan  <morgan@kernel.org>
+
+	Permit unix_chkpwd & pam_unix.so to run without being setuid-root.
+	Remove the hard-coding of the idea that the only way pam_unix.so can
+	read the shadow file is if it can, in some way, run setuid-root.
+	Linux capabilities only require cap_dac_override to read the /etc/shadow
+	file.
+
+	This change achieves two things: it opens a path for a linux-pam
+	application to run without being setuid-root; further, it allows
+	unix_chkpwd to run non-setuid-root if it is installed:
+
+	   sudo setcap cap_dac_override=ep unix_chkpwd
+
+	If we wanted to link against libcap, we could install this binary with
+	cap_dac_override=p, and use cap_set_proc() to raise the effective bit
+	at runtime. However, some distributions already link unix_chkpwd
+	against libcap-ng for some, likely spurious, reason so "ep" is fine
+	for now.
+
+2021-06-15  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
+
+	configure.ac: fix build with libxcrypt and uclibc-ng.
+	Fix the following build failure with libxcrypt and uclibc-ng:
+
+	ld: unix_chkpwd-passverify.o: in function `verify_pwd_hash':
+	passverify.c:(.text+0xab4): undefined reference to `crypt_checksalt'
+
+	Fixes:
+	 - http://autobuild.buildroot.org/results/65d68b7c9c7de1c7cb0f941ff9982f93a49a56f8
+
+2021-06-14  Mathieu Trossevin  <mathieu.trossevin@gmail.com>
+
+	Add pkgconfig files for provided libraries.
+	* .gitignore: Add .pc files as they are generated by autoconf.
+	* configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
+	* libpam/Makefile.am: Install pam.pc.
+	* libpam/pam.pc.in: New file.
+	* libpam_misc/Makefile.am: Install pam_misc.pc
+	* libpam_misc/pam_misc.pc.in: New file.
+	* libpamc/Makefile.am: Install pamc.pc
+
+	This allow applications and PAM modules to automatically find libpam,
+	libpam_misc and libpamc if they are installed instead of having to
+	manually search for them.
+
+2021-06-14  Björn Esser  <besser82@fedoraproject.org>
+
+	Remove support for legacy xcrypt.
+	Since many distributions are shipping a version of libxcrypt >= 4.0.0
+	as a replacement for glibc's libcrypt now, older versions of xcrypt,
+	which could be installed in parallel, are not relevant anymore.
+
+	* configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h.
+	(AC_SEARCH_LIBS): Remove xcrypt.
+	(AC_CHECK_FUNCS): Remove crypt_gensalt_r.
+	(AC_DEFINE): Remove HAVE_LIBXCRYPT.
+	* modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
+	* modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
+	* modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
+	* modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise.
+	(create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
+
+2021-06-14  Jeff Squyres  <jsquyres@cisco.com>
+
+	pam_misc: set default length of misc_conv() buffer to 4096.
+
+	pam_misc: make length of misc_conv() configurable.
+	Add --with-misc-conv-bufsize=<number> option to configure to allow
+	a longer buffer size for libpam_misc's misc_conv() function (it still
+	defaults to 512 bytes).
+
+2021-06-14  Iker Pedrosa  <ipedrosa@redhat.com>
+
+	pam_timestamp: replace hmac implementation.
+	sha1 is no longer recommended as a cryptographic algorithm for
+	authentication. Thus, the idea of this change is to replace the
+	implementation provided by hmacsha1 included in pam_timestamp module by
+	the one in the openssl library. This way, there's no need to maintain
+	the cryptographic algorithm implementation and it can be easily changed
+	with a single configuration change.
+
+	modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
+	functions around openssl's hmac implementation. Moreover, manage the key
+	generation and its read and write in a file. Include an option to
+	configure the cryptographic algorithm in login.defs file.
+	modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
+	modules/pam_timestamp/pam_timestamp.c: replace calls to functions
+	provided by hmacsha1 by functions provided by openssl's wrapper.
+	configure.ac: include openssl dependecy if it is enabled.
+	modules/pam_timestamp/Makefile.am: include new files and openssl library
+	to compilation.
+	ci/install-dependencies.sh: include openssl library to dependencies.
+	NEWS: add new item to next release.
+	Make.xml.rules.in: add stringparam profiling for hmac
+	doc/custom-man.xsl: change import docbook to one with profiling
+	modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
+	indicate the value in /etc/login.defs that holds the value for the
+	encryption algorithm
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
+
+2021-06-13  Dmitry V. Levin  <ldv@altlinux.org>
+
+	.github: add gcc-11, clang-12, and clang-11 jobs.
+	* .github/workflows/ci.yml (gcc11-x86_64, gcc11-x86, gcc11-x32,
+	clang12-x86_64, clang11-x86_64): New jobs.
+
+2021-06-13  Dmitry V. Levin  <ldv@altlinux.org>
+
+	tests: fix -Wmaybe-uninitialized warnings.
+	Fix the following class of compilation warnings reported by gcc 11:
+
+	tst-pam_end.c: In function ‘main’:
+	tst-pam_end.c:55:12: error: ‘conv’ may be used uninitialized [-Werror=maybe-uninitialized]
+	   55 |   retval = pam_start (service, user, &conv, &pamh);
+	      |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	In file included from tst-pam_end.c:41:
+	../libpam/include/security/pam_appl.h:23:1: note: by argument 3 of type ‘const struct pam_conv *’ to ‘pam_start’ declared here
+	   23 | pam_start(const char *service_name, const char *user,
+	      | ^~~~~~~~~
+	tst-pam_end.c:49:19: note: ‘conv’ declared here
+	   49 |   struct pam_conv conv;
+	      |                   ^~~~
+
+	* tests/tst-pam_end.c (main): Initialize conv variable.
+	* tests/tst-pam_fail_delay.c: Likewise.
+	* tests/tst-pam_get_item.c: Likewise.
+	* tests/tst-pam_getenvlist.c: Likewise.
+	* tests/tst-pam_set_data.c: Likewise.
+	* tests/tst-pam_set_item.c: Likewise.
+	* tests/tst-pam_start.c: Likewise.
+	* tests/tst-pam_start_confdir.c: Likewise.
+
+2021-06-10  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: do not use crypt_checksalt when checking for password expiration
+	According to Zack Weinberg, the intended meaning of
+	CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+	method", it is not supposed to mean "force a password change on next
+	login for any user with an existing stored hash using this method".
+
+	This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+	* modules/pam_unix/passverify.c (check_shadow_expiry)
+	[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+	Closes: https://github.com/linux-pam/linux-pam/issues/367
+
+2021-06-10  Patrick Schleizer  <adrelanos@whonix.org>
+
+	pam_exec: implement quiet_log option.
+	* modules/pam_exec/pam_exec.c (call_exec): Implement quiet_log option.
+	* modules/pam_exec/pam_exec.8.xml: Document it.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/334
+
+2021-05-24  Jeff Squyres  <jsquyres@cisco.com>
+
+	pam.conf: clarify default action for unspecified return codes.
+	Add short blurbs explaining that if a return code is not specified in
+	the "[value1=action1 value2=action2 ...]" form and "default=action" is
+	not specified, that return code's action defaults to "bad".
+
+2021-05-01  Hasan  <aliyevH@hotmail.com>
+
+	man: fix spelling bug in pam_end.3.xml.
+	* doc/man/pam_end.3.xml: Fix repeated words.
+
+2021-04-25  simmon  <simmon@nplob.com>
+
+	po: update translations using Weblate (Korean)
+	Currently translated at 100.0% (99 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ko/
+
+2021-04-25  Emilio Herrera  <ehespinosa57@gmail.com>
+
+	po: update translations using Weblate (Spanish)
+	Currently translated at 81.8% (81 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
+
+2021-04-22  Josef Moellers  <jmoellers@suse.de>
+
+	pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE.
+	Replace it with a value obtained from /proc/sys/fs/nr_open
+
+	* modules/pam_limits/limits.conf.5.xml: Document the replacement.
+	* modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE
+	  value with a value obtained from /proc/sys/fs/nr_open
+
+2021-04-21  Stanislav Zidek  <szidek@redhat.com>
+
+	pam_userdb: Prevent garbage characters from db.
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791965
+
+2021-04-12  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	misc_conv: Flush the terminal input after the password is read.
+	Fixes #347
+
+	* libpam_misc/misc_conv.c (read_string): Use TCSAFLUSH instead
+	  of TCSADRAIN when resetting the terminal echo state
+
+2021-04-12  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_access: clean up the remote host matching code.
+	* modules/pam_access/pam_access.c (from_match): Split out remote_match()
+	  function and avoid calling it when matching against LOCAL keyword.
+	  There is also no point in doing domain match against TTY or SERVICE.
+
+2021-03-25  chuanqin  <chuanqing.qin@nokia-sbell.com>
+
+	pam_faillock: convert spaces to tab to keep code style.
+	convert spaces to tab which mixture use in modules/pam_faillock/main.c
+
+2021-03-08  theslimshaney  <33791263+theslimshaney@users.noreply.github.com>
+
+	pam_env: fix example in pam_env.conf.5 for setting variable.
+
+2021-03-05  dshein-alt  <76520100+dshein-alt@users.noreply.github.com>
+
+	pam_mkhomedir: use HOME_MODE or UMASK from /etc/login.defs.
+	Follow the example of useradd(8) and set the user home directory mode

+	to the value of HOME_MODE or UMASK configuration item from

+	/etc/login.defs when umask option is not specified.

+
+2021-02-13  Ricky Tigg  <ricky.tigg@gmail.com>
+	    Ricky Tigg  <ricky.tigg@gmail.com>
+
+	po: update translations using Weblate (Finnish)
+	Currently translated at 100.0% (99 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2021-02-13  Balázs Meskó  <meskobalazs@mailbox.org>
+	    Balázs Meskó  <meskobalazs@mailbox.org>
+
+	po: update translations using Weblate (Hungarian)
+	Currently translated at 77.7% (77 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/
+
+2021-02-13  Carmen Bianca Bakker  <carmen@carmenbianca.eu>
+	    Carmen Bianca Bakker  <carmen@carmenbianca.eu>
+
+	po: update translations using Weblate (Esperanto)
+	Currently translated at 43.4% (43 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/eo/
+
+2021-02-13  Weblate  <noreply@weblate.org>
+	    Weblate  <noreply@weblate.org>
+
+	Update translation files.
+	Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+	Translation: linux-pam/master
+
+2021-01-27  Changqing Li  <changqing.li@windriver.com>
+
+	configure.ac: add --with-systemdunitdir option.
+	* Add this option to support the following scenario:
+	prefix = '/usr'
+	servicedir = '/lib/systemd/system'
+
+	* The default behavior is changed:
+	If this option is not given, servicedir will be set to the value that is
+	obtained from systemd pkg-config file. If the value cannot be obtained,
+	servicedir will be set to the default value '$(prefix)/lib/systemd/system'.
+
+2021-01-27  Changqing Li  <changqing.li@windriver.com>
+
+	faillock: create tallydir before creating tallyfile.
+	The default tallydir is "/var/run/faillock", and this default
+	tallydir may not exist.
+
+	Function open may fail as tallydir does not exist when creating
+	the tallyfile. Therefore, faillock will not work well.
+
+	Fix this problem by creating tallydir before creating tallyfile
+	when the tallydir does not exist.
+
+2021-01-27  Ludwig Nussel  <ludwig.nussel@suse.de>
+
+	pam_securetty: don't complain about missing config.
+	Not shipping a config file should be perfectly valid for distros while
+	still having eg login pre-configured to honor securetty when present.
+	PAM itself doesn't ship any template either. So avoid spamming the log
+	file if /etc/securetty wasn't found.
+
+2021-01-25  Kolja  <razzeee@gmail.com>
+
+	faillock: Use pluralization via dngettext or fallback.
+
+2021-01-18  Andreas-Johann Ø Ulvestad  <aj@aju.no>
+	    Andreas-Johann Ø Ulvestad  <aj@aju.no>
+
+	po: update translations using Weblate (Norwegian Nynorsk)
+	Currently translated at 100.0% (99 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nn/
+
+2021-01-18  Jan Kuparinen  <copper_fin@hotmail.com>
+	    Jan Kuparinen  <copper_fin@hotmail.com>
+
+	po: update translations using Weblate (Finnish)
+	Currently translated at 100.0% (99 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-12-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_umask: fix handling of umask parameter.
+	Potential failures of strdup(3) were ignored, fix this by not using
+	strdup(3) at all.
+
+	* modules/pam_umask/pam_umask.c (struct options_t): Add const to umask
+	field, add login_umask field.
+	(parse_option): Do not use strdup.
+	(get_options): Assign pam_modutil_search_key return values
+	to options->login_umask.
+	(pam_sm_open_session): Free options.login_umask instead of
+	options.umask.
+
+2020-12-28  Sven Hartge  <sven@svenhartge.de>
+
+	pam_setquota: Minor whitespace, spelling and mail address fixes.
+
+2020-12-26  Vlad  <milovlad@outlook.com>
+	    Vlad  <milovlad@outlook.com>
+
+	po: update translations using Weblate (Romanian)
+	Currently translated at 100.0% (99 of 99 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ro/
+
+2020-12-23  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_mkhomedir: fix umask wording in documentation.
+	* modules/pam_mkhomedir/pam_mkhomedir.8.xml (umask): Fix wording.
+
+2020-12-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Bulgarian)
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/bg/
+
+2020-12-17  Issam E. Maghni  <issam.e.maghni@mailbox.org>
+
+	configure: test -a|o is not POSIX.
+	Fixes `test: too many arguments` when building Linux-PAM using sbase.
+	This is due to a non-POSIX syntax test ... -a ... and test ... -o ....
+
+	> The XSI extensions specifying the -a and -o binary primaries and the
+	> '(' and ')' operators have been marked obsolescent.
+
+	See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
+
+2020-12-08  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_namespace: check for string_to_security_class failure.
+	Check for the unlikely case string_to_security_class() does not find the
+	associated SELinux security class.
+	This will only happen if the loaded SELinux policy does not define the
+	class "dir" (which no sane policy does) or querying the selinuxfs
+	fails.
+
+	Suggested by #309
+
+2020-12-08  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_selinux: check for string_to_security_class failure.
+	Check for the unlikely case string_to_security_class() does not find the
+	associated SELinux security class.
+	This will only happen if the loaded SELinux policy does not define the
+	class "chr_file" (which no sane policy does) or querying the selinuxfs
+	fails.
+
+	Suggested by #309
+
+2020-12-07  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Clarify the effect of 'done' in documentation.
+	The done action does not terminate the stack processing in case
+	there is a failing module with bad action up in the stack.
+
+	Fixes #307
+
+	* doc/man/pam.conf-syntax.xml: Clarify the effect of 'done'.
+
+2020-11-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	.github: partially migrate from ubuntu-18.04 to ubuntu-20.04.
+	* .github/workflows/ci.yml (runs-on): Switch from ubuntu-latest to
+	ubuntu-20.04 for whitespace-errors and *-x86_64 jobs.  Stick with
+	ubuntu-18.04 for *-x86 and *-x32 jobs until we figure out how to
+	obtain -lcrypt on ubuntu-20.04 for these architectures.
+
+2020-11-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	ci: do not install libxcrypt-dev.
+	Apparently, both -lcrypt and -lxcrypt from ubuntu-18.04 already provide
+	crypt_r.
+
+	* ci/install-dependencies.sh (packages): Remove libxcrypt-dev.
+
+2020-11-24  Thomas M. DuBuisson  <tommd@muse.dev>
+
+	pam_unix: fix memory leak on error path.
+	* modules/pam_unix/bigcrypt.c (bigcrypt) [HAVE_CRYPT_R]: Do not leak
+	cdata if crypt_r() fails.
+
+2020-11-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	maint: update release procedure.
+	* maint/README-release: Update.
+
+2020-11-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update .po and .pot files.
+	Regenerate po/Linux-PAM.pot and po/*.po using "make -C po update-po"
+	command.  This removes translations of pam_cracklib, pam_tally, and
+	pam_tally2 modules that were removed in v1.5.0.
+
+	Complements: v1.5.0~10 "Remove deprecated pam_cracklib module"
+	Complements: v1.5.0~9 "Remove deprecated pam_tally and pam_tally2 modules"
+
+2020-11-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: cleanup POTFILES.in.
+	* po/POTFILES.in: Strip "./" prefix, sort the list.
+
+2020-11-24  Jan Kuparinen  <copper_fin@hotmail.com>
+	    Jan Kuparinen  <copper_fin@hotmail.com>
+
+	po: update translations using Weblate (Finnish)
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-11-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Prepare for 1.5.1 release.
+	* configure.ac (AC_INIT): Raise version to 1.5.1.
+
+	Fix various typos found using codespell tool.
+	* modules/pam_limits/limits.conf: Replace "overriden" with "overridden".
+	* modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Replace
+	"preseves" with "preserves".
+	* modules/pam_setquota/pam_setquota.8.xml: Replace "specifed" with
+	"specified".
+	* modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Replace
+	"fileystem" with "filesystem", "conditons" with "conditions".
+
+	Fix grammar: replace "an user" with "a user" everywhere.
+	* NEWS: Replace "an user" with "a user".
+	* modules/pam_faillock/pam_faillock.8.xml: Likewise.
+	* modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
+	* modules/pam_limits/pam_limits.c: Likewise.
+	* modules/pam_sepermit/sepermit.conf: Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
+	* modules/pam_userdb/pam_userdb.c: Likewise.
+
+2020-11-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_wheel: Use pam_modutil_user_in_group_uid_gid instead of reimplementation
+	The pam_modutil_user_in_group... functions use getgrouplist to check
+	the membership so they work also in setups with remote services which do
+	not provide group members in struct group.
+
+	Fixes #297
+
+	* modules/pam_wheel/pam_wheel.c (perform_check): Call pam_modutil_user_in_group_uid_gid
+	  to do the group check.
+
+2020-11-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add NEWS entries for the 1.5.1 security fix release.
+
+2020-11-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Second blank check with root for non-existent users must never return 1.
+	The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
+	a regression where the blank check could return 1 if root had an empty
+	password hash because in the second case the password hash of root was
+	used. We now always return 0 in this case.
+
+	The issue was found by Johannes Löthberg.
+
+	Fixes #284
+
+	* modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
+	to cover the complete blank check so both existing and non existing
+	cases are identical except for the possible return value.
+
+2020-11-12  Tavian Barnes  <tavianator@tavianator.com>
+
+	faillock: Add a nodelay option.
+	Fixes #295
+
+2020-11-10  Allison Karlitskaya  <allison.karlitskaya@redhat.com>
+
+	libpam: add supplementary groups on priv drop.
+	Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a
+	call to initgroups().  This makes sure that the user's supplementary
+	groups are also configured.  Fall back to setgroups(0, NULL) in case the
+	initgroups() call fails.
+
+	This fixes the permission check in pam_motd: this feature was intended
+	to allow setting permissions on a motd file to prevent it from being
+	shown to users who are not a member of a particular group (for example,
+	wheel).
+
+	Closes #292
+
+2020-11-05  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_env: deprecation notice of reading the user environment.
+	* modules/pam_env/pam_env.8.xml: Add the notice to the manual.
+	* modules/pam_env/pam_env.c (_pam_parse): Log deprecation warning
+	  if user_readenv is set.
+
+2020-11-04  Andreas Schneider  <asn@cryptomilk.org>
+
+	libpam: Fix memory leak on error path in _pam_start_internal()
+
+2020-11-04  Andreas Schneider  <asn@cryptomilk.org>
+
+	libpam: Fix memory leak with pam_start_confdir()
+	Found with AddressSanitzer in pam_wrapper tests.
+
+	==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
+	==985738==    at 0x4839809: malloc (vg_replace_malloc.c:307)
+	==985738==    by 0x48957E1: _pam_strdup (pam_misc.c:129)
+	==985738==    by 0x489851B: _pam_start_internal (pam_start.c:85)
+	==985738==    by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
+	==985738==    by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
+	==985738==    by 0x484AFEE: pam_start (pam_wrapper.c:1483)
+	==985738==    by 0x401723: setup_noconv (test_pam_wrapper.c:189)
+	==985738==    by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
+	==985738==    by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
+	==985738==    by 0x403EE5: main (test_pam_wrapper.c:1059)
+
+2020-11-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_env: allow environment files without EOL at EOF.
+	Fixes #263
+
+	* modules/pam_env/pam_env.c (_assemble_line): Do not error out if at feof()
+
+2020-11-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Prepare for 1.5.0 release.
+	* configure.ac (AC_INIT): Raise version to 1.5.0.
+	* NEWS: Update.
+
+2020-11-03  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_ftp: fix potential memory leak.
+	modules/pam_ftp/pam_ftp.c: free anon_user before returning as it may be
+	still in use.
+
+	pam_faillock: fix unread store statement.
+	modules/pam_faillock/main.c: remove store statement since the value is
+	only read in the enclosing expression.
+
+	pam_dispatch: fix unread store statement.
+	libpam/pam_dispatch: remove store statement since the value is never
+	read.
+
+2020-10-29  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Remove deprecated pam_tally and pam_tally2 modules.
+	* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
+	--enable-tally --enable-tally2.
+	* configure.ac: Remove --enable-tally and --enable-tally2 options.
+	(AM_CONDITIONAL): Remove COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
+	(AC_CONFIG_FILES): Remove modules/pam_tally/Makefile and
+	modules/pam_tally2/Makefile.
+	* doc/sag/pam_tally.xml: Remove.
+	* doc/sag/pam_tally2.xml: Likewise.
+	* doc/sag/Linux-PAM_SAG.xml: Do not include pam_tally.xml and
+	pam_tally2.xml.
+	* modules/Makefile.am (MAYBE_PAM_TALLY, MAYBE_PAM_TALLY2): Remove.
+	(SUBDIRS): Remove MAYBE_PAM_TALLY and MAYBE_PAM_TALLY2.
+	* modules/pam_tally/.gitignore: Remove.
+	* modules/pam_tally/Makefile.am: Likewise.
+	* modules/pam_tally/README.xml: Likewise.
+	* modules/pam_tally/faillog.h: Likewise.
+	* modules/pam_tally/pam_tally.8.xml: Likewise.
+	* modules/pam_tally/pam_tally.c: Likewise.
+	* modules/pam_tally/pam_tally_app.c: Likewise.
+	* modules/pam_tally/tst-pam_tally: Likewise.
+	* modules/pam_tally2/.gitignore: Likewise.
+	* modules/pam_tally2/Makefile.am: Likewise.
+	* modules/pam_tally2/README.xml: Likewise.
+	* modules/pam_tally2/pam_tally2.8.xml: Likewise.
+	* modules/pam_tally2/pam_tally2.c: Likewise.
+	* modules/pam_tally2/pam_tally2_app.c: Likewise.
+	* modules/pam_tally2/tallylog.h: Likewise.
+	* modules/pam_tally2/tst-pam_tally2: Likewise.
+	* modules/pam_timestamp/pam_timestamp_check.8.xml: Fix typo by replacing
+	pam_tally with pam_timestamp.
+	* po/POTFILES.in: Remove ./modules/pam_tally/pam_tally_app.c,
+	./modules/pam_tally/pam_tally.c, ./modules/pam_tally2/pam_tally2_app.c,
+	and ./modules/pam_tally2/pam_tally2.c.
+	* NEWS: Document this change.
+
+	Remove deprecated pam_cracklib module.
+	* ci/install-dependencies.sh: Remove libcrack2-dev.
+	* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
+	--enable-cracklib=check.
+	* conf/pam.conf: Remove references to pam_cracklib.so.
+	* configure.ac: Remove --enable-cracklib option.
+	(AC_SUBST): Remove LIBCRACK.
+	(AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB.
+	(AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile.
+	* doc/sag/pam_cracklib.xml: Remove.
+	* doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml.
+	* modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove.
+	(SUBDIRS): Remove MAYBE_PAM_CRACKLIB.
+	* modules/pam_cracklib/Makefile.am: Remove.
+	* modules/pam_cracklib/README.xml: Likewise.
+	* modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
+	* modules/pam_cracklib/pam_cracklib.c: Likewise.
+	* modules/pam_cracklib/tst-pam_cracklib: Likewise.
+	* xtests/tst-pam_cracklib1.c: Likewise.
+	* xtests/tst-pam_cracklib1.pamd: Likewise.
+	* xtests/tst-pam_cracklib2.c: Likewise.
+	* xtests/tst-pam_cracklib2.pamd: Likewise.
+	* modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib
+	in examples with pam_passwdqc.
+	* modules/pam_unix/pam_unix.8.xml: Likewise.
+	* po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c.
+	* xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2.
+	* xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd
+	and tst-pam_cracklib2.pamd.
+	(XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2.
+	* NEWS: Document this change.
+
+2020-10-27  DDoSolitary  <DDoSolitary@gmail.com>
+
+	pam_env: fix a typo in doc of pam_env.conf.
+
+2020-10-25  Christian Göttsche  <cgzones@googlemail.com>
+
+	Add missing format function attributes and enable -Wmissing-format-attribute
+	Exported functions already have these attributes, add them to other functions.
+	This enables compilers to find format specifier mismatches, like:
+
+	   foo_print("Hello %d", "world")
+
+	* m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wmissing-format-attribute.
+	* conf/pam_conv1/Makefile.am (AM_CFLAGS): Add -I$(top_srcdir)/libpam/include.
+	* conf/pam_conv1/pam_conv_y.y: Include <security/_pam_types.h>.
+	(yyerror): Add printf format attribute.
+	* modules/pam_pwhistory/opasswd.c (helper_log_err): Likewise.
+	* modules/pam_rootok/pam_rootok.c (log_callback): Likewise.
+	* modules/pam_tally/pam_tally.c (tally_log): Likewise.
+	* modules/pam_tally2/pam_tally2.c (tally_log): Likewise.
+	* modules/pam_unix/passverify.c (helper_log_err): Likewise.
+
+2020-10-21  Milo Casagrande  <milo@milo.name>
+	    Milo Casagrande  <milo@milo.name>
+
+	po: update translations using Weblate (Italian)
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2020-10-21  Yaron Shahrabani  <sh.yaron@gmail.com>
+	    Yaron Shahrabani  <sh.yaron@gmail.com>
+
+	po: update translations using Weblate (Hebrew)
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-10-21  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_motd: unset prompt value to drop privileges.
+	modules/pam_motd/pam_motd.c: set NULL value instead of "key user" for the
+	prompt when dropping privileges.
+
+2020-10-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_modutil_sanitize_fds: Add explicit casts to avoid warnings.
+
+	Revert "libpam/pam_modutil_sanitize.c: optimize the way to close fds"
+	This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
+
+2020-10-14  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_motd: document file filtering.
+	modules/pam_motd/pam_motd.8.xml: document file filtering of motd
+	messages.
+	NEWS: annotate change.
+
+2020-10-14  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_motd: filter motd by user and group.
+	modules/pam_motd/pam_motd.c: filter motd by user and group owning the
+	proper files. This is achieved by changing the ids of the process
+	reading the files from root to the target user.
+
+	Resolves:
+	https://bugzilla.redhat.com/show_bug.cgi?id=1861640
+
+2020-10-13  Mikhail Labiuk  <m.labyuk@omprussia.ru>
+
+	pam_faillock: fix invalid error message.
+	args_parse function pass "conf=" argument to set_conf_opt() after handling by self.
+	set_conf_opt is not able to handle "conf" argument and write error:
+	sddm-helper[415]: pam_faillock(sddm:auth): Unknown option: conf
+
+2020-10-05  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_namespace: polyinstantiation refer to gdm doc.
+	modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
+	about polyinstantiation and refer to gdm's documentation.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
+
+2020-09-30  Anton D. Kachalov  <rnouse@google.com>
+
+	Prevent SEGFAULT for unknown UID.
+	When running systemd service with DynamicUser being set, the dynamic UID
+	might be not mapped to user name (/etc/nsswitch.conf is not configured
+	with systemd nss module).
+
+	The getuidname() routine might return NULL and this is not checked by callee.
+
+2020-09-10  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_wheel: clarify use_uid option in man page.
+	modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
+	real uid of the calling process.
+
+2020-09-10  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_wheel: if getlogin fails fallback to PAM_RUSER.
+	modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
+	ID, then try with PAM_RUSER.
+
+	Resolves:
+	https://bugzilla.redhat.com/show_bug.cgi?id=1866866
+
+2020-09-10  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_wheel: improve coding style.
+	modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
+	condition statements
+
+2020-08-08  Dmitry V. Levin  <ldv@altlinux.org>
+
+	configure: add --disable-unix option.
+	Some distributions do not build pam_unix, e.g. ALT uses pam_tcb instead.
+	Add a configure option to disable build of pam_unix so that those who
+	choose not to build pam_unix no longer have to edit modules/Makefile.am
+	file.  The default is unchanged, i.e. build of pam_unix is enabled.
+
+	* configure.ac (AC_ARG_ENABLE): Add unix.
+	(AM_CONDITIONAL): Add COND_BUILD_PAM_UNIX.
+	* modules/Makefile.am [COND_BUILD_PAM_UNIX] (MAYBE_PAM_UNIX): Define.
+	(SUBDIRS): Replace pam_unix with $(COND_BUILD_PAM_UNIX).
+
+2020-08-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Build all installed executables with -Wl,-z,now if available.
+	This makes them built with full RELRO if -Wl,-z,relro is specified.
+
+	* m4/ld-z-now.m4: New file.
+	* m4/.gitignore: Add it to exclude list.
+	* configure.ac: Call PAM_LD_Z_NOW.
+	(EXE_LDFLAGS): Append $ZNOW_LDFLAGS.
+
+2020-08-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules: build all helpers with proper CFLAGS and LDFLAGS.
+	This makes all installed executables built with @EXE_CFLAGS@ and
+	@EXE_LDFLAGS@.
+
+	* modules/pam_mkhomedir/Makefile.am (mkhomedir_helper_CFLAGS,
+	mkhomedir_helper_LDFLAGS): New variables.
+	* modules/pam_tally/Makefile.am (pam_tally_CFLAGS, pam_tally_LDFLAGS):
+	Likewise.
+	* modules/pam_tally2/Makefile.am (pam_tally2_CFLAGS,
+	pam_tally2_LDFLAGS): Likewise.
+
+2020-08-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: rename PIE_* AC_SUBST variables to EXE_*
+	There are going to be other options added to CFLAGS and LDFLAGS
+	of executables made along with modules.
+
+	* configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from
+	PIE_CFLAGS and PIE_LDFLAGS, respectively.  AC_SUBST them instead of
+	PIE_CFLAGS and PIE_LDFLAGS.  All users updated.
+
+2020-08-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	m4: make libprelude-config diagnostics less noisy.
+	Before this change, every normal build of Linux-PAM used to contain
+	the following diagnostics:
+
+	  checking for libprelude-config... no
+	  checking for libprelude - version >= 0.9.0... no
+	  *** The libprelude-config script installed by LIBPRELUDE could not be found
+	  *** If LIBPRELUDE was installed in PREFIX, make sure PREFIX/bin is in
+	  *** your path, or set the LIBPRELUDE_CONFIG environment variable to the
+	  *** full path to libprelude-config.
+
+	Given that libprelude-config is rarely used nowadays,
+	the first two lines of diagnostics should be enough.
+
+	* m4/libprelude.m4 (AM_PATH_LIBPRELUDE): When libprelude-config
+	is not found, do not print the lengthy diagnostics unless
+	--with-libprelude-prefix was specified.
+
+2020-08-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	configure.ac: rewrite --disable-pie and -fpie/pie check.
+	* configure.ac: Rewrite -fpie/pie check using AC_LINK_IFELSE to make
+	the code more readable.  Add --enable-pie=check support and make it
+	the default, terminate if --enable-pie is specified but -fpie/pie
+	support is not available.
+
+	m4: rewrite ld --no-undefined check.
+	* m4/ld-no-undefined.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+	autoconf macro.
+
+	m4: rewrite ld --as-needed check.
+	* m4/ld-as-needed.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+	autoconf macro.
+
+	m4: rewrite ld -O1 check.
+	* m4/ld-O1.m4: Rewrite using AC_LINK_IFELSE to create a more readable
+	autoconf macro.
+
+2020-08-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	m4: rewrite __attribute__((unused)) check.
+	Rewrite using AC_CACHE_CHECK to create a more readable autoconf macro.
+
+	* m4/attribute.m4: New file.
+	* m4/japhar_grep_cflags.m4: Remove.
+	* m4/.gitignore: Replace japhar_grep_cflags.m4 with attribute.m4.
+	* configure.ac: Replace AC_C___ATTRIBUTE__ with PAM_ATTRIBUTE_UNUSED.
+
+2020-08-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: add -Wcast-align=strict to WARN_CFLAGS.
+	This way -Wcast-align will be tested regardless of the target machine.
+
+	* m4/warn_lang_flags.m4: Add gl_WARN_ADD([-Wcast-align=strict]).
+
+2020-08-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	configure.ac: rewrite WARN_CFLAGS initialization.
+	As the old machinery was not prepared for adding compiler options
+	conditionally when the compiler supports them, replace it with
+	a new machinery that implements this.
+
+	* m4/warnings.m4: New file.
+	* m4/warn_lang_flags.m4: Likewise.
+	* m4/.gitignore: Add exclusions for them.
+	* m4/japhar_grep_cflags.m4 (JAPHAR_GREP_CFLAGS): Remove.
+	* configure.ac: Call pam_WARN_LANG_FLAGS.  Remove all uses
+	of JAPHAR_GREP_CFLAGS.
+
+2020-08-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix -Wcast-align compilation warnings on arm.
+	Apparently, gcc is also not smart enough to infer the alignment
+	of structure fields, for details see
+	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133
+
+	Use unions to avoid these casts altogether, this fixes compilation
+	warnings reported by gcc on arm, e.g.:
+
+	md5.c: In function 'MD5Update':
+	md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align]
+	   92 |   MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+	      |                                   ^
+	md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align]
+	  101 |   MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+	      |                                   ^
+	md5.c: In function 'MD5Final':
+	md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align]
+	  136 |   MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+	      |                                   ^
+	md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align]
+	  147 |  memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+	      |         ^
+	md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align]
+	  149 |  MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+	      |                                  ^
+
+	* modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and
+	"in" fields with unions.  All users updated.
+	* modules/pam_unix/md5.h (struct MD5Context): Likewise.
+	* modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace
+	with a union.  All users updated.
+
+	Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
+
+2020-08-05  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_namespace: fix big-endian check in md5 implementation.
+	* modules/pam_namespace/md5.c: Do not check against the list of
+	architectures that are known to be little-endian, instead check
+	for WORDS_BIGENDIAN macro defined by AC_C_BIGENDIAN autoconf macro
+	on big-endian platforms.
+
+2020-08-05  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_namespace: skip context translation.
+	These retrieved contexts are just passed to libselinux functions and not
+	printed or otherwise made available to the outside, so a context
+	translation to human readable MCS/MLS labels is not needed.
+	(see man:setrans.conf(5))
+
+	pam_xauth: skip context translation.
+	The retrieved context is just passed to libselinux functions and not
+	printed or otherwise made available to the outside, so a context
+	translation to human readable MCS/MLS labels is not needed.
+	(see man:setrans.conf(5))
+
+	pam_xauth: replace deprecated security_context_t.
+	libselinux 3.1 deprecated the typedef security_context_t.
+	Use the underlaying type.
+
+	pam_unix: skip context translation.
+	These retrieved contexts are just passed to libselinux functions and not
+	printed or otherwise made available to the outside, so a context
+	translation to human readable MCS/MLS labels is not needed.
+	(see man:setrans.conf(5))
+
+	pam_unix: replace deprecated security_context_t.
+	libselinux 3.1 deprecated the typedef security_context_t.
+	Use the underlaying type.
+
+	pam_rootok: skip context translation.
+	The retrieved context is just passed to the libselinux function
+	'selinux_check_access()', so a context translation to human readable
+	MCS/MLS labels is not needed. (see man:setrans.conf(5))
+
+	pam_rootok: replace deprecated security_context_t.
+	libselinux 3.1 deprecated the typedef security_context_t.
+	Use the underlaying type.
+
+	pam_namespace: replace deprecated matchpathcon.
+	The matchpathcon family is deprecated.
+	Use the selabel family.
+
+	pam_namespace: replace deprecated security_context_t.
+	libselinux 3.1 deprecated the typedef security_context_t.
+	Use the underlaying type.
+
+2020-08-03  Christian Göttsche  <cgzones@googlemail.com>
+
+	autotools: enable warnings.
+
+2020-08-03  Christian Göttsche  <cgzones@googlemail.com>
+
+	autotools: update deprecated macros.
+	see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Obsolete-Macros.html
+
+	- update AC_HELP_STRING to AS_HELP_STRING
+	- update AC_TRY_COMPILE to AC_COMPILE_IFELSE
+	- update AC_TRY_RUN to AC_RUN_IFELSE
+	- update AC_TRY_LINK to AC_LINK_IFELSE
+
+2020-08-03  Issam Maghni  <concatime@users.noreply.github.com>
+
+	configure.ac: fix typo in --with-kernel-overflow-uid= option to match its documentation
+
+2020-07-22  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Add comment for the ignored PAM_AUTHTOK_ERR case.
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Add comment
+	about the reason for ignoring PAM_AUTHTOK_ERR.
+
+2020-07-22  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix missing initialization of daysleft.
+	The daysleft otherwise stays uninitialized if there is no shadow entry.
+
+	Regression from commit f5adefa.
+
+	Fixes #255
+
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
+
+2020-07-20  Charles Lee  <lchopn@gmail.com>
+
+	po: update translations using Weblate (Chinese (Simplified))
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
+
+2020-07-20  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_pwhistory: add helper to handle SELinux.
+	The purpose of the helper is to enable tighter confinement of login and
+	password changing services. The helper is thus called only when SELinux
+	is enabled on the system.
+
+	Resolves: https://github.com/linux-pam/linux-pam/pull/247
+
+2020-07-19  A S Alam  <amanpreet.alam@gmail.com>
+
+	po: update translations using Weblate (Punjabi)
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pa/
+
+2020-07-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_inline.h: cleanup pam_read_passwords a bit.
+	* libpam/include/pam_inline.h (pam_read_passwords): Increment pptr once
+	instead of using pptr+1 several times.  This change is not expected
+	to affect the code generated by the compiler as the latter is likely
+	to perform the optimization itself.
+
+2020-07-15  ikerexxe  <ipedrosa@redhat.com>
+
+	Move read_passwords function from pam_unix to pam_inline.h.
+	[ldv: rewrote commit message]
+
+	* modules/pam_unix/passverify.h (read_passwords): Remove prototype.
+	* modules/pam_unix/passverify.c (read_passwords): Move ...
+	* libpam/include/pam_inline.h: ... here, rename to pam_read_passwords,
+	add static inline qualifiers.
+	Include <unistd.h> and <errno.h>.
+	* modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
+	(main): Replace read_passwords with pam_read_passwords.
+	* modules/pam_unix/unix_update.c: Include "pam_inline.h".
+	(set_password): Replace read_passwords with pam_read_passwords.
+
+2020-07-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: use PAM_MAX_RESP_SIZE instead of its alias MAXPASS.
+	* modules/pam_unix/passverify.h (MAXPASS): Remove.
+	* modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS
+	with PAM_MAX_RESP_SIZE.
+	* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise.
+	* modules/pam_unix/support.c (_unix_verify_password): Likewise.
+	* modules/pam_unix/unix_chkpwd.c (main): Likewise.
+	* modules/pam_unix/unix_update.c (set_password): Likewise.
+
+2020-07-09  Lucas Ramage  <ramage.lucas@protonmail.com>
+
+	pam_stress: create man page.
+	Resolves: https://github.com/linux-pam/linux-pam/issues/148
+
+	* modules/pam_stress/README: Remove.
+	* modules/pam_stress/README.xml: New file.
+	* modules/pam_stress/pam_stress.8.xml: Likewise.
+	* modules/pam_stress/Makefile.am (MAINTAINERCLEANFILES): Add
+	$(MANS) and README.
+	(EXTRA_DIST): Add $(XMLS).
+	(XMLS): Add README.xml and pam_stress.8.xml.
+	[HAVE_DOC] (dist_man_MANS): Add pam_stress.8.
+	[ENABLE_REGENERATE_MAN] (dist_noinst_DATA): Add README.
+	[ENABLE_REGENERATE_MAN]: Include $(top_srcdir)/Make.xml.rules.
+	* modules/pam_stress/.gitignore: Remove.
+
+	Resolves: https://github.com/linux-pam/linux-pam/pull/184
+
+2020-07-05  Dmitry V. Levin  <ldv@altlinux.org>
+
+	po: update translations using Weblate (Slovak)
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+	po: update translations using Weblate (Portuguese (Brazil))
+
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+	po: update translations using Weblate (Dutch)
+
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+	po: update translations using Weblate (Italian)
+
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+	po: update translations using Weblate (German)
+
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+	po: update translations using Weblate (Catalan)
+
+	Currently translated at 100.0% (122 of 122 strings).
+
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+
+2020-07-05  Yaron Shahrabani  <sh.yaron@gmail.com>
+
+	Translated using Weblate (Hebrew)
+	Currently translated at 75.4% (92 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+	Translated using Weblate (Arabic)
+
+	Currently translated at 61.4% (75 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ar/
+
+2020-07-02  Dmitry V. Levin  <ldv@altlinux.org>
+
+	misc_conv: fix potential information leak on error path.
+	* libpam_misc/misc_conv.c (read_string): Clear the stack buffer from
+	data read earlier from stdin in case of a read error.
+
+2020-07-01  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_loginuid: fix unlikely negative 3rd argument of strncmp on error path
+	[ldv: rewrote commit message]
+
+	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Do not pass to
+	strncmp the return value of pam_modutil_read in an unlikely case when
+	the latter fails to read from /proc/self/uid_map.
+
+2020-07-01  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_namespace, pam_mkhomedir: fix unlikely descriptor leaks on error path
+	[ldv: rewrote commit message]
+
+	* modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just
+	opened file descriptor "srcfd" in an unlikely case when it cannot be
+	fstat'ed.
+	* modules/pam_namespace/pam_namespace.c (create_instance): Close just
+	opened file descriptor "fd" in an unlikely case when it cannot be
+	fstat'ed.
+
+2020-07-01  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_rootok: fix use of va_list.
+	CPPCHECK_WARNING (CWE-843):
+	error[va_end_missing]: va_list 'ap' was opened but not closed by
+	va_end().
+
+	[ldv: According to POSIX documentation, each invocation of va_start()
+	must be matched by a corresponding invocation of va_end().
+
+	According to the GNU libc documentation, "with most C compilers,
+	calling 'va_end' does nothing.  This is always true in the GNU C
+	compiler.  But you might as well call 'va_end' just in case your
+	program is someday compiled with a peculiar compiler."
+
+	The main reason for applying this change is to pacify static analysis
+	tools like cppcheck that insist on strict POSIX conformance in this
+	respect.]
+
+2020-07-01  ikerexxe  <ipedrosa@redhat.com>
+
+	misc_conv: fix potential stack buffer overflow.
+	[ldv: rewrote commit message]
+
+	* libpam_misc/misc_conv.c (read_string): Use _pam_overwrite_n instead
+	of _pam_overwrite to clear stack buffer "line" because the latter does
+	not have to be null-terminated.
+
+2020-07-01  Yaron Shahrabani  <sh.yaron@gmail.com>
+
+	Translated using Weblate (Hebrew)
+	Currently translated at 60.6% (74 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-06-30  Dmitry V. Levin  <ldv@altlinux.org>
+
+	misc_conv: remove redundant check.
+	* libpam_misc/misc_conv.c (read_string): Remove redundant nc > 0
+	check as it has already been tested in the previous condition.
+
+2020-06-29  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_limits: clarify configuration file.
+	Resolves: https://github.com/linux-pam/linux-pam/pull/249
+
+2020-06-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	.gitignore: move doc-specific entries to doc/.gitignore.
+
+	.gitignore: move module-specific entries to modules/.gitignore.
+
+2020-06-26  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_namespace: add systemd service file to gitignore.
+	* modules/pam_namespace/.gitignore: Add pam_namespace.service.
+
+	Complements: v1.4.0~247 ("pam_namespace: secure tmp-inst directories")
+
+2020-06-26  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_faillock: add faillock executable to gitignore.
+	* modules/pam_faillock/.gitignore: Add faillock.
+
+	Complements: v1.4.0~76 ("pam_faillock: New module for locking after multiple auth failures")
+
+2020-06-25  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_env: clarify user_readenv option.
+
+2020-06-24  Baurzhan Muftakhidinov  <baurthefirst@gmail.com>
+
+	Translated using Weblate (Kazakh)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
+
+2020-06-24  Yaron Shahrabani  <sh.yaron@gmail.com>
+
+	Translated using Weblate (Hebrew)
+	Currently translated at 44.2% (54 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/he/
+
+2020-06-22  Vito Caputo  <vcaputo@pengaru.com>
+
+	modules/pam_limits: add support for nonewprivs.
+	Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item.
+
+	The valid values are a boolean toggle 0/1 to keep semi-consistent
+	with the other numeric limits.  It's slightly awkward as this is
+	an oddball relative to the other items in pam_limits but outside
+	of the item value itself this does seem at home in pam_limits.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/224
+	Resolves: https://github.com/linux-pam/linux-pam/pull/225
+
+2020-06-17  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_usertype: avoid determining if user exists.
+	Taking a look at the time for the password prompt to appear it was
+	possible to determine if a user existed in a system. Solved it by
+	matching the runtime until the password prompt was shown by always
+	checking the password hash for an existing and a non-existing user.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+
+2020-06-17  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_unix: avoid determining if user exists.
+	Taking a look at the time for the password prompt to appear it was
+	possible to determine if a user existed in a system. Solved it by
+	matching the runtime until the password prompt was shown by always
+	checking the password hash for an existing and a non-existing user.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+
+2020-06-17  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_faillock: change /run/faillock/$USER permissions to 0660.
+	Nowadays, /run/faillock/$USER files have user:root ownership and 0600
+	permissions. This forces the process that writes to these files to have
+	CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
+	the capability can be removed, which leads to a more secure system.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
+
+2020-06-16  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_modutil_check_user_in_passwd: avoid timing attacks.
+	* libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do
+	not exit the file reading loop when the user is found, continue reading
+	the file to avoid timing attacks.
+
+2020-06-15  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
+
+	pam_faillock: fix build on musl.
+	Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of
+	fgetpwent_r which is not available on musl.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/236
+	Resolves: https://github.com/linux-pam/linux-pam/pull/237
+	Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
+
+2020-06-15  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	Move check_user_in_passwd from pam_localuser.c to pam_modutil.
+
+	* modules/pam_localuser/pam_localuser.c: Include
+	<security/pam_modutil.h>.
+	(pam_sm_authenticate): Replace check_user_in_passwd with
+	pam_modutil_check_user_in_passwd.
+	(check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd,
+	move to ...
+	* libpam/pam_modutil_check_user.c: ... new file.
+	* libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
+	* libpam/include/security/pam_modutil.h
+	(pam_modutil_check_user_in_passwd): New function declaration.
+	* libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
+
+2020-06-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	configure.ac: fix non-portable use of test builtin.
+	Portable code should not assume that test builtin supports == operator.
+
+	* configure.ac (opt_uidmin, opt_sysuidmin, opt_kerneloverflowuid): Fix
+	initialization.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/241
+	Fixes: 926d7935e ("pam_usertype: new module to tell if uid is in login.defs ranges")
+
+2020-06-11  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
+
+	configure.ac: fix build failure when crypt() does not require libcrypt.
+	Since commit 522246d20e4cd92fadc2d760228cb7e78cbeb4c5, the build fails
+	if "none required" is returned by AC_SEARCH_LIBS for libcrypt.
+
+	Resolves: https://github.com/linux-pam/linux-pam/pull/235
+	Fixes: http://autobuild.buildroot.org/results/92b3dd7c984d2b843ac9aacacd69eec99f28743e
+	Fixes: v1.4.0~228 ("Use cached 'crypt' library result correctly")
+
+2020-06-04  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: do not generate tarballs compressed with bzip2 and gzip.
+	There are tarballs compressed with xz, that should be enough.
+
+	* Makefile.am (AUTOMAKE_OPTIONS): Remove dist-bzip2, add no-dist-gzip.
+	(releasedocs): Do not create Linux-PAM-$(VERSION)-docs.tar.bz2
+	and Linux-PAM-$(VERSION)-docs.tar.gz.
+
+2020-06-04  Dmitry V. Levin  <ldv@altlinux.org>
+
+	maint: document release procedure.
+	* maint/README-release: New file.
+
+	maint: introduce gen-tag-message.
+	* maint/gen-tag-message: New script for preparing tag message.
+
+	maint: introduce make-dist.
+	* maint/make-dist: New script for preparing release tarballs.
+
+2020-06-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	gitlog-to-changelog: update from gnulib.
+
+2020-05-29  Josef Möllers  <jmoellers@suse.de>
+	    Tomáš Mráz  <tmraz@redhat.com>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_setquota: skip mountpoints equal to the user's $HOME.
+	Matthias Gerstner found the following issue:
+
+	<quote>
+	So this pam_setquota module iterates over all mounted file systems using
+	`setmntent()` and `getmntent()`.  It tries to find the longest match of
+	a file system mounted on /home/$USER or above (except when the
+	fs=/some/path parameter is passed to the pam module).
+
+	The thing is that /home/$USER is owned by the unprivileged user.  And
+	there exist tools like fusermount from libfuse which is by default
+	installed setuid-root for everybody.  fusermount allows to mount a FUSE
+	file system using an arbitrary "source device name" as the unprivileged
+	user.
+
+	Thus considering the following use case:
+
+	1) there is only the root file system (/) or a file system is mounted on
+	   /home, but not on /home/$USER.
+	2) the attacker mounts a fake FUSE file system over its own home directory:
+
+	  ```
+	  user $ export _FUSE_COMMFD=0
+	  user $ fusermount $HOME -ononempty,fsname=/dev/sda1
+	  ```
+
+	  This will result in a mount entry in /proc/mounts looking like this:
+
+	  ```
+	  /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
+	  ```
+	3) when the attacker now logs in with pam_setquota configured then
+	   pam_setquota will identify /dev/sda1 and the file system where
+	   to apply the user's quota on.
+
+	As a result an unprivileged user has full control over onto which block
+	device the quota is applied.
+	</quote>
+
+	If the user's $HOME is on a separate partition, setting a quota on the
+	user's $HOME does not really make sense, so this patch skips mountpoints
+	equal to the user's $HOME, preventing the above mentioned bug as
+	a side-effect (or vice-versa).
+
+	Reported-by: Matthias Gerstner <mgerstner@suse.de>
+	Resolves: https://github.com/linux-pam/linux-pam/pull/230
+
+2020-05-25  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_debug: do not invoke pam_get_user and do not set PAM_USER.
+	pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
+	pam_get_user returns an empty string as the user name.  When either of
+	these functions returned an error value, it used to return that error
+	value.  This hasn't been documented, and I couldn't find any rationale
+	for this behaviour.
+
+	* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
+	pam_get_user and pam_set_item.
+
+2020-05-24  Yi-Jyun Pan  <pan93412@gmail.com>
+
+	Translated using Weblate (Chinese (Traditional))
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
+
+2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules: downgrade syslog level for errors related to pam_get_user.
+	* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
+	the syslog level for diagnostics of errors returned by
+	pam_modutil_getpwnam for users returned by pam_get_user
+	from LOG_ERR to LOG_NOTICE.
+	* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
+	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
+	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
+	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+	* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
+	* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+	* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+	* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
+	pam_sm_close_session): Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
+	the syslog level for diagnostics of errors returned by
+	pam_modutil_getpwnam for users returned by pam_get_user
+	from LOG_WARNING to LOG_NOTICE.
+
+	Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules: downgrade syslog level for pam_get_user errors.
+	* modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
+	the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
+	* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
+	* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
+	* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
+	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
+	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+	* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
+	* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
+	* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
+	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
+	* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+	* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+	* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
+	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+	* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
+	pam_sm_acct_mgmt): Likewise.
+	* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
+	* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
+	pam_sm_close_session): Likewise.
+	* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
+	Downgrade the syslog level for pam_get_user errors from LOG_WARNING
+	to LOG_NOTICE.
+	* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
+
+	Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: add a test for return values.
+	* modules/pam_localuser/tst-pam_localuser-retval.c: New file.
+	* modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.
+
+	pam_localuser: refactor pam_sm_authenticate.
+	* modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
+	function.
+	(pam_sm_authenticate): Use it.
+
+2020-05-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: downgrade syslog level for errors related to user input.
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
+	the syslog level for errors related to pam_get_user from LOG_ERR to
+	LOG_NOTICE.
+
+	Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: re-format pam_sm_* function declarations.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: remove unused includes.
+	Also, remove unused MODULE_NAME macro.
+
+	* modules/pam_localuser/pam_localuser.c: Stop including unused header
+	files.
+	(MODULE_NAME): Remove.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: forward error values returned by pam_get_user.
+	Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
+	pam_get_user is guaranteed to return one of the following values:
+	PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
+	replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
+	PAM_SERVICE_ERR.
+	* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
+	new return values.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+	Give the application a chance to handle PAM_INCOMPLETE.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+	PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
+	PAM_CONV_AGAIN.
+	* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
+	it.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: open the passwd file after user name validation.
+	Since user name is untrusted input, it should be validated earlier
+	rather than later.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
+	the passwd file after user name validation.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: use BUFSIZ as the line buffer size.
+	As BUFSIZ is the buffer size used in stdio, it must be an efficient size
+	for the line buffer.  Also, it's larger than LINE_MAX used as the line
+	buffer size before this change, effectively raising the maximum user
+	name length supported by this module.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
+	LINE_MAX with BUFSIZ.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: handle long lines in passwd files properly.
+	Before this change, a long line in the passwd file used to be treated as
+	several lines which could potentially result to false match and,
+	consequently, to incorrect PAM_SUCCESS return value.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
+	long lines in passwd files properly.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: get rid of a temporary buffer.
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
+	copy the user name into a temporary buffer, use the user name itself in
+	comparisons.
+
+	pam_localuser: log unrecognized options.
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
+	unrecognized options.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
+	When passwd file cannot be opened or the user name either cannot be
+	obtained or is not valid, return PAM_SERVICE_ERR instead of
+	PAM_SYSTEM_ERR.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+	PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: reject user names that are too long.
+	Too long user names used to be truncated which could potentially result
+	to false match and, consequently, to incorrect PAM_SUCCESS return value.
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+	PAM_SERVICE_ERR if the user name is too long.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_localuser: reject user names containing a colon.
+	"root:x" is not a local user name even if the passwd file contains
+	a line starting with "root:x:".
+
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
+	PAM_PERM_DENIED if the user name contains a colon.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_mkhomedir: add a test for return values.
+	* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
+	* modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.
+
+	pam_faildelay: add a test for return values.
+	* modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
+	* modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.
+
+	pam_rootok: add a test for return values.
+	* modules/pam_rootok/tst-pam_rootok-retval.c: New file.
+	* modules/pam_rootok/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_rootok_retval_LDADD): New variables.
+
+	pam_nologin: add a test for return values.
+	* modules/pam_nologin/tst-pam_nologin-retval.c: New file.
+	* modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables.
+
+	pam_echo: add a test for return values.
+	* modules/pam_echo/tst-pam_echo-retval.c: New file.
+	* modules/pam_echo/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_echo_retval_LDADD): New variables.
+
+	pam_warn: add a test for return values.
+	* modules/pam_warn/tst-pam_warn-retval.c: New file.
+	* modules/pam_warn/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_warn_retval_LDADD): New variables.
+
+	pam_debug: add a test for return values.
+	* modules/pam_debug/tst-pam_debug-retval.c: New file.
+	* modules/pam_debug/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_debug_retval_LDADD): New variables.
+
+	pam_permit: add a test for return values.
+	* modules/pam_permit/tst-pam_permit-retval.c: New file.
+	* modules/pam_permit/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_permit_retval_LDADD): New variables.
+
+	pam_deny: add a test for return values.
+	* modules/pam_deny/tst-pam_deny-retval.c: New file.
+	* modules/pam_deny/Makefile.am (TESTS): Add $(check_PROGRAMS).
+	(check_PROGRAMS, tst_pam_deny_retval_LDADD): New variables.
+
+2020-05-21  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Introduce test_assert.h.
+	Introduce a new internal header file for definitions of handy macros
+	providing convenient assertion testing functionality.
+
+	* libpam/include/test_assert.h: New file.
+	* libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.
+
+2020-05-21  Andreas Henriksson  <andreas+fedora@fatal.se>
+
+	Translated using Weblate (Swedish)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sv/
+
+2020-05-17  Dmitry V. Levin  <ldv@altlinux.org>
+
+	doc: fix the description of stack jump effects.
+	Every stack jump, besides the jump itself, has a side effect which is
+	one of 'ignore', 'ok', or 'bad'.  Unfortunately, the side effect is far
+	from obvious because it depends on the PAM function call, and the
+	documentation that contradicts the implementation does not help either.
+
+	* doc/man/pam.conf-syntax.xml (actionN): Rewrite the description
+	of stack jump effects to match the implementation.
+
+	Fixes: 871a6e14d65c3c446ae0af51166dabc7a47a2b56
+
+2020-05-17  Weblate (bot)  <noreply@weblate.org>
+	    Allan Nordhøy  <epost@anotheragency.no>

+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	Translations update from Weblate (#227)
+	* Translated using Weblate (Norwegian Bokmål)

+	

+	Currently translated at 99.1% (121 of 122 strings)

+	

+	Translation: linux-pam/master

+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nb_NO/

+	

+	* Translated using Weblate (Catalan)

+	

+	Currently translated at 98.3% (120 of 122 strings)

+	

+	Translation: linux-pam/master

+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/

+
+2020-05-16  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules: do not check user name for emptyness before passing it to pam_modutil_getpwnam
+	pam_modutil_getpwnam is perfectly capable of handling empty strings as
+	user names, no need to double check that.
+
+	* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
+	the user name for emptyness before passing it to pam_modutil_getpwnam.
+	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+	* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
+	* modules/pam_shells/pam_shells.c (perform_check): Likewise.
+	* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
+	* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
+	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+
+2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_usertype: Document return values forwarded from pam_get_user.
+	* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document
+	PAM_BUF_ERR and PAM_CONV_ERR return values.
+
+2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_usertype: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+	Give the application a chance to handle PAM_INCOMPLETE.
+
+	* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Return
+	PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
+	PAM_CONV_AGAIN.
+	* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document it.
+
+2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_faillock: Document return values forwarded from pam_get_user.
+	* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
+	PAM_BUF_ERR and PAM_CONV_ERR return values.
+
+2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_faillock: return PAM_INCOMPLETE when pam_get_user returns PAM_CONV_AGAIN
+	Give the application a chance to handle PAM_INCOMPLETE.
+
+	* modules/pam_faillock/pam_faillock.c (get_pam_user): Return
+	PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
+	PAM_CONV_AGAIN.
+	* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
+
+2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_securetty: forward error values returned by pam_get_user.
+	Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
+	pam_get_user is guaranteed to return one of the following values:
+	PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
+
+	* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
+	replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
+	PAM_SERVICE_ERR.
+	* modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
+	new return values.
+
+2020-05-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules: do not check user name for NULL if pam_get_user returned PAM_SUCCESS
+	If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
+	to be a valid C string, no need to double check that.
+
+	* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
+	for NULL the user name returned by pam_get_user when the latter returned
+	PAM_SUCCESS.
+	* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
+	* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
+	* modules/pam_filter/pam_filter.c (process_args): Likewise.
+	* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
+	* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
+	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
+	* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
+	* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
+	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
+	* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
+	* modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
+	* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
+	* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
+	* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
+	* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
+	* modules/pam_shells/pam_shells.c (perform_check): Likewise.
+	* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
+	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
+	* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
+	* modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
+	* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
+	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
+	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
+	* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
+	* modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
+	* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
+	Likewise.
+
+2020-05-14  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_umask: Document return values forwarded from pam_get_user.
+	* modules/pam_umask/pam_umask.8.xml (RETURN VALUES): Document
+	PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
+
+	pam_exec: Document return values forwarded from pam_get_user.
+	* modules/pam_exec/pam_exec.8.xml (RETURN VALUES): Document
+	PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
+
+2020-05-13  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Deprecate pam_cracklib, pam_tally, and pam_tally2.
+	Deprecate pam_cracklib, there are two better alternatives to this
+	obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
+	from libpwquality project.
+
+	Deprecate pam_tally and pam_tally2 in favour of pam_faillock.
+
+	* configure.ac: Implement --enable-cracklib=check that enables build
+	of pam_cracklib when libcrack is available.
+	Disable build of pam_cracklib, pam_tally, and pam_tally2 by default.
+	* NEWS: Mention this change.
+	* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add
+	--enable-tally, --enable-tally2, and --enable-cracklib=check
+	to check build of these deprecated modules.
+
+2020-05-13  Dmitry V. Levin  <ldv@altlinux.org>
+
+	NEWS: update.
+
+2020-05-12  Thorsten Kukuk  <5908016+thkukuk@users.noreply.github.com>
+
+	Use correct path for pam_namespace.service file (#223)
+
+2020-05-09  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_setquota: fix return value when the user is unknown.
+	Following the bad example in pam_mkhomedir module, from the very
+	beginning pam_setquota module used to return PAM_CRED_INSUFFICIENT
+	when pam_modutil_getpwnam() returned an error.  Fix this now
+	by changing the return value to PAM_USER_UNKNOWN.
+
+	* modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Return
+	PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
+	* modules/pam_setquota/pam_setquota.8.xml (PAM_CRED_INSUFFICIENT):
+	Replace with PAM_USER_UNKNOWN.
+
+2020-05-09  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_mkhomedir: fix return value when the user is unknown.
+	From the very beginning pam_mkhomedir module used to return
+	PAM_CRED_INSUFFICIENT when getpwnam() or pam_modutil_getpwnam()
+	returned an error.  Fix this now by changing the return value
+	to PAM_USER_UNKNOWN.
+
+	* modules/pam_mkhomedir/mkhomedir_helper.c (main): Return
+	PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
+	* modules/pam_mkhomedir/pam_mkhomedir.c (pam_sm_open_session): Likewise.
+	* modules/pam_mkhomedir/pam_mkhomedir.8.xml (PAM_CRED_INSUFFICIENT):
+	Remove.
+
+2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_get_user: do not override valid values returned by the conversation function
+	When the conversation function returned a value different from
+	PAM_CONV_AGAIN and provided no response, pam_get_user used to replace
+	the return value with PAM_CONV_ERR.  Fix this and replace the return
+	value only if it was PAM_SUCCESS.
+
+	* libpam/pam_item.c (pam_get_user): Do not override valid values
+	returned by the conversation function.
+
+2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_get_user: filter conversation function return values.
+	Do not assume that the conversation function provided by the application
+	strictly follows the return values guidelines, replace undocumented
+	return values with PAM_CONV_ERR.
+
+	* libpam/pam_item.c (pam_get_user): If the value returned by the
+	conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR,
+	PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.
+
+2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	man: document other valid pam_get_user return values.
+	* doc/man/pam_get_user.3.xml (pam_get_user-return_values): Add
+	PAM_BUF_ERR, PAM_ABORT, and PAM_CONV_AGAIN.
+
+2020-05-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_get_user: consistently return PAM_SYSTEM_ERR if user specified a NULL pointer
+	pam_get_user returns PAM_SYSTEM_ERR in case of pamh == NULL.
+	In case of user == NULL, however, it used to return PAM_PERM_DENIED,
+	and in case of NULL conversation function it used to return
+	PAM_SERVICE_ERR.
+
+	According to the documentation, PAM_SYSTEM_ERR shall be returned
+	if a NULL pointer was submitted.
+
+	Fix this inconsistency and return PAM_SYSTEM_ERR in each of these
+	programming error cases.
+
+	* libpam/pam_item.c (pam_get_user): Return PAM_SYSTEM_ERR instead of
+	PAM_PERM_DENIED if user == NULL.  Return PAM_SYSTEM_ERR instead of
+	PAM_SERVICE_ERR if pamh->pam_conversation == NULL.
+
+2020-05-06  Weblate (bot)  <noreply@weblate.org>
+
+	Translations update from Weblate.
+	* Translated using Weblate (Spanish)

+	

+	Currently translated at 81.9% (100 of 122 strings)

+	

+	* Translated using Weblate (Portuguese)

+	

+	Currently translated at 100.0% (122 of 122 strings)

+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	doc: remove references to PAM_SM_* macros.
+	Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
+	Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
+	from Linux-PAM), PAM_SM_* macros have no effect.
+
+	modules: remove PAM_SM_* macros.
+	Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
+	Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
+	from Linux-PAM), PAM_SM_* macros have no effect.
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_usertype: do not override the default prompt.
+	Following the bad example in pam_succeed_if module, from the very
+	beginning pam_usertype used to override the default prompt used by
+	pam_get_user() with "login: ".  Fix this now.
+
+	* modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Do not
+	request PAM_USER_PROMPT item, invoke pam_get_user() with the default
+	prompt.
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_succeed_if: do not override the default prompt.
+	From the very beginning pam_succeed_if used to override the default
+	prompt used by pam_get_user() with "login: ".  Fix this now.
+
+	* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Do not
+	request PAM_USER_PROMPT item, invoke pam_get_user() with the default
+	prompt.
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: rename TESTS to dist_check_SCRIPTS.
+	... and remove $(TESTS) from EXTRA_DIST.
+
+	The change is performed automatically using the following script:
+	  sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
+	         -e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: rename man_MANS to dist_man_MANS.
+	... and remove $(MANS) from EXTRA_DIST.
+
+	The change is performed automatically using the following script:
+	  sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_namespace: cleanup pam_namespace.service installation.
+	* modules/pam_namespace/Makefile.am (service_DATA): New variable.
+	(install-data-local): Remove all commands related to servicedir.
+	(uninstall-local): Remove.
+
+	Fixes: 59812d1cf ("pam_namespace: secure tmp-inst directories")
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: add dist_ prefix to *_DATA.
+	... and remove $(DATA) from EXTRA_DIST.
+
+	The change is performed automatically using the following script:
+	  sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_timestamp/Makefile.am: rename noinst_PROGRAMS to check_PROGRAMS
+	... and remove nodist_TESTS.
+
+	* modules/pam_timestamp/Makefile.am (nodist_TESTS): Remove.
+	(TESTS): Replace $(nodist_TESTS) with $(check_PROGRAMS).
+	(noinst_PROGRAMS): Rename to check_PROGRAMS.
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_timestamp/Makefile.am: rename dist_TESTS to dist_check_SCRIPTS
+	... and remove it from EXTRA_DIST
+
+	* modules/pam_timestamp/Makefile.am (EXTRA_DIST): Remove $(dist_TESTS).
+	(dist_TESTS): Rename to dist_check_SCRIPTS.
+	(TESTS): Replace $(dist_TESTS) with $(dist_check_SCRIPTS).
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_namespace/Makefile.am: add dist_ prefix to secureconf_SCRIPTS
+	... and remove $(SCRIPTS) from EXTRA_DIST.
+
+	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Remove $(SCRIPTS).
+	(secureconf_SCRIPTS): Rename to dist_secureconf_SCRIPTS.
+
+2020-05-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Translated using Weblate (Russian)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+2020-05-03  Yuri Chornoivan  <yurchor@ukr.net>
+
+	Translated using Weblate (Ukrainian)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-05-03  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	Translated using Weblate (Turkish)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-05-03  Julien Humbert  <julroy67@gmail.com>
+
+	Translated using Weblate (French)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-05-03  scootergrisen  <scootergrisen@gmail.com>
+
+	Translated using Weblate (Danish)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-05-03  Piotr Drąg  <piotrdrag@gmail.com>
+
+	Translated using Weblate (Polish)
+	Currently translated at 100.0% (122 of 122 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-04-30  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Update .po and .pot files after adding pam_faillock.
+
+	pam_faillock: Correct the grammar of translated strings.
+	Also make the message the same as in pam_tally2.
+
+	pam_faillock: Add conf option to use a different config file.
+
+	pam_faillock: New module for locking after multiple auth failures.
+
+2020-04-29  Weblate (bot)  <noreply@weblate.org>
+	    Alesker Abdullayev - FEDORA Azerbaijan  <tech@abdullaeff.com>

+	    Allan Nordhøy  <epost@anotheragency.no>
+
+	Translations update from Weblate (#215)
+	Updated translation using Weblate

+	

+	* Translated using Weblate (Azerbaijani)

+	

+	Currently translated at 15.8% (19 of 120 strings)

+	

+	* Translated using Weblate (Norwegian Bokmål)

+	

+	Currently translated at 100.0% (120 of 120 strings)

+
+2020-04-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: rework vendordir substitution.
+	Since Make.xml.rules is the only place where XSLTPROC_CUSTOM was used,
+	remove stereotypic definitions from other Makefiles, this way we no
+	longer have to worry about vendordir being used somewhere else in
+	documentation files.
+
+	Likewise, define VENDORDIR in config.h and remove stereotypic
+	-DVENDORDIR= additions from other Makefiles, this way we no longer
+	have to worry about VENDORDIR being used somewhere else in the code.
+
+	* configure.ac (AM_CONDITIONAL): Remove HAVE_VENDORDIR.
+	(AC_DEFINE_UNQUOTED): Add VENDORDIR.
+	(AC_SUBST): Remove VENDORDIR, add STRINGPARAM_VENDORDIR.
+	* Make.xml.rules.in: Replace $(XSLTPROC_CUSTOM) with
+	@STRINGPARAM_VENDORDIR@.
+	* doc/man/Makefile.am (XSLTPROC_CUSTOM): Remove.
+	* libpam/Makefile.am [HAVE_VENDORDIR]: Remove.
+	* modules/pam_securetty/Makefile.am [HAVE_VENDORDIR]: Remove.
+	(XSLTPROC_CUSTOM): Remove.
+	* modules/pam_securetty/pam_securetty.c: Move definitions of local
+	macros after config.h to benefit from macros defined there.
+
+2020-04-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Make.xml.rules: prepare for configure substitutions.
+	* Make.xml.rules: Rename to ...
+	* Make.xml.rules.in: ... new file.
+	* Makefile.am (EXTRA_DIST): Remove Make.xml.rules.
+	* configure.ac (AC_CONFIG_FILES): Add Make.xml.rules.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_namespace: replace namespace.init with $(SCRIPTS) in EXTRA_DIST.
+	As namespace.init is listed in secureconf_SCRIPTS which is part of
+	generated SCRIPTS variable.
+
+	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.init
+	with $(SCRIPTS).
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_env: remove environment from EXTRA_DIST.
+	* modules/pam_env/Makefile.am (EXTRA_DIST): Remove environment as it is
+	listed in sysconf_DATA which is part of DATA which is already listed in
+	EXTRA_DIST.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: remove $(secureconf_DATA) from EXTRA_DIST.
+	Since the whole $(DATA) is listed in EXTRA_DIST, $(secureconf_DATA)
+	can be safely de-listed.
+
+	* modules/pam_access/Makefile.am (EXTRA_DIST): Remove
+	$(secureconf_DATA).
+	* modules/pam_env/Makefile.am: Likewise.
+	* modules/pam_group/Makefile.am: Likewise.
+	* modules/pam_limits/Makefile.am: Likewise.
+	* modules/pam_namespace/Makefile.am: Likewise.
+	* modules/pam_sepermit/Makefile.am: Likewise.
+	* modules/pam_time/Makefile.am: Likewise.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: replace README with $(DATA) in EXTRA_DIST.
+	Since the GNU Automake distributes README files by default, the only
+	reason why README had to be listed in EXTRA_DIST was to make these
+	README files generated.
+
+	Since README is also listed in noinst_DATA, we can safely replace
+	README in EXTRA_DIST with $(DATA), this also opens the way for
+	further EXTRA_DIST cleanup.
+
+	* modules/*/Makefile.am (EXTRA_DIST): Replace README with $(DATA).
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: reorder lines to promote uniformity.
+	This is essentially a no-op change that makes modules/*/Makefile.am
+	files less divergent.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: move README prerequisites rule from modules/*/Makefile.am to Make.xml.rules
+	As the rule is now the same in every modules/*/Makefile.am file,
+	move it to Make.xml.rules.
+
+	* Make.xml.rules (README): New prerequisites rule.
+	* modules/pam_access/Makefile.am (README): Remove rule.
+	* modules/pam_cracklib/Makefile.am (README): Likewise.
+	* modules/pam_debug/Makefile.am (README): Likewise.
+	* modules/pam_deny/Makefile.am (README): Likewise.
+	* modules/pam_echo/Makefile.am (README): Likewise.
+	* modules/pam_env/Makefile.am (README): Likewise.
+	* modules/pam_exec/Makefile.am (README): Likewise.
+	* modules/pam_faildelay/Makefile.am (README): Likewise.
+	* modules/pam_filter/Makefile.am (README): Likewise.
+	* modules/pam_ftp/Makefile.am (README): Likewise.
+	* modules/pam_group/Makefile.am (README): Likewise.
+	* modules/pam_issue/Makefile.am (README): Likewise.
+	* modules/pam_keyinit/Makefile.am (README): Likewise.
+	* modules/pam_lastlog/Makefile.am (README): Likewise.
+	* modules/pam_limits/Makefile.am (README): Likewise.
+	* modules/pam_listfile/Makefile.am (README): Likewise.
+	* modules/pam_localuser/Makefile.am (README): Likewise.
+	* modules/pam_loginuid/Makefile.am (README): Likewise.
+	* modules/pam_mail/Makefile.am (README): Likewise.
+	* modules/pam_mkhomedir/Makefile.am (README): Likewise.
+	* modules/pam_motd/Makefile.am (README): Likewise.
+	* modules/pam_namespace/Makefile.am (README): Likewise.
+	* modules/pam_nologin/Makefile.am (README): Likewise.
+	* modules/pam_permit/Makefile.am (README): Likewise.
+	* modules/pam_pwhistory/Makefile.am (README): Likewise.
+	* modules/pam_rhosts/Makefile.am (README): Likewise.
+	* modules/pam_rootok/Makefile.am (README): Likewise.
+	* modules/pam_securetty/Makefile.am (README): Likewise.
+	* modules/pam_selinux/Makefile.am (README): Likewise.
+	* modules/pam_sepermit/Makefile.am (README): Likewise.
+	* modules/pam_setquota/Makefile.am (README): Likewise.
+	* modules/pam_shells/Makefile.am (README): Likewise.
+	* modules/pam_succeed_if/Makefile.am (README): Likewise.
+	* modules/pam_tally/Makefile.am (README): Likewise.
+	* modules/pam_tally2/Makefile.am (README): Likewise.
+	* modules/pam_time/Makefile.am (README): Likewise.
+	* modules/pam_timestamp/Makefile.am (README): Likewise.
+	* modules/pam_tty_audit/Makefile.am (README): Likewise.
+	* modules/pam_umask/Makefile.am (README): Likewise.
+	* modules/pam_unix/Makefile.am (README): Likewise.
+	* modules/pam_userdb/Makefile.am (README): Likewise.
+	* modules/pam_usertype/Makefile.am (README): Likewise.
+	* modules/pam_warn/Makefile.am (README): Likewise.
+	* modules/pam_wheel/Makefile.am (README): Likewise.
+	* modules/pam_xauth/Makefile.am (README): Likewise.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: list prerequisites of README target uniformly.
+	There is no need to list prerequisites of README targets manually as
+	all README targets depend on $(XMLS).
+
+	The change is performed automatically using the following script:
+	  sed -i 's/^README: pam_.*/README: $(XMLS)/' modules/*/Makefile.am
+
+	* modules/pam_access/Makefile.am (README): Replace pam_access.8.xml
+	and access.conf.5.xml with $(XMLS).
+	* modules/pam_cracklib/Makefile.am (README): Replace pam_cracklib.8.xml
+	with $(XMLS).
+	* modules/pam_debug/Makefile.am (README): Replace pam_debug.8.xml
+	with $(XMLS).
+	* modules/pam_deny/Makefile.am (README): Replace pam_deny.8.xml
+	with $(XMLS).
+	* modules/pam_echo/Makefile.am (README): Replace pam_echo.8.xml
+	with $(XMLS).
+	* modules/pam_env/Makefile.am (README): Replace pam_env.8.xml and
+	pam_env.conf.5.xml with $(XMLS).
+	* modules/pam_exec/Makefile.am (README): Replace pam_exec.8.xml
+	with $(XMLS).
+	* modules/pam_faildelay/Makefile.am (README): Replace
+	pam_faildelay.8.xml with $(XMLS).
+	* modules/pam_filter/Makefile.am (README): Replace pam_filter.8.xml
+	with $(XMLS).
+	* modules/pam_ftp/Makefile.am (README): Replace pam_ftp.8.xml with
+	$(XMLS).
+	* modules/pam_group/Makefile.am (README): Replace pam_group.8.xml
+	and group.conf.5.xml with $(XMLS).
+	* modules/pam_issue/Makefile.am (README): Replace pam_issue.8.xml
+	with $(XMLS).
+	* modules/pam_keyinit/Makefile.am (README): Replace pam_keyinit.8.xml
+	with $(XMLS).
+	* modules/pam_lastlog/Makefile.am (README): Replace pam_lastlog.8.xml
+	with $(XMLS).
+	* modules/pam_limits/Makefile.am (README): Replace pam_limits.8.xml
+	and limits.conf.5.xml with $(XMLS).
+	* modules/pam_listfile/Makefile.am (README): Replace pam_listfile.8.xml
+	with $(XMLS).
+	* modules/pam_localuser/Makefile.am (README): Replace
+	pam_localuser.8.xml with $(XMLS).
+	* modules/pam_loginuid/Makefile.am (README): Replace pam_loginuid.8.xml
+	with $(XMLS).
+	* modules/pam_mail/Makefile.am (README): Replace pam_mail.8.xml
+	with $(XMLS).
+	* modules/pam_mkhomedir/Makefile.am (README): Replace
+	pam_mkhomedir.8.xml with $(XMLS).
+	* modules/pam_motd/Makefile.am (README): Replace pam_motd.8.xml
+	with $(XMLS).
+	* modules/pam_namespace/Makefile.am (README): Replace
+	pam_namespace.8.xml, namespace.conf.5.xml,
+	and pam_namespace_helper.8.xml with $(XMLS).
+	* modules/pam_nologin/Makefile.am (README): Replace pam_nologin.8.xml
+	with $(XMLS).
+	* modules/pam_permit/Makefile.am (README): Replace pam_permit.8.xml
+	with $(XMLS).
+	* modules/pam_pwhistory/Makefile.am (README): Replace
+	pam_pwhistory.8.xml with $(XMLS).
+	* modules/pam_rhosts/Makefile.am (README): Replace pam_rhosts.8.xml
+	with $(XMLS).
+	* modules/pam_rootok/Makefile.am (README): Replace pam_rootok.8.xml
+	with $(XMLS).
+	* modules/pam_securetty/Makefile.am (README): Replace
+	pam_securetty.8.xml with $(XMLS).
+	* modules/pam_selinux/Makefile.am (README): Replace pam_selinux.8.xml
+	with $(XMLS).
+	* modules/pam_sepermit/Makefile.am (README): Replace pam_sepermit.8.xml
+	with $(XMLS).
+	* modules/pam_setquota/Makefile.am (README): Replace pam_setquota.8.xml
+	with $(XMLS).
+	* modules/pam_shells/Makefile.am (README): Replace pam_shells.8.xml
+	with $(XMLS).
+	* modules/pam_succeed_if/Makefile.am (README): Replace
+	pam_succeed_if.8.xml with $(XMLS).
+	* modules/pam_tally/Makefile.am (README): Replace pam_tally.8.xml
+	with $(XMLS).
+	* modules/pam_tally2/Makefile.am (README): Replace pam_tally2.8.xml
+	with $(XMLS).
+	* modules/pam_time/Makefile.am (README): Replace pam_time.8.xml and
+	time.conf.5.xml with $(XMLS).
+	* modules/pam_timestamp/Makefile.am (README): Replace
+	pam_timestamp.8.xml with $(XMLS).
+	* modules/pam_tty_audit/Makefile.am (README): Replace
+	pam_tty_audit.8.xml with $(XMLS).
+	* modules/pam_umask/Makefile.am (README): Replace pam_umask.8.xml
+	with $(XMLS).
+	* modules/pam_unix/Makefile.am (README): Replace pam_unix.8.xml
+	with $(XMLS).
+	* modules/pam_userdb/Makefile.am (README): Replace pam_userdb.8.xml
+	with $(XMLS).
+	* modules/pam_usertype/Makefile.am (README): Replace pam_usertype.8.xml
+	with $(XMLS).
+	* modules/pam_warn/Makefile.am (README): Replace pam_warn.8.xml
+	with $(XMLS).
+	* modules/pam_wheel/Makefile.am (README): Replace pam_wheel.8.xml
+	with $(XMLS).
+	* modules/pam_xauth/Makefile.am (README): Replace pam_xauth.8.xml
+	with $(XMLS).
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: list secureconf_DATA files in EXTRA_DIST uniformly
+	The change was prepared using the following script:
+	  git grep -l secureconf_DATA modules/*/Makefile.am |while read m; do
+	    t="$(sed '/^secureconf_DATA = /!d;s///;q' -- "$m")"
+	    sed -i "/^EXTRA_DIST =/ s/\\<$t\\>/\$(secureconf_DATA)/" -- "$m"
+	  done
+
+	* modules/pam_access/Makefile.am (EXTRA_DIST): Replace access.conf with
+	$(secureconf_DATA).
+	* modules/pam_env/Makefile.am (EXTRA_DIST): Replace pam_env.conf with
+	$(secureconf_DATA).
+	* modules/pam_group/Makefile.am (EXTRA_DIST): Replace group.conf with
+	$(secureconf_DATA).
+	* modules/pam_limits/Makefile.am (EXTRA_DIST): Replace limits.conf with
+	$(secureconf_DATA).
+	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace namespace.conf
+	with $(secureconf_DATA).
+	* modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace sepermit.conf
+	with $(secureconf_DATA).
+	* modules/pam_time/Makefile.am (EXTRA_DIST): Replace time.conf with
+	$(secureconf_DATA).
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: list manual pages in EXTRA_DIST uniformly.
+	List in EXTRA_DIST those manual pages that are listed in man_MANS
+	as $(MANS).
+
+	* modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace pam_cracklib.8
+	with $(MANS).
+	* modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace pam_keyinit.8
+	with $(MANS).
+	* modules/pam_selinux/Makefile.am (EXTRA_DIST): Replace pam_selinux.8
+	with $(MANS).
+	* modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace pam_sepermit.8
+	and sepermit.conf.5 with $(MANS).
+	* modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace
+	pam_tty_audit.8 with $(MANS).
+	* modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace pam_userdb.8 with
+	$(MANS).
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: list tests in EXTRA_DIST uniformly.
+	The change was prepared using the following script:
+	  git grep -l '^TESTS = tst-pam_' modules/ |while read m; do
+	    t="$(sed '/^TESTS = tst-pam_/!d;s/^TESTS = //;q' -- "$m")"
+	    sed -i "/^EXTRA_DIST =/ s/$t\\>/\$(TESTS)/" -- "$m"
+	  done
+
+	* modules/pam_access/Makefile.am (EXTRA_DIST): Replace tst-pam_access
+	with $(TESTS).
+	* modules/pam_cracklib/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_cracklib with $(TESTS).
+	* modules/pam_debug/Makefile.am (EXTRA_DIST): Replace tst-pam_debug with
+	$(TESTS).
+	* modules/pam_deny/Makefile.am (EXTRA_DIST): Replace tst-pam_deny with
+	$(TESTS).
+	* modules/pam_echo/Makefile.am (EXTRA_DIST): Replace tst-pam_echo with
+	$(TESTS).
+	* modules/pam_env/Makefile.am (EXTRA_DIST): Replace tst-pam_env with
+	$(TESTS).
+	* modules/pam_exec/Makefile.am (EXTRA_DIST): Replace tst-pam_exec with
+	$(TESTS).
+	* modules/pam_faildelay/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_faildelay with $(TESTS).
+	* modules/pam_filter/Makefile.am (EXTRA_DIST): Replace tst-pam_filter
+	with $(TESTS).
+	* modules/pam_ftp/Makefile.am (EXTRA_DIST): Replace tst-pam_ftp with
+	$(TESTS).
+	* modules/pam_group/Makefile.am (EXTRA_DIST): Replace tst-pam_group with
+	$(TESTS).
+	* modules/pam_issue/Makefile.am (EXTRA_DIST): Replace tst-pam_issue with
+	$(TESTS).
+	* modules/pam_keyinit/Makefile.am (EXTRA_DIST): Replace tst-pam_keyinit
+	with $(TESTS).
+	* modules/pam_lastlog/Makefile.am (EXTRA_DIST): Replace tst-pam_lastlog
+	with $(TESTS).
+	* modules/pam_limits/Makefile.am (EXTRA_DIST): Replace tst-pam_limits
+	with $(TESTS).
+	* modules/pam_listfile/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_listfile with $(TESTS).
+	* modules/pam_localuser/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_localuser with $(TESTS).
+	* modules/pam_loginuid/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_loginuid with $(TESTS).
+	* modules/pam_mail/Makefile.am (EXTRA_DIST): Replace tst-pam_mail with
+	$(TESTS).
+	* modules/pam_mkhomedir/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_mkhomedir with $(TESTS).
+	* modules/pam_motd/Makefile.am (EXTRA_DIST): Replace tst-pam_motd with
+	$(TESTS).
+	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_namespace with $(TESTS).
+	* modules/pam_nologin/Makefile.am (EXTRA_DIST): Replace tst-pam_nologin
+	with $(TESTS).
+	* modules/pam_permit/Makefile.am (EXTRA_DIST): Replace tst-pam_permit
+	with $(TESTS).
+	* modules/pam_pwhistory/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_pwhistory with $(TESTS).
+	* modules/pam_rhosts/Makefile.am (EXTRA_DIST): Replace tst-pam_rhosts
+	with $(TESTS).
+	* modules/pam_rootok/Makefile.am (EXTRA_DIST): Replace tst-pam_rootok
+	with $(TESTS).
+	* modules/pam_securetty/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_securetty with $(TESTS).
+	* modules/pam_sepermit/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_sepermit with $(TESTS).
+	* modules/pam_setquota/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_setquota with $(TESTS).
+	* modules/pam_shells/Makefile.am (EXTRA_DIST): Replace tst-pam_shells
+	with $(TESTS).
+	* modules/pam_stress/Makefile.am (EXTRA_DIST): Replace tst-pam_stress
+	with $(TESTS).
+	* modules/pam_succeed_if/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_succeed_if with $(TESTS).
+	* modules/pam_tally/Makefile.am (EXTRA_DIST): Replace tst-pam_tally with
+	$(TESTS).
+	* modules/pam_tally2/Makefile.am (EXTRA_DIST): Replace tst-pam_tally2
+	with $(TESTS).
+	* modules/pam_time/Makefile.am (EXTRA_DIST): Replace tst-pam_time with
+	$(TESTS).
+	* modules/pam_tty_audit/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_tty_audit with $(TESTS).
+	* modules/pam_umask/Makefile.am (EXTRA_DIST): Replace tst-pam_umask with
+	$(TESTS).
+	* modules/pam_userdb/Makefile.am (EXTRA_DIST): Replace tst-pam_userdb
+	with $(TESTS).
+	* modules/pam_usertype/Makefile.am (EXTRA_DIST): Replace
+	tst-pam_usertype with $(TESTS).
+	* modules/pam_warn/Makefile.am (EXTRA_DIST): Replace tst-pam_warn with
+	$(TESTS).
+	* modules/pam_wheel/Makefile.am (EXTRA_DIST): Replace tst-pam_wheel with
+	$(TESTS).
+	* modules/pam_xauth/Makefile.am (EXTRA_DIST): Replace tst-pam_xauth with
+	$(TESTS).
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_namespace: simplify distribution of manual pages.
+	* modules/pam_namespace/Makefile.am: Merge MAN5 and MAN8 into man_MANS.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/*/Makefile.am: remove manual pages from noinst_DATA.
+	Manual pages already belong to man_MANS, listing them also
+	in noinst_DATA does not help in any way.
+
+	* modules/pam_cracklib/Makefile.am (noinst_DATA): Remove pam_cracklib.8.
+	* modules/pam_selinux/Makefile.am (noinst_DATA): Remove pam_selinux.8.
+	* modules/pam_sepermit/Makefile.am (noinst_DATA): Remove pam_sepermit.8
+	and sepermit.conf.5.
+	* modules/pam_userdb/Makefile.am (noinst_DATA): Remove pam_userdb.8.
+
+2020-04-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	configure: fix dlopen check.
+	* configure.ac: Check for the library providing dlopen using
+	AC_SEARCH_LIBS instead of AC_CHECK_LIB to handle the case when
+	dlopen is a part of libc.
+
+	configure: add --disable-tally and --disable-tally2 options.
+	* configure.ac (AC_ARG_ENABLE): Add tally and tally2.
+	(AM_CONDITIONAL): Add COND_BUILD_PAM_TALLY and COND_BUILD_PAM_TALLY2.
+	* modules/Makefile.am [COND_BUILD_PAM_TALLY] (MAYBE_PAM_TALLY): Define.
+	[COND_BUILD_PAM_TALLY2] (MAYBE_PAM_TALLY2): Likewise.
+	(SUBDIRS): Replace pam_tally with $(COND_BUILD_PAM_TALLY), pam_tally2
+	with $(COND_BUILD_PAM_TALLY2).
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: move pam_selinux and pam_sepermit build conditions to modules/Makefile.am
+	* configure.ac (AM_CONDITIONAL): Replace HAVE_LIBSELINUX with
+	COND_BUILD_PAM_SELINUX and COND_BUILD_PAM_SEPERMIT.
+	* modules/Makefile.am [COND_BUILD_PAM_SELINUX] (MAYBE_PAM_SELINUX):
+	Define.
+	[COND_BUILD_PAM_SEPERMIT] (MAYBE_PAM_SEPERMIT): Likewise.
+	(SUBDIRS): Replace pam_selinux with $(MAYBE_PAM_SELINUX),
+	pam_sepermit with MAYBE_PAM_SEPERMIT.
+	* modules/pam_selinux/Makefile.am: Assume HAVE_LIBSELINUX.
+	* modules/pam_sepermit/Makefile.am: Likewise.
+
+	build: simplify the check for unshare function.
+	* configure.ac (AC_CHECK_FUNCS): Do not set UNSHARE when checking for
+	unshare function.
+	(COND_BUILD_PAM_NAMESPACE): Check for $ac_cv_func_unshare instead of
+	$UNSHARE.
+
+	build: move pam_namespace build condition to modules/Makefile.am.
+	* configure.ac (AM_CONDITIONAL): Replace HAVE_UNSHARE with
+	COND_BUILD_PAM_NAMESPACE.
+	* modules/Makefile.am [COND_BUILD_PAM_NAMESPACE] (MAYBE_PAM_NAMESPACE):
+	Define.
+	(SUBDIRS): Replace pam_namespace with $(MAYBE_PAM_NAMESPACE).
+	* modules/pam_namespace/Makefile.am: Assume HAVE_UNSHARE.
+
+	build: move pam_userdb build condition to modules/Makefile.am.
+	* configure.ac (AM_CONDITIONAL): Replace HAVE_LIBDB with
+	COND_BUILD_PAM_USERDB.
+	* modules/Makefile.am [COND_BUILD_PAM_USERDB] (MAYBE_PAM_USERDB):
+	Define.
+	(SUBDIRS): Replace pam_userdb with $(MAYBE_PAM_USERDB).
+	* modules/pam_userdb/Makefile.am: Assume HAVE_LIBDB.
+
+	build: remove unused HAVE_LIBCRACK.
+	* configure.ac (AC_DEFINE): Remove unused HAVE_LIBCRACK.
+
+	build: move pam_cracklib build condition to modules/Makefile.am.
+	* configure.ac (AM_CONDITIONAL): Replace HAVE_LIBCRACK with
+	COND_BUILD_PAM_CRACKLIB.
+	* modules/Makefile.am [COND_BUILD_PAM_CRACKLIB] (MAYBE_PAM_CRACKLIB):
+	Define.
+	(SUBDIRS): Replace pam_cracklib with $(MAYBE_PAM_CRACKLIB).
+	* modules/pam_cracklib/Makefile.am: Assume HAVE_LIBCRACK.
+
+	build: remove unused HAVE_KEY_MANAGEMENT.
+	* configure.ac (AC_DEFINE, AC_SUBST): Remove unused HAVE_KEY_MANAGEMENT.
+	(AC_CHECK_DECL): Remove unused ENOKEY.
+
+	build: move pam_keyinit build condition to modules/Makefile.am.
+	* configure.ac (AM_CONDITIONAL): Replace HAVE_KEY_MANAGEMENT with
+	COND_BUILD_PAM_KEYINIT.
+	* modules/Makefile.am [COND_BUILD_PAM_KEYINIT] (MAYBE_PAM_KEYINIT):
+	Define.
+	(SUBDIRS): Replace pam_keyinit with $(MAYBE_PAM_KEYINIT).
+	* modules/pam_keyinit/Makefile.am: Assume HAVE_KEY_MANAGEMENT.
+
+	build: remove unused AC_DEFINE([HAVE_AUDIT_TTY_STATUS])
+	* configure.ac (AC_DEFINE): Remove unused HAVE_AUDIT_TTY_STATUS.
+
+	build: move pam_tty_audit build condition to modules/Makefile.am.
+	* configure.ac (AM_CONDITIONAL): Replace HAVE_AUDIT_TTY_STATUS with
+	COND_BUILD_PAM_TTY_AUDIT.
+	* modules/Makefile.am [COND_BUILD_PAM_TTY_AUDIT] (MAYBE_PAM_TTY_AUDIT):
+	Define.
+	(SUBDIRS): Replace pam_tty_audit with $(MAYBE_PAM_TTY_AUDIT).
+	* modules/pam_tty_audit/Makefile.am: Assume HAVE_AUDIT_TTY_STATUS.
+
+	configure.ac: sort COND_BUILD_* conditionals.
+	... and move them closer to the end of configure.ac.
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/Makefile.am: sort SUBDIRS.
+	Also list one element of SUBDIRS per line for the ease of maintenance.
+
+	* modules/Makefile.am (SUBDIRS): List one per line, sort.
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	ci: add gcc-10 jobs.
+	* .github/workflows/ci.yml (gcc10-x86_64, gcc10-x86, gcc10-x32):
+	New jobs.
+	* .travis.yml (matrix): Add gcc-10 jobs on x86_64, x86, x32,
+	and ppc64le.
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_issue: fix potential read out of bounds.
+	Reported by gcc-10 -Warray-bounds:
+
+	In file included from /usr/include/string.h:494,
+	                 from modules/pam_issue/pam_issue.c:19:
+	In function 'strncat',
+	    inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:197:3:
+	/usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [260, 389] from the object at 'uts' is out of the bounds of referenced subobject 'version' with type 'char[65]' at offset 195 [-Werror=array-bounds]
+	  136 |   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+	      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	In file included from modules/pam_issue/pam_issue.c:26:
+	modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+	/usr/include/x86_64-linux-gnu/sys/utsname.h:59:10: note: subobject 'version' declared here
+	   59 |     char version[_UTSNAME_VERSION_LENGTH];
+	      |          ^~~~~~~
+	In file included from /usr/include/string.h:494,
+	                 from modules/pam_issue/pam_issue.c:19:
+	In function 'strncat',
+	    inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:188:3:
+	/usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [65, 389] from the object at 'uts' is out of the bounds of referenced subobject 'sysname' with type 'char[65]' at offset 0 [-Werror=array-bounds]
+	  136 |   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+	      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	In file included from modules/pam_issue/pam_issue.c:26:
+	modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+	/usr/include/x86_64-linux-gnu/sys/utsname.h:51:10: note: subobject 'sysname' declared here
+	   51 |     char sysname[_UTSNAME_SYSNAME_LENGTH];
+	      |          ^~~~~~~
+	In file included from /usr/include/string.h:494,
+	                 from modules/pam_issue/pam_issue.c:19:
+	In function 'strncat',
+	    inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:194:3:
+	/usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [195, 389] from the object at 'uts' is out of the bounds of referenced subobject 'release' with type 'char[65]' at offset 130 [-Werror=array-bounds]
+	  136 |   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+	      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	In file included from modules/pam_issue/pam_issue.c:26:
+	modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+	/usr/include/x86_64-linux-gnu/sys/utsname.h:57:10: note: subobject 'release' declared here
+	   57 |     char release[_UTSNAME_RELEASE_LENGTH];
+	      |          ^~~~~~~
+	In file included from /usr/include/string.h:494,
+	                 from modules/pam_issue/pam_issue.c:19:
+	In function 'strncat',
+	    inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:191:3:
+	/usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [130, 389] from the object at 'uts' is out of the bounds of referenced subobject 'nodename' with type 'char[65]' at offset 65 [-Werror=array-bounds]
+	  136 |   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+	      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	In file included from modules/pam_issue/pam_issue.c:26:
+	modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+	/usr/include/x86_64-linux-gnu/sys/utsname.h:54:10: note: subobject 'nodename' declared here
+	   54 |     char nodename[_UTSNAME_NODENAME_LENGTH];
+	      |          ^~~~~~~~
+	In file included from /usr/include/string.h:494,
+	                 from modules/pam_issue/pam_issue.c:19:
+	In function 'strncat',
+	    inlined from 'read_issue_quoted' at modules/pam_issue/pam_issue.c:200:3:
+	/usr/include/x86_64-linux-gnu/bits/string_fortified.h:136:10: error: '__builtin___strncat_chk' offset [325, 389] from the object at 'uts' is out of the bounds of referenced subobject 'machine' with type 'char[65]' at offset 260 [-Werror=array-bounds]
+	  136 |   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
+	      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	In file included from modules/pam_issue/pam_issue.c:26:
+	modules/pam_issue/pam_issue.c: In function 'read_issue_quoted':
+	/usr/include/x86_64-linux-gnu/sys/utsname.h:62:10: note: subobject 'machine' declared here
+	   62 |     char machine[_UTSNAME_MACHINE_LENGTH];
+	      |          ^~~~~~~
+
+	* modules/pam_issue/pam_issue.c (read_issue_quoted): Rewrite to avoid
+	strncat from potentially not null-terminated string buffer fields
+	of struct utsname.
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: fix NULL dereference when at least one of motd directories is not available
+	* modules/pam_motd/pam_motd.c
+	(try_to_display_directories_with_overrides): Do not assign -1U to
+	dirscans_sizes[i] when scandir(motd_dir_path_split[i]) returns an error.
+
+	Resolves: https://bugzilla.altlinux.org/38389
+	Fixes: d57ab221 ("pam_motd: Cleanup the code and avoid unnecessary logging")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: cleanup calloc invocations.
+	Apply the following calloc invocation idiom:
+	  ptr = calloc(nmemb, sizeof(*ptr));
+
+	* modules/pam_motd/pam_motd.c (pam_split_string,
+	try_to_display_directories_with_overrides): Cleanup calloc invocations.
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: fix NULL dereference on error path.
+	* modules/pam_motd/pam_motd.c
+	(try_to_display_directories_with_overrides): Do not access
+	elements of dirscans_sizes array if dirscans_sizes == NULL
+	due to an earlier memory allocation error.
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: remove redundant return statement.
+	* modules/pam_motd/pam_motd.c
+	(try_to_display_directories_with_overrides): Remove return statement
+	at the end of the function returning void.
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: remove redundant prefix from syslog messages.
+	pam_syslog already does all the prefixing we need.
+
+	* modules/pam_motd/pam_motd.c (pam_split_string,
+	try_to_display_directories_with_overrides): Remove "pam_motd: " prefix
+	from strings passed to pam_syslog.
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: fix memory leak.
+	pam_motd used to leak memory allocated for each motd file
+	successfully opened in try_to_display_directories_with_overrides.
+
+	* modules/pam_motd/pam_motd.c
+	(try_to_display_directories_with_overrides): Free abs_path.
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: fix misleading error diagnostics.
+	Do not invoke calloc with the first argument equal to zero as the return
+	value can be NULL which is undistinguishable from memory allocation
+	error.
+
+	* modules/pam_motd/pam_motd.c
+	(try_to_display_directories_with_overrides): Skip if there are no
+	directory entries (dirscans_size_total == 0).
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_motd: do not zero the memory allocated by calloc.
+	As dirnames_all is allocated with calloc, zeroing it out is pointless.
+
+	* modules/pam_motd/pam_motd.c
+	(try_to_display_directories_with_overrides): Remove redundant zeroing
+	of dirnames_all.
+
+	Fixes: f9c9c721 ("pam_motd: Support multiple motd paths specified, with filename overrides (#69)")
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: cleanup: do not add -DWITH_SELINUX to CFLAGS.
+	As WITH_SELINUX is already AC_DEFINE'd in configure.ac,
+	there is no point in adding -DWITH_SELINUX to CFLAGS.
+
+	* libpam/Makefile.am [HAVE_LIBSELINUX] (AM_CFLAGS): Do not add
+	-DWITH_SELINUX.
+	* modules/pam_rootok/Makefile.am: Likewise.
+	* modules/pam_unix/Makefile.am: Likewise.
+
+2020-04-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: cleanup: replace "test ! -z" with "test -n"
+	* configure.ac: replace "test ! -z" with "test -n".
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_filter: fix potential off-by-one heap buffer overflow.
+	Reported by gcc-10 -Wstringop-overflow:
+
+	In file included from /usr/include/string.h:494,
+	                 from modules/pam_filter/pam_filter.c:14:
+	In function 'strcpy',
+	    inlined from 'process_args' at modules/pam_filter/pam_filter.c:137:2,
+	    inlined from 'need_a_filter.isra' at modules/pam_filter/pam_filter.c:618:12:
+	/usr/include/x86_64-linux-gnu/bits/string_fortified.h:90:10: warning: '__builtin_memcpy' writing 6 bytes into a region of size 5 [-Wstringop-overflow=]
+	   90 |   return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
+	      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	modules/pam_filter/pam_filter.c: In function 'need_a_filter.isra':
+	modules/pam_filter/pam_filter.c:128:21: note: at offset 0 to an object with size 5 allocated by 'malloc' here
+	  128 |  levp[0] = (char *) malloc(size);
+	      |                     ^~~~~~~~~~~~
+
+	* modules/pam_filter/pam_filter.c (process_args): Fix off-by-one heap
+	buffer overflow in case of a filter without arguments (argc == 0).
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_setquota: remove PAM_EXTERN and PAM_STATIC parts.
+	In other modules they were removed by commit Linux-PAM-1.3.0~14.
+
+	* modules/pam_setquota/pam_setquota.c: Remove PAM_EXTERN and PAM_STATIC
+	parts.
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_setquota: fix more harmless compilation warnings.
+	On ppc64le the compiler complains with the following diagnostics:
+
+	pam_setquota.c: In function 'debug':
+	pam_setquota.c:48:59: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+	   48 |   pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+	      |                                                        ~~~^
+	      |                                                           |
+	      |                                                           long long unsigned int
+	      |                                                        %lu
+	......
+	   51 |              p->dqb_bsoftlimit, p->dqb_bhardlimit,
+	      |              ~~~~~~~~~~~~~~~~~
+	      |               |
+	      |               __u64 {aka const long unsigned int}
+	pam_setquota.c:48:75: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 7 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+	   48 |   pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+	      |                                                                        ~~~^
+	      |                                                                           |
+	      |                                                                           long long unsigned int
+	      |                                                                        %lu
+	......
+	   51 |              p->dqb_bsoftlimit, p->dqb_bhardlimit,
+	      |                                 ~~~~~~~~~~~~~~~~~
+	      |                                  |
+	      |                                  __u64 {aka const long unsigned int}
+	pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+	   48 |   pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+	      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	......
+	   52 |              p->dqb_isoftlimit, p->dqb_ihardlimit,
+	      |              ~~~~~~~~~~~~~~~~~
+	      |               |
+	      |               __u64 {aka const long unsigned int}
+	pam_setquota.c:49:46: note: format string is defined here
+	   49 |                               "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+	      |                                           ~~~^
+	      |                                              |
+	      |                                              long long unsigned int
+	      |                                           %lu
+	pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 9 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+	   48 |   pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+	      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	......
+	   52 |              p->dqb_isoftlimit, p->dqb_ihardlimit,
+	      |                                 ~~~~~~~~~~~~~~~~~
+	      |                                  |
+	      |                                  __u64 {aka const long unsigned int}
+	pam_setquota.c:49:62: note: format string is defined here
+	   49 |                               "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+	      |                                                           ~~~^
+	      |                                                              |
+	      |                                                              long long unsigned int
+	      |                                                           %lu
+	pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 10 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+	   48 |   pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+	      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	......
+	   53 |              p->dqb_btime, p->dqb_itime);
+	      |              ~~~~~~~~~~~~
+	      |               |
+	      |               __u64 {aka const long unsigned int}
+	pam_setquota.c:49:73: note: format string is defined here
+	   49 |                               "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+	      |                                                                      ~~~^
+	      |                                                                         |
+	      |                                                                         long long unsigned int
+	      |                                                                      %lu
+	pam_setquota.c:48:31: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 11 has type '__u64' {aka 'const long unsigned int'} [-Wformat=]
+	   48 |   pam_syslog(pamh, LOG_DEBUG, "%s device=%s bsoftlimit=%llu bhardlimit=%llu "
+	      |                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	......
+	   53 |              p->dqb_btime, p->dqb_itime);
+	      |                            ~~~~~~~~~~~~
+	      |                             |
+	      |                             __u64 {aka const long unsigned int}
+	pam_setquota.c:49:84: note: format string is defined here
+	   49 |                               "isoftlimit=%llu ihardlimit=%llu btime=%llu itime=%llu",
+	      |                                                                                 ~~~^
+	      |                                                                                    |
+	      |                                                                                    long long unsigned int
+	      |                                                                                 %lu
+
+	* modules/pam_setquota/pam_setquota.c (debug): Cast fields of type __u64
+	to unsigned long long.
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_timestamp: include "config.h" in hmacsha1.c as the first header.
+	This ensures "config.h" is included before any system header
+	which fixes the following bug reported by ALT diagnostics:
+
+	verify-elf: ERROR: ./lib/security/pam_timestamp.so: uses non-LFS functions: __fxstat open
+
+	* modules/pam_timestamp/hmacsha1.c: Include "config.h".
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	libpamc.h: include "config.h" as the first header.
+	This ensures "config.h" is included before any system header included by
+	libpamc.h, which fixes the following bug reported by ALT diagnostics:
+
+	verify-elf: ERROR: ./lib/libpamc.so.0.82.1: uses non-LFS functions: __xstat readdir
+
+	* libpamc/libpamc.h: Include "config.h".
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_setquota: apply WARN_CFLAGS.
+	All other modules already build with WARN_CFLAGS.
+
+	* modules/pam_setquota/Makefile.am (AM_CFLAGS): Add $(WARN_CFLAGS).
+
+2020-04-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_setquota: fix harmless compilation warnings.
+	Fix -Wunused-variable compilation warnings:
+
+	pam_setquota.c: In function 'pam_sm_open_session':
+	pam_setquota.c:173:9: warning: unused variable 'ep' [-Wunused-variable]
+	  173 |   char *ep, *val, *mntdevice = NULL;
+	      |         ^~
+	pam_setquota.c:172:17: warning: unused variable 'ul' [-Wunused-variable]
+	  172 |   unsigned long ul;
+	      |                 ^~
+
+	Fix -Wunused-parameter compilation warnings:
+
+	pam_setquota.c: In function 'pam_sm_open_session':
+	pam_setquota.c:169:60: warning: unused parameter 'flags' [-Wunused-parameter]
+	 169 | PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+	     |                                                        ~~~~^~~~~
+	pam_setquota.c: In function 'pam_sm_close_session':
+	pam_setquota.c:382:40: warning: unused parameter 'pamh' [-Wunused-parameter]
+	 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+	     |                          ~~~~~~~~~~~~~~^~~~
+	pam_setquota.c:382:50: warning: unused parameter 'flags' [-Wunused-parameter]
+	 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+	     |                                              ~~~~^~~~~
+	pam_setquota.c:382:61: warning: unused parameter 'argc' [-Wunused-parameter]
+	 382 | int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+	     |                                                         ~~~~^~~~
+	pam_setquota.c:383:39: warning: unused parameter 'argv' [-Wunused-parameter]
+	 383 |                          const char **argv) {
+	     |                          ~~~~~~~~~~~~~^~~~
+
+	* modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Mark
+	'flags' parameter as unused.  Remove unused 'ep' and 'ul' variables.
+	(pam_sm_close_session): Mark all parameters as unused.
+
+2020-04-18  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	Translated using Weblate (Turkish)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+	Resolves: https://github.com/linux-pam/linux-pam/pull/214
+
+2020-04-17  Sven Hartge  <sven@svenhartge.de>
+
+	pam_setquota: new module to set or modify disk quotas on session start.
+	This makes disk quotas usable with central user databases, such as MySQL or
+	LDAP.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/92
+
+2020-04-15  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_access, pam_issue: do not assume that getdomainname always exists.
+	* modules/pam_access/pam_access.c (netgroup_match): Place the code
+	that calls getdomainname under HAVE_GETDOMAINNAME guard.
+	* modules/pam_issue/pam_issue.c (read_issue_quoted): Likewise.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/43
+
+2020-04-13  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	Translated using Weblate (Turkish)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-04-13  Ankit Behera  <proneon267@gmail.com>
+
+	Translated using Weblate (Odia)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/or/
+
+2020-04-12  Topi Miettinen  <toiwoton@gmail.com>
+
+	pam_unix: modernize example in manual page.
+	According to crypt(5), md5 should not be used for new hashes. Let's
+	give a modern example with yescrypt.
+
+2020-04-10  Robert Antoni Buj Gelonch  <robert.buj@gmail.com>
+
+	Translated using Weblate (Catalan)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ca/
+	Resolves: https://github.com/linux-pam/linux-pam/pull/207
+
+2020-04-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	travis: remove faulty jobs.
+	* .travis.yml: Remove faulty gcc-9 jobs on aarch64 and s390x,
+	gcc-9 became uninstallable on these platforms several days ago
+	and hasn't been fixed yet.
+
+2020-04-07  Lucas Ramage  <oxr463@gmx.us>
+
+	pam_access: add an example of using groups in access.conf to permit access
+	Resolves: https://github.com/linux-pam/linux-pam/issues/65
+	Resolves: https://github.com/linux-pam/linux-pam/pull/199
+
+2020-04-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	github: add CI action.
+	Somewhat similar to Travis CI, this runs "make distcheck" on Ubuntu
+	18.04 using gcc-9, gcc-8, gcc, clang-9, clang-8, and clang on x86_64,
+	x86, and x32 architectures.
+
+	Compared with Travis CI, GitHub Actions service currently provides
+	a significantly better parallelism as well as (unsurprisingly)
+	better integration with github.
+
+	However, GitHub Actions cannot replace Travis CI completely yet as
+	the latter can build on aarch64, s390x, and ppc64le architectures.
+
+	* .github/workflows/whitespace-errors-check.yml: Remove
+	* .github/workflows/ci.yml: New file.
+
+2020-04-07  scootergrisen  <scootergrisen@gmail.com>
+
+	Translated using Weblate (Danish)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-04-07  scootergrisen  <scootergrisen@gmail.com>
+
+	Translated using Weblate (Danish)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/da/
+
+2020-03-31  Petr Lautrbach  <plautrba@redhat.com>
+
+	pam_timestamp: Fix // in TIMESTAMPDIR.
+	_PATH_VARRUN already provides trailing slash for building paths
+
+	Fixes:
+	    $ strings /usr/lib64/security/pam_timestamp.so | grep /run/
+	    /var/run//pam_timestamp
+	    /var/run//pam_timestamp/_pam_timestamp_key
+
+2020-03-30  James Ralston  <ralston@pobox.com>
+
+	pam_unix: Return PAM_AUTHINFO_UNAVAIL when appropriate.
+	The pam_unix.so will never return PAM_AUTHINFO_UNAVAIL on systems
+	that use the unix_chkpwd helper.
+
+	The reason is that in unix_chkpwd.c, towards the end of main(), if
+	helper_verify_password() does not return PAM_SUCCESS, main() ignores
+	the actual error that helper_verify_password() returned and instead
+	returns PAM_AUTH_ERR.
+
+	This commit corrects this behavior.  Specifically, if
+	helper_verify_password() returns PAM_USER_UNKNOWN, which it does
+	when /etc/passwd entry indicates that shadow information is present
+	but the /etc/shadow entry is missing, the unix_chkpwd now exits
+	with PAM_AUTHINFO_UNAVAIL. For any other error from
+	helper_verify_password(), unix_chkpwd continues to exit with
+	PAM_AUTH_ERR.
+
+	* modules/pam_unix/unix_chkpwd.c (main): Return PAM_AUTHINFO_UNAVAIL
+	when helper_verify_password() returns PAM_USER_UNKNOWN.
+
+2020-03-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix various typos found using codespell tool.
+
+	po: semi-automatically fix translations of pam_get_authtok default prompts
+	Complements: 4daceedd ("pam_get_authtok: fix i18n of default prompts")
+
+2020-03-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	_pam_load_module: reduce redundancy.
+	* libpam/pam_handlers.c (_pam_load_module): Reorganize $ISA handling
+	to reduce redundancy.
+
+	Resolves: https://github.com/linux-pam/linux-pam/pull/198
+
+2020-03-24  blueskycs2c  <lili.ding@cs2c.com>
+
+	pam_time: add conffile option to specify an alternative configuration file
+	Resolves: https://github.com/linux-pam/linux-pam/pull/163
+	Resolves: https://github.com/linux-pam/linux-pam/pull/191
+
+2020-03-23  Alexander Zubkov  <green@qrator.net>
+
+	pam_exec: require user name to be ready for the command.
+	pam_exec module can be called when a user name has not been prompted
+	yet. And thus the command is called without a user name available.
+	This fix asks PAM for the user name to ensure it is ready or to force
+	the prompt.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/131
+	Resolves: https://github.com/linux-pam/linux-pam/pull/195
+
+2020-03-23  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_selinux: fall back to log to syslog if audit logging fails.
+	Resolves: https://github.com/linux-pam/linux-pam/pull/194
+
+	pam_selinux: sanitize asprintf argument on failure.
+
+	pam_selinux: print additional information on failures.
+
+	pam_selinux: convert send_audit_message to void function.
+	The result is nowhere checked and other logging functions like
+	pam_syslog are also not checked.
+
+	pam_selinux: fix indentation.
+
+2020-03-23  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_selinux: substitute legacy security_context_t type.
+	`security_context_t` is a legacy typedef to `char *`, substitute all usage.
+
+	See
+	  https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
+	  https://github.com/SELinuxProject/selinux/blob/f8c110c8a615eb640510eab39640a0957a6ba19c/libselinux/include/selinux/selinux.h#L16
+
+2020-03-20  Jiri Grönroos  <jiri.gronroos@iki.fi>
+
+	Translated using Weblate (Finnish)
+	Currently translated at 90.8% (109 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fi/
+
+2020-03-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Translated using Weblate (Slovak)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+	Translated using Weblate (Czech)
+
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
+
+	Translated using Weblate (French)
+
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-20  Yuri Chornoivan  <yurchor@ukr.net>
+
+	Translated using Weblate (Ukrainian)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-03-20  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	Translated using Weblate (Turkish)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-20  Geert Warrink  <geert.warrink@onsnet.nu>
+
+	Translated using Weblate (Dutch)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2020-03-20  Julien Humbert  <julroy67@gmail.com>
+
+	Translated using Weblate (French)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Translated using Weblate (Russian)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+	Translated using Weblate (Portuguese (Brazil))
+
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+	Translated using Weblate (Portuguese)
+
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+	Translated using Weblate (German)
+
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-20  Piotr Drąg  <piotrdrag@gmail.com>
+
+	Translated using Weblate (Polish)
+	Currently translated at 100.0% (120 of 120 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_userdb: use pam_str_skip_icase_prefix.
+	* modules/pam_userdb/pam_userdb.c: Include "pam_inline.h".
+	(_pam_parse, user_lookup): Use pam_str_skip_icase_prefix
+	instead of ugly strncasecmp invocations.
+
+	modules/pam_umask: use pam_str_skip_icase_prefix.
+	* modules/pam_umask/pam_umask.c: Include "pam_inline.h".
+	(parse_option, setup_limits_from_gecos): Use pam_str_skip_icase_prefix
+	instead of ugly strncasecmp invocations.
+
+	modules/pam_pwhistory: use pam_str_skip_icase_prefix.
+	* modules/pam_pwhistory/pam_pwhistory.c: Include "pam_inline.h".
+	(parse_option): Use pam_str_skip_icase_prefix instead of ugly
+	strncasecmp invocations.
+
+	modules/pam_exec: use pam_str_skip_icase_prefix.
+	* modules/pam_exec/pam_exec.c (call_exec): Use pam_str_skip_icase_prefix
+	instead of ugly strncasecmp invocations.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Introduce pam_str_skip_icase_prefix_len and pam_str_skip_icase_prefix.
+	Every time I see a code like
+	  if (strncasecmp(argv, "remember=", 9) == 0)
+	      options->remember = strtol(&argv[9], NULL, 10);
+	my eyes are bleeding.
+
+	Similar to pam_str_skip_prefix_len() and pam_str_skip_prefix(),
+	introduce a new helper inline function pam_str_skip_icase_prefix_len()
+	and a new macro pam_str_skip_icase_prefix() on top of it, to be used
+	in subsequent commits to cleanup the ugliness.
+
+	* libpam/include/pam_inline.h (pam_str_skip_icase_prefix_len): New
+	function.
+	(pam_str_skip_icase_prefix): New macro.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_xauth: use pam_str_skip_prefix.
+	* modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
+	(pam_sm_open_session, pam_sm_close_session): Use pam_str_skip_prefix
+	instead of ugly strncmp invocations.
+
+	modules/pam_wheel: use pam_str_skip_prefix.
+	* modules/pam_wheel/pam_wheel.c: Include "pam_inline.h".
+	(_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len.
+	* modules/pam_unix/passverify.c: Include "pam_inline.h".
+	(verify_pwd_hash): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+	* modules/pam_unix/support.c: Include "pam_inline.h".
+	(_set_ctrl): Use pam_str_skip_prefix_len instead of hardcoding string
+	lengths.
+	* modules/pam_unix/md5_crypt.c: Include "pam_inline.h".
+	(crypt_md5): Use pam_str_skip_prefix_len.
+
+	squash! modules/pam_unix: use pam_str_skip_prefix and pam_str_skip_prefix_len
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_tty_audit: use pam_str_skip_prefix.
+	* modules/pam_tty_audit/pam_tty_audit.c: Include "pam_inline.h".
+	(pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_timestamp: use pam_str_skip_prefix.
+	* modules/pam_timestamp/pam_timestamp.c: Include "pam_inline.h".
+	(check_tty, get_timestamp_name, pam_sm_authenticate): Use
+	pam_str_skip_prefix instead of ugly strncmp invocations.
+
+	modules/pam_tally: use pam_str_skip_prefix.
+	* modules/pam_tally/pam_tally.c: Include "pam_inline.h".
+	(tally_parse_args, getopts): Use pam_str_skip_prefix instead of ugly
+	strncmp invocations.
+
+	modules/pam_tally2: use pam_str_skip_prefix.
+	* modules/pam_tally2/pam_tally2.c: Include "pam_inline.h".
+	(tally_parse_args, getopts): Use pam_str_skip_prefix instead of ugly
+	strncmp invocations.
+
+	modules/pam_selinux: use pam_str_skip_prefix.
+	* modules/pam_selinux/pam_selinux.c: Include "pam_inline.h".
+	(compute_exec_context, compute_tty_context): Use pam_str_skip_prefix
+	instead of ugly strncmp invocations.
+
+	modules/pam_securetty: use pam_str_skip_prefix and pam_str_skip_prefix_len
+	* modules/pam_securetty/pam_securetty.c: Include "pam_inline.h".
+	(securetty_perform_check): Use pam_str_skip_prefix and
+	pam_str_skip_prefix_len instead of ugly strncmp invocations.
+
+	modules/pam_rhosts: use pam_str_skip_prefix.
+	* modules/pam_rhosts/pam_rhosts.c: Include "pam_inline.h".
+	(pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_nologin: use pam_str_skip_prefix.
+	* modules/pam_nologin/pam_nologin.c: Include "pam_inline.h".
+	(parse_args): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_namespace: use pam_str_skip_prefix.
+	* modules/pam_namespace/pam_namespace.c (root_shared): Use
+	pam_str_skip_prefix instead of ugly strncmp invocations.
+
+	modules/pam_motd: use pam_str_skip_prefix.
+	* modules/pam_motd/pam_motd.c: Include "pam_inline.h".
+	(pam_sm_open_session): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_mkhomedir: use pam_str_skip_prefix.
+	* modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_inline.h".
+	(_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_mail: use pam_str_skip_prefix.
+	* modules/pam_mail/pam_mail.c: Include "pam_inline.h".
+	(_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_localuser: use pam_str_skip_prefix.
+	* modules/pam_localuser/pam_localuser.c: Include "pam_inline.h".
+	(pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_listfile: use pam_str_skip_prefix.
+	* modules/pam_listfile/pam_listfile.c: Include "pam_inline.h".
+	(pam_sm_authenticate): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_limits: use pam_str_skip_prefix.
+	* modules/pam_limits/pam_limits.c: Include "pam_inline.h".
+	(_pam_parse, parse_kernel_limits): Use pam_str_skip_prefix instead of
+	ugly strncmp invocations.
+
+	modules/pam_lastlog: use pam_str_skip_prefix.
+	* modules/pam_lastlog/pam_lastlog.c: Include "pam_inline.h".
+	(_pam_auth_parse, get_tty): Use pam_str_skip_prefix instead of ugly
+	strncmp invocations.
+
+	modules/pam_issue: use pam_str_skip_prefix.
+	* modules/pam_issue/pam_issue.c: Include "pam_inline.h".
+	(pam_sm_authenticate, read_issue_quoted): Use pam_str_skip_prefix
+	instead of ugly strncmp invocations.
+
+	modules/pam_ftp: use pam_str_skip_prefix.
+	* modules/pam_ftp/pam_ftp.c: Include "pam_inline.h".
+	(_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+	modules/pam_env: use pam_str_skip_prefix.
+	* modules/pam_env/pam_env.c: Include "pam_inline.h".
+	(_pam_parse, _parse_line): Use pam_str_skip_prefix instead of ugly
+	strncmp invocations.
+
+	modules/pam_echo: use pam_str_skip_prefix.
+	* modules/pam_echo/pam_echo.c: Include "pam_inline.h".
+	(pam_echo): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+	modules/pam_cracklib: use pam_str_skip_prefix.
+	* modules/pam_cracklib/pam_cracklib.c: Include "pam_inline.h".
+	(_pam_parse): Use pam_str_skip_prefix instead of ugly strncmp
+	invocations.
+
+	modules/pam_access: use pam_str_skip_prefix.
+	* modules/pam_access/pam_access.c: Include "pam_inline.h".
+	(parse_args): Use pam_str_skip_prefix instead of ugly strncmp invocations.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Introduce pam_str_skip_prefix_len and pam_str_skip_prefix.
+	Every time I see a code like
+	  if (!strncmp(*argv,"user_readenv=",13))
+	    *user_readenv = atoi(13+*argv);
+	my eyes are bleeding.
+
+	Introduce a new helper inline function pam_str_skip_prefix_len() and
+	a new macro pam_str_skip_prefix() on top of it, to be used in subsequent
+	commits to cleanup the ugliness.
+
+	* libpam/include/pam_inline.h: Include <string.h>.
+	(pam_str_skip_prefix_len): New function.
+	(pam_str_skip_prefix): New macro.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Use PAM_ARRAY_SIZE.
+	Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x)
+	which is less error-prone and implements an additional type check.
+
+	* libpam/pam_handlers.c: Include "pam_inline.h".
+	(_pam_open_config_file): Use PAM_ARRAY_SIZE.
+	* modules/pam_exec/pam_exec.c: Include "pam_inline.h".
+	(call_exec): Use PAM_ARRAY_SIZE.
+	* modules/pam_namespace/pam_namespace.c: Include "pam_inline.h".
+	(filter_mntopts): Use PAM_ARRAY_SIZE.
+	* modules/pam_timestamp/hmacfile.c: Include "pam_inline.h".
+	(testvectors): Use PAM_ARRAY_SIZE.
+	* modules/pam_xauth/pam_xauth.c: Include "pam_inline.h".
+	(run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE.
+	* tests/tst-pam_get_item.c: Include "pam_inline.h".
+	(main): Use PAM_ARRAY_SIZE.
+	* tests/tst-pam_set_item.c: Likewise.
+	* xtests/tst-pam_pwhistory1.c: Likewise.
+	* xtests/tst-pam_time1.c: Likewise.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Introduce pam_inline.h.
+	Introduce a new internal header file for definitions of handly inline
+	functions and macros providing some convenient functionality to libpam
+	and its modules.
+
+	* libpam/include/pam_cc_compat.h (PAM_SAME_TYPE): New macro.
+	* libpam/include/pam_inline.h: New file.
+	* libpam/Makefile.am (noinst_HEADERS): Add include/pam_inline.h.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_cracklib: fix parsing of options without arguments.
+	Prefix match for options without arguments such as use_first_pass
+	is not correct, there has to be an exact match for these options.
+
+	* modules/pam_cracklib/pam_cracklib.c (_pam_parse): Fix parsing
+	of reject_username, gecoscheck, enforce_for_root, use_authtok,
+	use_first_pass, and try_first_pass options.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	ci: enable -Werror for all builds.
+	The main purpose of fixing all compilation warnings in the current code
+	base was to enable -Werror in CI builds so that no new warnings would
+	creep in.
+
+	* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Add --enable-Werror.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	configure: implement --enable-Werror option.
+	When configure is invoked with --enable-Werror option,
+	-Werror compiler option is added to WARN_CFLAGS.
+
+	This new configure option is intended primarily for CI purposes.
+
+	* configure.ac (AC_ARG_ENABLE): Add Werror.  Forward -Werror
+	to JAPHAR_GREP_CFLAGS.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix remaining clang -Wcast-align compilation warnings.
+	Introduce DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN
+	macros, use them to silence remaining clang -Wcast-align compilation
+	warnings.
+
+	* libpam/include/pam_cc_compat.h (DIAG_PUSH_IGNORE_CAST_ALIGN,
+	DIAG_POP_IGNORE_CAST_ALIGN): New macros.
+	* modules/pam_access/pam_access.c: Include "pam_cc_compat.h".
+	(from_match, network_netmask_match): Wrap inet_ntop invocations
+	in DIAG_PUSH_IGNORE_CAST_ALIGN and DIAG_POP_IGNORE_CAST_ALIGN.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix most of clang -Wcast-align compilation warnings.
+	Unlike gcc, clang is not smart enough to infer the alignment
+	of structure fields, so add some alignment hints to the code.
+
+	* libpam/include/pam_cc_compat.h (PAM_ATTRIBUTE_ALIGNED): New macro.
+	* modules/pam_namespace/md5.h: Include "pam_cc_compat.h".
+	(struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
+	* modules/pam_namespace/md5.c [!(__i386__ || __x86_64__)]
+	(uint8_aligned): New type.
+	[!(__i386__ || __x86_64__)] (byteReverse): Use it instead of
+	unsigned char.
+	* modules/pam_timestamp/sha1.h: Include "pam_cc_compat.h".
+	(struct sha1_context): Add PAM_ATTRIBUTE_ALIGNED to pending field.
+	* modules/pam_unix/md5.h: Include "pam_cc_compat.h".
+	(struct MD5Context): Add PAM_ATTRIBUTE_ALIGNED to "in" field.
+	* modules/pam_unix/md5.c [!HIGHFIRST] (uint8_aligned): New type.
+	[!HIGHFIRST] (byteReverse): Use it instead of unsigned char.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_tally, modules/pam_tally2: fix compilation warnings.
+	Fix the following compilation warnings reported by gcc
+	when sizeof(time_t) > sizeof(long), e.g. on x32:
+
+	  modules/pam_tally/pam_tally.c:541:7: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+	    541 |     _("The account is temporarily locked (%ld seconds left)."),
+	        |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	  modules/pam_tally/pam_tally.c:546:40: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+	    546 |       "user %s (%lu) has time limit [%lds left]"
+	        |                                      ~~^
+	        |                                        |
+	        |                                        long int
+	        |                                      %lld
+	  ......
+	    549 |       oldtime+lock_time-time(NULL));
+	        |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	        |                        |
+	        |                        time_t {aka long long int}
+
+	  modules/pam_tally2/pam_tally2.c:592:27: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 5 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+	    592 |          pam_info(pamh, _("The account is temporarily locked (%ld seconds left)."),
+	        |                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	  modules/pam_tally2/pam_tally2.c:597:50: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Wformat=]
+	    597 |                 "user %s (%lu) has time limit [%lds left]"
+	        |                                                ~~^
+	        |                                                  |
+	        |                                                  long int
+	        |                                                %lld
+	  ......
+	    600 |                 oldtime+opts->lock_time-time(NULL));
+	        |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	        |                                        |
+	        |                                        time_t {aka long long int}
+
+	This change doesn't attempt to fix handling of 64-bit time_t on 32-bit
+	systems in these modules.
+
+	* modules/pam_tally/pam_tally.c (tally_check): Cast time_t expressions
+	to long int before passing them to pam_info and pam_syslog.
+	* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_timestamp: fix compilation warnings.
+	Fix the following compilation warnings reported by gcc on ilp32 platforms:
+
+	  modules/pam_timestamp/hmacfile.c: In function ‘testvectors’:
+	  modules/pam_timestamp/hmacfile.c:121:44: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
+	    121 |      printf("Incorrect result for vector %lu\n", i + 1);
+	        |                                          ~~^     ~~~~~
+	        |                                            |       |
+	        |                                            |       size_t {aka unsigned int}
+	        |                                            long unsigned int
+	        |                                          %u
+	  modules/pam_timestamp/hmacfile.c:128:30: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
+	    128 |    printf("Error in vector %lu.\n", i + 1);
+	        |                            ~~^      ~~~~~
+	        |                              |        |
+	        |                              |        size_t {aka unsigned int}
+	        |                              long unsigned int
+	        |                            %u
+	  In function ‘strncpy’,
+	    inlined from ‘pam_sm_open_session’ at modules/pam_timestamp/pam_timestamp.c:584:4:
+	  /usr/include/bits/string_fortified.h:106:10: warning: ‘__builtin___strncpy_chk’ output may be truncated copying between 1 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
+
+	* modules/pam_timestamp/hmacfile.c (testvectors): Cast the argument
+	of type size_t to unsigned long before passing it to printf.
+	* modules/pam_timestamp/pam_timestamp.c (pam_sm_open_session): Use
+	memcpy instead of strncpy as the source is not NUL-terminated, add an
+	extra check to ensure that iterator stays inside bounds.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_unix: fix gcc compilation warnings.
+	When setreuid() fails, there is no way to proceed any further: either
+	the process credentials are unchanged but inappropriate, or they are
+	in an inconsistent state and nothing good could be made out of it.
+	This fixes the following compilation warnings:
+
+	  modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:209:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:211:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:213:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:214:6: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:222:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:224:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:225:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+	  modules/pam_unix/passverify.c:226:5: warning: ignoring return value of 'setreuid', declared with attribute warn_unused_result [-Wunused-result]
+
+	* modules/pam_unix/passverify.c (get_account_info) [HELPER_COMPILE]:
+	Always check setreuid return code and return PAM_CRED_INSUFFICIENT
+	if setreuid failed.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_access: fix compilation warning.
+	Fix the following compilation warning reported by gcc
+	when HAVE_LIBAUDIT is not set:
+
+	  modules/pam_access/pam_access.c: In function ‘login_access’:
+	  modules/pam_access/pam_access.c:338:13: warning: variable ‘nonall_match’ set but not used [-Wunused-but-set-variable]
+	    338 |     int     nonall_match = NO;
+	        |             ^~~~~~~~~~~~
+
+	* modules/pam_access/pam_access.c (login_access): Enclose nonall_match
+	variable with HAVE_LIBAUDIT #ifdef's.
+
+2020-03-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	conf/pam_conv1: fix clang compilation warnings.
+	Fix the following compilation warnings reported by clang:
+
+	  pam_conv_y.y:12:23: warning: unused variable 'bisonid' [-Wunused-const-variable]
+	      static const char bisonid[]=
+	                        ^
+	  pam_conv_l.l:12:23: warning: unused variable 'lexid' [-Wunused-const-variable]
+	      static const char lexid[]=
+	                        ^
+
+	These static variables lost their meaning after repository conversion
+	from cvs to git and can be safely removed.
+
+	* conf/pam_conv1/pam_conv_l.l (lexid): Remove.
+	* conf/pam_conv1/pam_conv_y.y (bisonid): Remove.
+
+2020-03-18  Dmitry V. Levin  <ldv@altlinux.org>
+
+	modules/pam_timestamp: fix clang compilation warning.
+	modules/pam_timestamp/pam_timestamp.c:807:17: warning: logical not
+	      is only applied to the left hand side of this comparison
+	      [-Wlogical-not-parentheses]
+	                                        } else if (!timestamp_good(st.st...
+	                                                   ^
+
+	* modules/pam_timestamp/pam_timestamp.c (main): Change timestamp_good
+	return code check to a more traditional form.
+
+2020-03-18  Dmitry V. Levin  <ldv@altlinux.org>
+
+	github: check for whitespace errors on push and pull requests.
+	* .github/workflows/whitespace-errors-check.yml: New file.
+
+	modules/pam_timestamp: fix EXTRA_DIST.
+	* modules/pam_timestamp/Makefile.am (EXTRA_DIST): Replace "$(man_MANS)"
+	with "$(MANS)" as the former is conditional on HAVE_DOC.
+
+	modules/pam_namespace: fix EXTRA_DIST.
+	* modules/pam_namespace/Makefile.am (EXTRA_DIST): Replace
+	"$(MAN5) $(MAN8)" with "$(MANS)" as the former is conditional
+	on HAVE_DOC.
+
+2020-03-17  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_usertype: exclude man-page generation when configured with --disable-doc
+	* modules/pam_usertype/Makefile.am (man_MANS): Make conditional
+	on HAVE_DOC.
+
+	Resolves: https://github.com/linux-pam/linux-pam/pull/193
+
+2020-03-17  Christian Göttsche  <cgzones@googlemail.com>
+
+	pam_namespace: ignore pam_namespace_helper in git.
+	* modules/pam_namespace/.gitignore: New file.
+
+	Resolves: https://github.com/linux-pam/linux-pam/pull/192
+
+2020-03-13  Weblate  <noreply@weblate.org>
+
+	Update translation files.
+	Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-03-13  Ondrej Sulek  <feonsu@gmail.com>
+
+	Translated using Weblate (Slovak)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/sk/
+
+2020-03-13  Yuri Chornoivan  <yurchor@ukr.net>
+
+	Translated using Weblate (Ukrainian)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/uk/
+
+2020-03-13  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Translated using Weblate (Portuguese (Brazil))
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+	Translated using Weblate (Portuguese)
+
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt/
+
+	Translated using Weblate (German)
+
+	Currently translated at 91.4% (107 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-13  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Adjust README with instructions for package prerequsities.
+	Also remove obsolete static modules instructions
+
+2020-03-11  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_get_authtok: fix i18n of default prompts.
+	Change formatting of default prompts, making them translatable
+	to those languages that use a different word order.
+	From non-i18n perspective this change is essentially a no-op.
+
+	* libpam/pam_get_authtok.c (PROMPTCURRENT): Replace with
+	PROMPT_CURRENT_ARG and PROMPT_CURRENT_NOARG.
+	(PROMPT1): Replace with PROMPT_NEW_ARG and PROMPT_NEW_NOARG.
+	(PROMPT2): Replace with PROMPT_RETYPE_ARG and PROMPT_RETYPE_NOARG.
+	(pam_get_authtok_internal, pam_get_authtok_verify): Use new macros.
+	* po/Linux-PAM.pot: Regenerated.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/29
+
+2020-03-11  ikerexxe  <ipedrosa@redhat.com>
+
+	pam_selinux: check unknown object classes or permissions in current policy
+	Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
+
+2020-03-06  Weblate  <noreply@weblate.org>
+
+	Update translation files.
+	Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-03-06  Milo Casagrande  <milo@milo.name>
+
+	Translated using Weblate (Italian)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/it/
+
+2020-03-06  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Translated using Weblate (Zulu)
+	Currently translated at 63.2% (74 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zu/
+
+	Translated using Weblate (Chinese (Traditional))
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_TW/
+
+	Translated using Weblate (Chinese (Simplified))
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/zh_CN/
+
+	Translated using Weblate (Tamil)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ta/
+
+	Translated using Weblate (Sinhala)
+
+	Currently translated at 65.8% (77 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/si/
+
+	Translated using Weblate (Russian)
+
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ru/
+
+	Translated using Weblate (Portuguese (Brazil))
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pt_BR/
+
+	Translated using Weblate (Kazakh)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/kk/
+
+	Translated using Weblate (Japanese)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/ja/
+
+	Translated using Weblate (Hungarian)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hu/
+
+	Translated using Weblate (Hindi)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/hi/
+
+	Translated using Weblate (Spanish)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/es/
+
+	Translated using Weblate (German)
+
+	Currently translated at 81.1% (95 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/de/
+
+2020-03-06  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	Translated using Weblate (Turkish)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-06  Geert Warrink  <geert.warrink@onsnet.nu>
+
+	Translated using Weblate (Dutch)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/nl/
+
+2020-03-06  Julien Humbert  <julroy67@gmail.com>
+
+	Translated using Weblate (French)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-06  Piotr Drąg  <piotrdrag@gmail.com>
+
+	Translated using Weblate (Polish)
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+	Translated using Weblate (Polish)
+
+	Currently translated at 100.0% (117 of 117 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-06  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add missing file to EXTRA_DIST.
+	* tests/Makefile.am: Add confdir to EXTRA_DIST.
+
+	New API call pam_start_confdir()
+	To load PAM stack configurations from specified directory
+
+2020-03-05  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix remaining references to sourceforge.net.
+	Linux-PAM moved to github long time ago, update the remaining
+	bug tracking references to point to github issues tracker.
+
+	* README: Refer to https://github.com/linux-pam/linux-pam/issues
+	instead of sourceforge.net.
+	* po/Makevars: Refer to https://github.com/linux-pam/linux-pam/issues
+	instead of http://sourceforge.net/projects/pam .
+	* po/Linux-PAM.pot: Regenerated.
+
+2020-03-05  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: fix --disable-nis compilation warnings.
+	When the build is configured using --disable-nis option, gcc complains:
+
+	pam_unix_passwd.c: In function '_do_setpass':
+	pam_unix_passwd.c:398:8: warning: unused variable 'master' [-Wunused-variable]
+
+	support.c: In function '_unix_getpwnam':
+	support.c:305:21: warning: parameter 'nis' set but not used [-Wunused-but-set-parameter]
+
+	* modules/pam_unix/pam_unix_passwd.c (_do_setpass): Move the definition
+	of "master" variable to [HAVE_NIS].
+	* modules/pam_unix/support.c (_unix_getpwnam) [!(HAVE_YP_GET_DEFAULT_DOMAIN
+	&& HAVE_YP_BIND && HAVE_YP_MATCH && HAVE_YP_UNBIND)]: Do not assign
+	the unused parameter but mark it as used.
+
+2020-03-05  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Sort NEWS entries.
+	* NEWS (1.4.0): Sort module-related news entries.
+
+2020-03-05  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix whitespace issues.
+	Remove trailing whitespace introduced by commit
+	f9c9c72121eada731e010ab3620762bcf63db08f.
+	Remove blank lines at EOF introduced by commit
+	65d6735c5949ec233df9813f734e918a93fa36cf.
+
+	This makes the project free of warnings reported by
+	git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+	* doc/custom-html.xsl: Remove blank line at EOF.
+	* doc/custom-man.xsl: Likewise.
+	* modules/pam_motd/pam_motd.c: Remove trailing whitespace.
+
+2020-03-04  ed@s5h.net  <ed@s5h.net>
+
+	Adding package dependency hints to README.
+
+2020-03-04  Mark Wutzke  <mark.wutzke@alliedtelesis.co.nz>
+
+	Use cached 'crypt' library result correctly.
+	Configure script incorrectly used a non-cached variable (ac_lib) in the
+	cached code path. This results in no -lcrypt being defined resulting in
+	link errors on a re-build.
+
+	Update configure.ac to use ac_cv_search_crypt (via ac_res) to setup the
+	correct library arguments.
+
+2020-03-03  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Prepare for the 1.4.0 release.
+
+	Updated LINGUAS to remove completely untranslated languages.
+	Updated pot and po files
+
+2020-03-03  Tomáš Mráz  <tmraz@redhat.com>
+
+	Translated using Weblate (Czech)
+	Currently translated at 100.0% (116 of 116 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/cs/
+
+2020-03-03  Oğuz Ersen  <oguzersen@protonmail.com>
+
+	Translated using Weblate (Turkish)
+	Currently translated at 100.0% (121 of 121 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/tr/
+
+2020-03-03  Julien Humbert  <julroy67@gmail.com>
+
+	Translated using Weblate (French)
+	Currently translated at 100.0% (121 of 121 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/fr/
+
+2020-03-03  Piotr Drąg  <piotrdrag@gmail.com>
+
+	Translated using Weblate (Polish)
+	Currently translated at 100.0% (121 of 121 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+	Translated using Weblate (Polish)
+
+	Currently translated at 100.0% (121 of 121 strings)
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/pl/
+
+2020-03-03  Jean-Baptiste Holcroft  <jean-baptiste@holcroft.fr>
+
+	Deleted translation using Weblate (Cornish)
+	Deleted translation using Weblate (German (Low))
+
+	Deleted translation using Weblate (Angika)
+
+	Deleted translation using Weblate (English (United Kingdom))
+
+	Deleted translation using Weblate (Asturian)
+
+	Deleted translation using Weblate (bal (generated))
+
+	Deleted translation using Weblate (Bodo)
+
+	Deleted translation using Weblate (Breton)
+
+	Deleted translation using Weblate (Cornish)
+
+	Deleted translation using Weblate (Cornish)
+
+	Deleted translation using Weblate (ilo (generated))
+
+	Deleted translation using Weblate (Maithili)
+
+	Deleted translation using Weblate (Pedi)
+
+	Deleted translation using Weblate (Tibetan)
+
+	Deleted translation using Weblate (Twi)
+
+	Deleted translation using Weblate (wba (generated))
+
+2020-03-03  Weblate  <noreply@weblate.org>
+
+	Update translation files.
+	Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
+
+	Translation: linux-pam/master
+	Translate-URL: https://translate.fedoraproject.org/projects/linux-pam/master/
+
+2020-02-27  Iker Pedrosa  <ikerpedrosam@gmail.com>
+
+	pam_tty_audit: if kernel audit is disabled return PAM_IGNORE.
+	If kernel audit is disabled the socket open will return

+	EPROTONOSUPPORT.

+	Return PAM_IGNORE from pam_tty_audit and log a warning

+	in this situation so login is not blocked by the module.
+
+2020-02-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD
+	When pam_modutil_sanitize_helper_fds() is invoked with
+	PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
+	or stderr, it closes the read end of the newly created dummy pipe.
+	The negative side effect of this approach is that any write to such
+	descriptor triggers a SIGPIPE.  Avoid this by closing the write end of
+	the dummy pipe and using its read end as a dummy pipe descriptor for
+	output.  Any read from such descriptor returns 0, and any write just
+	fails with EBADF, which should work better with unprepared writers.
+
+	* libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
+	(redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
+
+	Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
+
+2020-02-26  TBK  <tbk@jjtc.eu>
+
+	libpamc: Use ISO C99 uintX_t types instead of u_intX_t.
+	u_intX_t is a glibcism this fixes the issue of compiling against musl libc.
+
+2020-02-25  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_group, pam_time: Fix regression in documentation from last change.
+	* modules/pam_group/group.conf.5.xml: Replace bare & with &amp;.
+	* modules/pam_time/time.conf.5.xml: Likewise.
+
+2020-02-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_limits: Document the unwanted effect of set_all with systemd.
+
+	misc_conv: Use PAM_MAX_RESP_SIZE to limit the length of the input.
+
+	pam_group, pam_time: Fix logical error with multiple ! operators.
+	* modules/pam_group/group.conf.5.xml: Document what logic list means.
+	* modules/pam_time/time.conf.5.xml: Likewise.
+	* modules/pam_group/pam_group.c (logic_field): Clear the not operator for the
+	  further operations.
+	* modules/pam_time/pam_time.c (logic_field): Likewise.
+
+2020-02-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_shells: Recognize /bin/sh as the default shell.
+	If the shell is empty in /etc/passwd entry it means /bin/sh.
+
+	* modules/pam_shells/pam_shells.c (perform_check): Use /bin/sh as default shell.
+
+2020-02-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_env: Change the default to not read the user .pam_environment file.
+	* modules/pam_env/pam_env.8.xml: Document the change.
+	* modules/pam_env/pam_env.c: Set DEFAULT_USER_READ_ENVFILE to 0.
+
+2020-02-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_env: code cleanups.
+	Raise BUF_SIZE to 8192 bytes.
+
+	* modules/pam_env/pam_env.c (_parse_env_file): Ignore lines starting with '='.
+	  (_assemble_line): Detect long lines and binary files.
+	  (_check_var): Avoid overwriting global variable.
+	  (_expand_arg): Avoid repeated strlen calls.
+
+2020-02-18  Topi Miettinen  <toiwoton@gmail.com>
+
+	pam_namespace: secure tmp-inst directories.
+	When using polyinstantiation for /tmp and/or /var/tmp, pam_namespace
+	creates subdirectories with fixed name tmp-inst. These paths should be
+	secured as early as possible to avoid that somehow these directories
+	could created and controlled by for example a malicious user or
+	service.
+
+	Ship a systemd service, which creates the directories early in
+	boot sequence with correct permissions and ownership.
+
+	Closes #111.
+
+2020-02-18  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix warnings from the recent PR merges.
+	* modules/pam_succeed_if/pam_succeed_if.c: Fix const issues.
+	* modules/pam_usertype/pam_usertype.c: Avoid maybe used uninitialized warning.
+
+2020-02-18  Pavel Březina  <pbrezina@redhat.com>
+
+	pam_unix: add nullresetok option to allow reset blank passwords.
+	Adding nullresetok to auth phase of pam_unix module will allow users
+	with blank password to authenticate in order to immediatelly change
+	their password even if nullok is not set.
+
+	This allows to have blank password authentication disabled but still
+	allows administrator to create new user accounts with expired blank
+	password that must be change on the first login.
+
+2020-02-18  Serghei Anicheev  <serghei.anicheev@gmail.com>
+
+	pam_succeed_if: Add list support for group membership checks.
+	Examples:

+		account    requisite    pam_succeed_if.so user ingroup group1:group2

+		OR

+		account    requisite    pam_succeed_if.so user notingroup group1:group2

+		OR

+		account    requisite    pam_succeed_if.so user ingroup wheel

+		OR

+		account    requisite    pam_succeed_if.so user notingroup wheel

+	

+	Can be very convenient to grant access based on complex group memberships (LDAP, etc)

+
+2020-02-18  MIZUTA Takeshi  <mizuta.takeshi@fujitsu.com>
+
+	Remove redundant header file inclusion.
+	There are some source code including the same header file redundantly.
+	We remove these redundant header file inclusion.
+
+2020-01-29  edneville  <ed-github@s5h.net>
+
+	pam_tally[2]: Updating man pages to indicate account leakage without silent
+	* modules/pam_tally/pam_tally.8.xml: Mention account leakage without silent

+	* modules/pam_tally2/pam_tally2.8.xml: Mention account leakage without silent

+
+2020-01-29  Jakub Wilk  <jwilk@jwilk.net>
+
+	pam_keyinit.8: add missing comma.
+
+2020-01-28  Pavel Březina  <pbrezina@redhat.com>
+
+	pam_usertype: new module to tell if uid is in login.defs ranges.
+	This module will check if the user account type is system or regular based
+	on its uid. To evaluate the condition it will use 0-99 reserved range
+	together with `SYS_UID_MIN` and `SYS_UID_MAX` values from `/etc/login.defs`.
+
+	If these values are not set, it uses configure-time defaults
+	`--with-sys-uid-min` and `--with-uid-min` (according to `login.defs` man page
+	`SYS_UID_MAX` defaults to `UID_MIN - 1`.
+
+	This information can be used to skip specific module in pam stack
+	based on the account type. `pam_succeed_if uid < 1000` is used at the moment
+	however it does not reflect changes to `login.defs`.
+
+2020-01-27  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
+
+	configure.ac: add --enable-doc option.
+	Allow the user to disable documentation through --disable-doc (enabled
+	by default), this is especially useful when cross-compiling for embedded
+	targets
+
+2020-01-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix remaining -Wcast-qual compilation warnings.
+	Introduce a new internal header file with definitions of
+	DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL macros,
+	use them to temporary silence -Wcast-qual compilation warnings
+	in various modules.
+
+	* libpam/include/pam_cc_compat.h: New file.
+	* libpam/Makefile.am (noinst_HEADERS): Add include/pam_cc_compat.h.
+	* modules/pam_mkhomedir/pam_mkhomedir.c: Include "pam_cc_compat.h".
+	(create_homedir): Wrap execve invocation in DIAG_PUSH_IGNORE_CAST_QUAL
+	and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_namespace/pam_namespace.c: Include "pam_cc_compat.h".
+	(pam_sm_close_session): Wrap the cast that discards ‘const’ qualifier
+	in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_tty_audit/pam_tty_audit.c: Include "pam_cc_compat.h".
+	(nl_send): Wrap the cast that discards ‘const’ qualifier in
+	DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_unix/pam_unix_acct.c: Include "pam_cc_compat.h".
+	(_unix_run_verify_binary): Wrap execve invocation in
+	DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_unix/pam_unix_passwd.c: Include "pam_cc_compat.h".
+	(_unix_run_update_binary): Wrap execve invocation in
+	DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_unix/passverify.c: Include "pam_cc_compat.h".
+	(unix_update_shadow): Wrap the cast that discards ‘const’ qualifier
+	in DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_unix/support.c: Include "pam_cc_compat.h".
+	(_unix_run_helper_binary): Wrap execve invocation in
+	DIAG_PUSH_IGNORE_CAST_QUAL and DIAG_POP_IGNORE_CAST_QUAL.
+	* modules/pam_xauth/pam_xauth.c: Include "pam_cc_compat.h".
+	(run_coprocess): Wrap execv invocation in DIAG_PUSH_IGNORE_CAST_QUAL
+	and DIAG_POP_IGNORE_CAST_QUAL.
+
+2020-01-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	_pam_mkargv: add const qualifier to the first argument.
+	Also fix the following compilation warning:
+
+	tests/tst-pam_mkargv.c:21:22: warning: initialization discards ‘const’
+	qualifier from pointer target type [-Wdiscarded-qualifiers]
+	   char *argvstring = "user = XENDT\\userα user=XENDT\\user1";
+	                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+	* libpam/pam_misc.c (_pam_mkargv): Add const qualifier to the first
+	argument.
+	* libpam/pam_private.h (_pam_mkargv): Likewise.
+	* tests/tst-pam_mkargv.c (main): Convert argvstring from a pointer into
+	a static const string, make argvresult array static const.
+
+2020-01-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix miscellaneous const issues.
+	* libpam/pam_modutil_searchkey.c: Avoid assigning empty string literal to
+	non-const char *.
+	* modules/pam_filter/pam_filter.c: Avoid using const char **.
+	* modules/pam_mkhomedir/pam_mkhomedir.c: Properly cast out const for execve().
+	* modules/pam_namespace/pam_namespace.c: Properly cast out const from pam data.
+	* modules/pam_tally2/pam_tally2.c: String literal must be assigned to
+	const char *.
+
+2020-01-17  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Return NULL instead of calling crypt_md5_wrapper().
+	If the call to the crypt(3) function failed for some reason during
+	hashing a new login passphrase, the wrapper function for computing
+	a hash with the md5crypt method was called internally by the pam_unix
+	module in previous versions of linux-pam.
+
+	With CVE-2012-3287 in mind, the md5crypt method is not considered to
+	be a safe nor recommended hashing method for a new login passphrase
+	since at least 2012.  Thus pam_unix should error out in case of a
+	failure in crypt(3) instead of silently computing a hashed passphrase
+	using a potentially unsafe method.
+
+	* modules/pam_unix/pam_unix.8.xml: Update documentation.
+	* modules/pam_unix/passverify.c (create_password_hash): Return NULL
+	on error instead of silently invoke crypt_md5_wrapper().
+
+2020-01-15  Hulto  <jack.m.mckenna@gmail.com>
+
+	Changed variable salt to hash.
+	helper_verify_password's variable salt is not just the salt but the whole hash. Renamed for clarity and conformity with the rest of the code.
+
+2020-01-15  Josef Moellers  <jmoellers@suse.de>
+
+	Add two missing va_end() calls According to the man pages, "Each invocation of va_start() must be matched by a corresponding invocation of va_end() in the same function."
+
+2020-01-15  Steve Langasek  <steve.langasek@canonical.com>
+
+	Further grammar fixes.
+
+	Bug-Debian: https://bugs.debian.org/651560
+
+2020-01-15  Steve Langasek  <steve.langasek@canonical.com>
+
+	Miscellaneous spelling fixes.
+
+	Miscellaneous grammar fixes.
+
+2020-01-10  Andreas Henriksson  <andreas@fatal.se>
+
+	pam_umask: document the 'nousergroups' option.
+	Add a short description of the nousergroups to the pam_umask(8)
+	man-page.
+
+2020-01-10  Andreas Henriksson  <andreas@fatal.se>
+
+	pam_umask: add new 'nousergroups' module argument.
+	This is particularly useful when pam has been built with the new
+	--enable-usergroups configure switch, allowing users to override
+	the default-enabled state and disabling usergroups at runtime.
+
+	This is synonymous but opposite to current and previous pam_umask
+	default that could be changed to enabled at runtime with the usergroups
+	argument.
+
+2020-01-10  Andreas Henriksson  <andreas@fatal.se>
+
+	pam_umask: build-time usergroups option default.
+	This change adds a configure option to set the default value of the
+	usergroups option (of the pam_umask module) at build-time.
+
+	Distributions usually makes the decision if usergroups should be used or
+	not. This allows them to control the built-in default value, without
+	having to ship the value in a config file (cluttering up the view
+	of actually relevant user/system configuration overrides).
+
+2020-01-02  msalle  <mischa.salle@gmail.com>
+
+	pam_access: Fix (IPv6) address prefix size matching.
+	IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should

+	be discarded. Additionally, for IPv4 addresses, the largest valid prefix size

+	should be 32.

+	

+	Fixes #161
+
+2019-12-18  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Do not use CFLAGS for warning flags set from configure.
+	To be able to set CFLAGS from make command-line but not to lose the
+	warning flags.
+
+	* configure.ac: Put warning flags to WARN_CFLAGS instead of CFLAGS.
+	* */Makefile.am: Apply WARN_CFLAGS to AM_CFLAGS.
+
+2019-12-17  Balint Reczey  <balint.reczey@canonical.com>
+
+	Return only PAM_IGNORE or error from pam_motd.
+	Follow-up for c81280b16e1831ab0bdd0383486c7e2d1eaf1b5e.

+	* modules/pam_motd/pam_motd.c: Return PAM_IGNORE if pam_putenv succeeds.

+	* modules/pam_motd/pam_motd.8.xml: Document additional possible return values of the module.
+
+2019-12-16  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Add initial Travis CI support.
+	This runs "make distcheck" using gcc-9, gcc-8, gcc-7, and clang
+	on x86_64, x86, x32, aarch64, s390x, and ppc64le architectures.
+
+	* .travis.yml: New file.
+	* ci/install-dependencies.sh: Likewise.
+	* ci/run-build-and-tests.sh: Likewise.
+
+	Resolves: https://github.com/linux-pam/linux-pam/issues/28
+
+2019-12-16  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_pwhistory: fix build when -lxcrypt is not available.
+	When xcrypt.h is available but -lxcrypt is not, pam_pwhistory fails to
+	build with the following diagnostics:
+	    modules/pam_pwhistory/opasswd.c:111: undefined reference to `xcrypt_r'
+
+	Fix this by using the same check for xcrypt as in other modules.
+
+	* modules/pam_pwhistory/opasswd.c: Replace HAVE_XCRYPT_H with
+	HAVE_LIBXCRYPT.
+
+2019-12-16  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix or suppress various warnings when compiling with -Wall -Wextra.
+	* conf/pam_conv1/Makefile.am: Add -Wno-unused-function -Wno-sign-compare to CFLAGS.
+	* doc/specs/Makefile.am: Likewise.
+
+	* libpamc/include/security/pam_client.h: Explicitly compare old_p with NULL.
+
+	* modules/pam_access/pam_access.c: Avoid double const.
+
+	* modules/pam_filter/pam_filter.c: Avoid arbitrary constants. Avoid strncpy()
+	without copying the NUL byte.
+
+	* modules/pam_group/pam_group.c: Mark switch fallthrough with comment.
+	* modules/pam_time/pam_time.c: Likewise.
+
+	* modules/pam_limits/pam_limits.c: Remove unused units variable.
+
+	* modules/pam_listfile/pam_listfile.c: Avoid unnecessary strncpy, use pointers.
+
+	* modules/pam_rootok/pam_rootok.c (log_callback): Mark unused parameter.
+
+	* modules/pam_selinux/pam_selinux.c: Use string_to_security_class() instead
+	of hardcoded value.
+
+	* modules/pam_sepermit/pam_sepermit.c: Properly cast when comparing.
+
+	* modules/pam_succeed_if/pam_succeed_if.c: Mark unused parameters.
+
+	* modules/pam_unix/pam_unix_passwd.c: Remove unused variables and properly
+	cast for comparison.
+
+	* modules/pam_unix/support.c: Remove unused function.
+
+2019-12-04  Balint Reczey  <balint@balintreczey.hu>
+
+	pam_motd: Export MOTD_SHOWN=pam after showing MOTD.
+	This is a useful indication for update-motd profile.d snippet which can

+	also try to show MOTD when it is not already shown.

+	

+	The use-case for that is showing MOTD in shells in containers without

+	PAM being involved.

+	

+	* modules/pam_motd/pam_motd.c: Export MOTD_SHOWN=pam after showing MOTD

+	* modules/pam_motd/pam_motd.8.xml: Mention setting MOTD_SHOWN=pam in the man page

+
+2019-11-28  ppkarwasz  <piotr.github@karwasz.org>
+
+	Adds an auth module to pam_keyinit (#150)
+	Adds an auth module to pam_keyinit, whose implementation of

+	pam_sm_setcred

+	is identical to the implementation of pam_sm_open_session.

+	

+	It is useful with PAM applications, which call pam_setcred,

+	before calling pam_open_session.

+	

+	*  modules/pam_keyinit/pam_keyinit.c: Add an auth module to pam_keyinit.

+	

+	* modules/pam_keyinit/pam_keyinit.8.xml: Update the manpage

+	to describe the new functionality.

+
+2019-11-28  Sophie Herold  <sophie@hemio.de>
+
+	Lower "bad username" log priority (#154)
+	* modules/pam_unix/pam_unix_auth.c: Use LOG_NOTICE instead of LOG_ERR.

+	* modules/pam_unix/pam_unix_passwd.c: Likewise.

+	* modules/pam_umask/pam_umask.c: Likewise.
+
+2019-11-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
+	* modules/pam_namespace/namespace.conf.5.xml: Add documentation for the
+	noexec, nosuid, and nodev flags support.
+	* modules/pam_namespace/pam_namespace.c (filter_mntopts): New function to
+	filter out the flags.
+	(parse_method): Call the function.
+	(ns_setup): Apply the flags to the tmpfs mount.
+	* modules/pam_namespace/pam_namespace.h: Add mount_flags to polydir_s struct.
+
+2019-11-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Optimize the checkgrouplist function.
+	There is no point in rising the allocation size by doubling when
+	we can allocate required memory size at once in the second pass.
+
+	* libpam/pam_modutil_ingroup.c (checkgrouplist): Allocate some reasonable
+	default size in first pass and required size in the second pass.
+
+2019-10-15  MIZUTA Takeshi  <mizuta.takeshi@fujitsu.com>
+
+	doc: fix module type written in MODULE TYPES PROVIDED.
+
+2019-10-14  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Add logging useful for debugging problems.
+	Two messages added about obtaining the username are guarded
+	by the debug option as these should not be normally
+	logged - they can be useful for debugging but they do not
+	indicate any special condition.
+
+	The message about authenticating user with blank password is
+	still just LOG_DEBUG priority but it is logged unconditionally
+	because it is somewhat extraordinary condition to have an user
+	with blank password.
+
+	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
+	  D() macro calls which are not enabled on production builds with
+	  regular pam_syslog() calls.
+
+2019-10-10  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Fix the spelling of Jan Rękorajski's name.
+
+2019-10-08  MIZUTA Takeshi  <mizuta.takeshi@fujitsu.com>
+
+	doc: fix typo in manpage.
+
+2019-10-03  MIZUTA Takeshi  <mizuta.takeshi@fujitsu.com>
+
+	pam_mkhomedir: Add debug option to pam_mkhomedir(8) man page.
+
+2019-09-23  Marek Černocký  <marek@manet.cz>
+
+	Fixed missing quotes in configure script.
+
+2019-09-16  Thorsten Kukuk  <5908016+thkukuk@users.noreply.github.com>
+
+	Add support for a vendor directory and libeconf (#136)
+	With this, it is possible for Linux distributors to store their

+	supplied default configuration files somewhere below /usr, while

+	/etc only contains the changes made by the user. The new option

+	--enable-vendordir defines where Linux-PAM should additional look

+	for pam.d/*, login.defs and securetty if this files are not in /etc.

+	libeconf is a key/value configuration file reading library, which

+	handles the split of configuration files in different locations

+	and merges them transparently for the application.
+
+2019-09-12  Carlos Santos  <casantos@redhat.com>
+
+	pam_lastlog: document the 'unlimited' option.
+
+2019-09-12  Carlos Santos  <casantos@redhat.com>
+
+	pam_lastlog: prevent crash due to reduced 'fsize' limit.
+	It a reduced fsize limit is set in /etc/security/limits.conf and
+	pam_limits is in use pam_lastlog may cause a crash, e.g.
+
+	    ----- begin /etc/pam.d/su ----
+	    auth        sufficient   pam_rootok.so
+	    auth        required     pam_wheel.so use_uid
+	    auth        required     pam_env.so
+	    auth        required     pam_unix.so nullok
+	    account     required     pam_unix.so
+	    password    required     pam_unix.so nullok
+	    session     required     pam_limits.so
+	    session     required     pam_env.so
+	    session     required     pam_unix.so
+	    session     optional     pam_lastlog.so
+	    ----- end /etc/pam.d/su -----
+
+	    ----- begin /etc/security/limits.d/fsize.conf -----
+	    * soft fsize 1710
+	    * hard fsize 1710
+	    ----- end /etc/security/limits.d/fsize.conf -----
+
+	    # id user1
+	    uid=1000(user1) gid=1000(user1) groups=1000(user1)
+	    # su - user1
+	    Last login: Wed Sep 11 01:52:44 UTC 2019 on console
+	    $ exit
+	    # id user2
+	    uid=60000(user2) gid=60000(user2) groups=60000(user2)
+	    # su - user2
+	    File size limit exceeded
+
+	This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
+	attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
+
+	In order to fix this, and an 'unlimited' option, which leads to saving
+	the 'fsize' limit and set it to unlimited before writing lastlog. After
+	that, restore the saved value. If 'fsize' is already unlimited nothing
+	is done.
+
+	Failing to set the 'fsize' limit is not a fatal error.  With luck the
+	configured limit will suffice, so we try to write lastlog anyway, even
+	under the risk of dying due to a SIGXFSZ.
+
+	Failing to restore the 'fsize' limit is a fatal error, since we don't
+	want to keep it unlimited.
+
+2019-09-11  ed  <ed@s5h.net>
+
+	pam_unix_sess.c add uid for opening session.
+	This adds the UID of the target user to the session open log.
+
+	Also fixing tabulation in pam_unix_sess.c.
+
+2019-09-09  lifecrisis  <15251574+lifecrisis@users.noreply.github.com>
+
+	Fix the man page for "pam_fail_delay()"
+	This man page contained the incorrect statement that setting the
+	PAM_FAIL_DELAY item to NULL would disable any form of delay on
+	authentication failure.
+
+	I removed the incorrect statement and added a paragraph explaining
+	how an application should properly avoid delays.
+
+	Closes #137.
+
+2019-09-06  lifecrisis  <15251574+lifecrisis@users.noreply.github.com>
+
+	Fix a typo.
+	There is an extra space where there should not be one.
+
+2019-09-06  lifecrisis  <15251574+lifecrisis@users.noreply.github.com>
+
+	Update a function comment.
+	The function comment for "_pam_await_timer()" does not mention the
+	intended behavior of prioritizing the "PAM_FAIL_DELAY" item.
+
+	I updated the comment to make this intention clear.
+
+2019-09-02  Matt Cowell  <matt.cowell@nokia.com>
+
+	pwhistory: fix read of uninitialized data and memory leak when modifying opasswd
+	The glibc implementation of getline/getdelim does not guarantee a NUL
+	terminator in lineptr if getline returns failure (-1).  This occurs when
+	the opasswd file exists but is empty.  Since strdup is called
+	immediately afterwards, this causes strdup to read uninitialized memory
+	and possibly buffer overrun / crash.
+
+	This also fixes a memory leak which always occurs when reading the last
+	line of the opasswd file.  Since the strdup is called before checking
+	the return code from getline, getdelim, or fgets+strlen, it will
+	duplicate and never free either:
+	- The last successfully read line (for getline or getdelim)
+	- Uninitialized data (if the file is empty)
+	- A 0 byte string (for fgets+strlen)
+
+	Fix by always checking the return code of getline, getdelim, or
+	fgets+strlen before calling strdup.
+
+2019-08-26  Christophe Besson  <cbesson@redhat.com>
+
+	libpam/pam_modutil_sanitize.c: optimize the way to close fds.
+
+2019-08-07  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_tty_audit: Manual page clarification about password logging.
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
+	can be sometimes logged even when the option is not set.
+
+2019-08-07  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_get_authtok_verify: Avoid duplicate password verification.
+	If password was already verified by previous modules in the stack
+	it does not need to be verified by pam_get_authtok_verify either.
+
+	* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
+	  appropriately.
+	  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
+	  set it when the password is verified.
+	* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
+	* libpam/pam_start.c (pam_start): Initialize authtok_verified.
+
+2019-07-16  2*yo  <yohann@lepage.info>
+
+	Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+
+2019-06-27  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Correct MAXPASS define name in the previous two commits.
+	* modules/pam_unix/pam_unix_passwd.c: Change MAX_PASS to MAXPASS.
+	* modules/pam_unix/support.c: Likewise.
+
+2019-06-27  Florian Best  <best@univention.de>
+
+	Restrict password length when changing password.
+
+	Trim password at PAM_MAX_RESP_SIZE chars.
+	Issue #118: Protect against Denial of Service attacks.
+	To prevent hashsum generation via crypt of very long passwords the
+	password is now stripped to 512 characters. This is equivalent behavior
+	to unix_chkpwd.
+
+2019-05-23  Olaf Mandel  <o.mandel@menlosystems.com>
+
+	pam_succeed_if: Request user data only when needed.
+	Allow for conditions that just check the user field to also work for
+	users not known to the system. Before this caused a PAM_USER_UNKNOWN
+	even if no extra data for an existing user was needed. E.g.
+
+	    auth sufficient pam_succeed_if.so user = NotKnownToSystem
+
+	modules/pam_succeed_if/pam_succeed_if.c (evaluate): Change the pwd
+	parameter to an input/output parameter. Lazily request pwd with
+	pam_modutil_getpwnam() if needed and return PAM_USER_UNKNOWN on failure.
+
+	modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Don't
+	request the pwd if !use_uid anymore and shift the output from audit to
+	after the evaluate() call. Also make sure not to give the normal failure
+	message if the lazy pwd loading failed.
+
+2019-02-26  Maciej S. Szmigiero  <mail@maciej.szmigiero.name>
+
+	pam_tally2: Remove unnecessary fsync()
+	pam_tally2 does fsync() after writing to a tally file.
+	This causes hard drive cache flushes on every failed SSH login on many
+	(if not most) filesystems.
+	And an internet-exposed machine can have a lot of these failed logins.
+
+	This operation however doesn't seem to be necessary - the pam_tally2
+	module does not do any operation which would need explicit post-crash
+	ordering, it just does simple file reads and writes.
+	And doing a fsync() after them doesn't close any race if the system happens
+	to crash between a write being posted and its fsync() completion.
+
+	Let's remove this operation to get rid of all these extra cache flushes.
+
+2019-02-19  vkwitshana  <vkwitshana@gmail.com>
+
+	Fixed a grammer mistake.
+
+2019-01-10  Christopher Head  <chead@chead.ca>
+
+	Fix documentation for pam_wheel.
+	By default, pam_wheel checks for applicant membership in the wheel group
+	for *all* access requests, regardless of whether the target user is root
+	or non-root. Only if root_only is provided does it limit the membership
+	check to cases when the target user is root. Update the documentation to
+	reflect this.
+
+2019-01-10  Louis Sautier  <sautier.louis@gmail.com>
+
+	Fix a typo in the documentation.
+
+2019-01-10  Nir Soffer  <nsoffer@redhat.com>
+
+	pam_lastlog: Improve silent option documentation.
+	The silent option explicitly silents only the last login message and not
+	bad logins. Add a note to the manual to make this clear.
+
+	* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
+
+2019-01-10  Nir Soffer  <nsoffer@redhat.com>
+
+	pam_lastlog: Respect PAM_SILENT flag.
+	pam_lastlog module will not log info about failed login if the session
+	was opened with PAM_SILENT flag.
+
+	Example use case enabled by this change:
+
+	    sudo --non-interactive program
+
+	If this command is run by another program expecting specific output from
+	the command run by sudo, the unexpected info about failed logins will
+	break this program.
+
+	* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
+	  (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
+
+2019-01-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix regressions from the last commits.
+	* configure.ac: Test for logwtmp needs -lutil in LIBS.
+	* modules/Makefile.am: Fix indentation of variable assignments causing
+	  creation of incorrect Makefile.
+
+2019-01-04  Rosen Penev  <rosenp@gmail.com>
+
+	Replace strndupa with strncpy.
+	glibc only. A static string is better.
+
+2019-01-04  Yousong Zhou  <yszhou4tech@gmail.com>
+
+	build: ignore pam_lastlog when logwtmp is not available.
+	* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
+	* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
+
+	build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+	* configure.ac: check for ruserok and ruserok_af
+	* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
+	* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
+
+2018-12-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_motd: Cleanup the code and avoid unnecessary logging.
+	The pam_motd module will not log if the default motd.d directories
+	are missing.
+
+	Also cleanup some code cleanliness issues and fix compilation
+	warnings.
+
+	* modules/pam_motd/pam_motd.c: Constification of constant strings.
+	  (try_to_display_directory): Removed unused function.
+	  (pam_split_string): Replace uint with unsigned int. Fix warnings.
+	  (compare_strings): Fix warnings by proper constification.
+	  (try_to_display_directories_with_overrides): Cleanups. Switch
+	  off the logging if the motd.d directories are missing and they
+	  are default ones.
+	  (pam_sm_open_session): Cleanup warnings. Pass the information
+	  to try_to_display_directories_with_overrides() that non-default
+	  motd options are used.
+
+2018-12-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+	* modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the
+	  LASTLOG_UID_MAX option.
+	* modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max().
+	  (last_login_date): Check the uid against the get_lastlog_uid_max().
+	  (pam_authenticate): Likewise.
+
+2018-12-11  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Move the duplicated search_key function to pam_modutil.
+	* libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
+	* libpam/Makefile.am: Add the pam_modutil_searchkey.c.
+	* libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
+	* libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
+	* modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
+	  pam_modutil_search_key().
+	* modules/pam_umask/pam_umask.c: Likewise.
+	* modules/pam_unix/support.c: Likewise.
+
+2018-11-27  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Use pam_syslog instead of helper_log_err.
+	* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
+	 PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
+	* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
+	* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
+	 to verify_pwd_hash() call.
+
+2018-11-27  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Report unusable hashes found by checksalt to syslog.
+	libxcrypt can be build-time configured to support (or not support)
+	various hashing methods.  Future versions will also have support for
+	runtime configuration by the system's vendor and/or administrator.
+
+	For that reason adminstrator should be notified by pam if users cannot
+	log into their account anymore because of such a change in the system's
+	configuration of libxcrypt.
+
+	Also check for malformed hashes, like descrypt hashes starting with
+	"$2...", which might have been generated by unsafe base64 encoding
+	functions as used in glibc <= 2.16.
+	Such hashes are likely to be rejected by many recent implementations
+	of libcrypt.
+
+	* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
+	hashes found by checksalt to syslog.
+
+2018-11-27  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Revert "pam_unix: Add crypt_default method, if supported."
+	This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
+
+2018-11-27  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Add crypt_default method, if supported.
+	libxcrypt since v4.4.0 supports a default method for its
+	gensalt function on most system configurations.  As the
+	default method is to be considered the strongest available
+	hash method, it should be preferred over all other hash
+	methods supported by pam.
+
+	* modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
+	* modules/pam_unix/passverify.c: Add crypt_default method.
+	* modules/pam_unix/support.h: Likewise.
+
+2018-11-26  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Revert part of the commit 4da9febc.
+	pam_unix: Do not return a hard failure on invalid or disabled salt
+	as in some cases the failure actually is not interesting and can
+	broke things such as password-less sudo.
+
+	* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
+	  of disabled or invalid salt.
+
+2018-11-23  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Add support for (gost-)yescrypt hashing methods.
+	libxcrypt (v4.2 and later) has added support for the yescrypt
+	hashing method; gost-yescrypt has been added in v4.3.
+
+	* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
+	* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
+	* modules/pam_unix/pam_unix_auth.c: Likewise.
+	* modules/pam_unix/pam_unix_passwd.c: Likewise.
+	* modules/pam_unix/pam_unix_sess.c: Likewise.
+	* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
+	* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
+	* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
+	* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
+
+2018-11-22  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Fix closing curly brace. (#77)
+	This has been overlooked during review of commit dce80b3f11b3.
+
+	* modules/pam_unix/support.c (_set_ctrl): Fix closing curly brace.
+
+	Closes: https://github.com/linux-pam/linux-pam/issues/77
+
+2018-11-22  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+	libxcrypt v4.3 has added the crypt_checksalt function to whether
+	the prefix at the begining of a given hash string refers to a
+	supported hashing method.
+
+	Future revisions of this function will add support to check whether
+	the hashing method, the prefix refers to, was disabled or considered
+	deprecated by the system's factory presets or system administrator.
+	Furthermore it will be able to detect whether the parameters, which
+	are used by the corresponding hashing method, being encoded in the
+	hash string are not considered to be strong enough anymore.
+
+	*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
+
+2018-11-22  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Prefer a gensalt function, that supports auto entropy.
+	* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
+	* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
+	* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.
+
+2018-11-21  Robert Fairley  <rfairley@users.noreply.github.com>
+
+	pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+	This fixes a regression introduced by #69, where motd_path was set

+	to NULL and passed into strdup() if the motd_dir argument was

+	not specified in the configuration file. This caused a segmentation

+	fault.

+	

+	* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments

+	* xtests/Makefile.am: add test scripts and config file

+	* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh

+	* xtests/tst-pam_motd4.pamd: create

+	* xtests/tst-pam_motd4.sh: create
+
+2018-11-19  Robert Fairley  <rfairley@users.noreply.github.com>
+
+	pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+	Adds specifying multiple paths to motd files and motd.d

+	directories to be displayed. A colon-separated list of

+	paths is specified as arguments motd and motd_dir to the

+	pam_motd module.

+	

+	This gives packages several options to install motd files to.

+	By default, the paths are, with highest priority first:

+	/etc/motd

+	/run/motd

+	/usr/lib/motd

+	/etc/motd.d/

+	/run/motd.d/

+	/usr/lib/motd.d/

+	

+	Which is equivalent to the following arguments:

+	motd=/etc/motd:/run/motd:/usr/lib/motd

+	motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d

+	

+	Files with the same filename in a lower-priority directory,

+	as specified by the order in the colon-separated list, are

+	overridden, meaning PAM will not display them.

+	

+	This allows a package to contain motd files under

+	/usr/lib instead of the host configuration in /etc.

+	A service may also write a dynamically generated motd in

+	/run/motd.d/ and have PAM display it without needing a

+	symlink from /etc/motd.d/ installed.

+	

+	Closes #68

+	

+	* modules/pam_motd/pam_motd.8.xml: update documentation

+	* modules/pam_motd/pam_motd.c: add specifying multiple motd paths

+	* xtests/.gitignore: add generated test script

+	* xtests/Makefile.am: add test source, scripts and config files

+	* xtests/tst-pam_motd.c: create

+	* xtests/tst-pam_motd.sh: create

+	* xtests/tst-pam_motd1.pamd: create

+	* xtests/tst-pam_motd1.sh: create

+	* xtests/tst-pam_motd2.pamd: create

+	* xtests/tst-pam_motd2.sh: create

+	* xtests/tst-pam_motd3.pamd: create

+	* xtests/tst-pam_motd3.sh: create
+
+2018-11-16  Björn Esser  <besser82@fedoraproject.org>
+
+	pam_unix: Use bcrypt b-variant for computing new hashes.
+	Bcrypt hashes used the "$2a$" prefix since 1997.
+	However, in 2011 an implementation bug was discovered in bcrypt
+	affecting the handling of characters in passphrases with the 8th
+	bit set.
+
+	Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
+	for a behavior that exactly matches crypt_blowfish's "$2y$", and
+	the crypt_blowfish implementation supports it as well since v1.1.
+
+	That said new computed bcrypt hashes should use the "$2b$" prefix.
+
+	* modules/pam_unix/passverify.c: Use bcrypt b-variant.
+
+2018-06-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_tally, pam_tally2: fix grammar and spelling (#54)
+	* modules/pam_tally/pam_tally.c (tally_check): Replace
+	"Account is temporary locked" with "The account is temporarily locked"
+	in translated messages.
+	* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+	* po/Linux-PAM.pot: Update pam_tally and pam_tally2 messages.
+
+	Closes: https://github.com/linux-pam/linux-pam/issues/54
+
+2018-06-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix grammar of messages printed via pam_prompt.
+	Turn into proper sentences those messages that are printed without
+	further modifications using pam_prompt in contexts where proper
+	sentences are expected.
+
+	* libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
+	of the message passed to pam_error.
+	* modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
+	* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
+	grammar of error messages passed to pam_error.
+	* modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
+	passed to pam_info.
+	* modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
+	* modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
+	grammar of messages passed to pam_prompt.
+	* modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
+	passed to pam_info.
+	* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
+	of messages passed to _make_remark.
+	* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
+	pam_sm_chauthtok): Likewise.
+	* po/Linux-PAM.pot: Regenerate.
+
+2018-06-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_stress: do not mark messages for translation.
+	pam_stress is not a regular module that needs to be translated.
+	Besides that, its messages are not easy to understand
+	and even harder to translate properly.
+
+	* modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Do not mark
+	messages for translation.
+	* po/Linux-PAM.pot: Remove pam_stress messages.
+
+2018-05-31  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+	The last use of these macros was removed by commit Linux-PAM-1.3.0~5
+	so their definitions should go as well.
+
+	* modules/pam_unix/pam_unix_auth.c (_UNIX_AUTHTOK): Remove.
+	* modules/pam_unix/pam_unix_passwd.c (_UNIX_OLD_AUTHTOK,
+	_UNIX_NEW_AUTHTOK): Likewise.
+
+	Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
+	direct pam_prompt() calls.")
+
+2018-05-31  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: remove obsolete _unix_read_password prototype.
+	The function was removed by commit Linux-PAM-1.3.0~5
+	so the function prototype should go as well.
+
+	* modules/pam_unix/support.h (_unix_read_password): Remove.
+
+	Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
+	direct pam_prompt() calls.")
+
+2018-05-18  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Release version 1.3.1.
+
+	Add xz compression.
+
+2018-05-16  Allison Karlitskaya  <allison.karlitskaya@redhat.com>
+
+	pam_motd: add support for a motd.d directory (#48)
+	Add a new feature to pam_motd to allow packages to install their own

+	message files in a "motd.d" directory, to be displayed after the primary

+	motd.

+	

+	Add an option motd_d= to specify the location of this directory.

+	

+	Modify the defaults, in the case where no options are given, to display

+	both /etc/motd and /etc/motd.d.

+	

+	Fixes #47

+	

+	 * modules/pam_motd/pam_motd.c: add support for motd.d

+	 * modules/pam_motd/pam_motd.8.xml: update the manpage
+
+2018-05-02  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_umask: Fix documentation to align with order of loading umask.
+	* modules/pam_umask/pam_umask.8.xml: Document the real order of loading
+	umask.
+
+2018-04-10  Joey Chagnon  <joeychagnon@users.noreply.github.com>
+
+	Fix missing word in documentation.
+	*  doc/man/pam_get_user.3.xml: Fix it.
+
+2017-11-10  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_tally2 --reset: avoid creating a missing tallylog file.
+	There is no need for pam_tally2 in --reset=0 mode to create a missing
+	tallylog file because its absence has the same meaning as its existence
+	with the appropriate entry reset.
+
+	This was not a big deal until useradd(8) from shadow suite release 4.5
+	started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
+	configuration.
+
+	The positive effect of this change is noticeable when using tools like
+	cpio(1) that cannot archive huge sparse files efficiently.
+
+	* modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
+	cline_filename when cline_reset == 0, exit early if the file is missing.
+
+2017-11-10  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_mkhomedir: Allow creating parent of homedir under /
+	* modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
+	skip creating the directory if we are under /.
+
+2017-10-09  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_tty_audit: Fix regression introduced by adding the uid range support.
+	* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
+	remove unneeded code carried from pam_limits.
+	(pam_sm_open_session): When multiple enable/disable options are present do not
+	stop after first match.
+
+2017-09-06  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_access: Add note about spaces around ':' in access.conf(5)
+	* modules/pam_access/access.conf.5.xml: Add note about spaces around ':'
+
+	Workaround formatting problem in pam(8)
+	* doc/man/pam.8.xml: Workaround formatting problem.
+
+2017-07-12  Peter Urbanec  <peterurbanec@users.noreply.github.com>
+
+	pam_unix: Check return value of malloc used for setcred data (#24)
+	Check the return value of malloc and if it failed print debug info, send

+	a syslog message and return an error code.

+	

+	The test in AUTH_RETURN for ret_data not being NULL becomes redundant.

+
+2017-07-10  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_cracklib: Drop unused prompt macros.
+	* modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.
+
+2017-06-28  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_tty_audit: Support matching users by uid range.
+	* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
+	parse the uid range.
+	(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.
+
+2017-05-31  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_access: support parsing files in /etc/security/access.d/*.conf.
+	* modules/pam_access/pam_access.c (login_access): Return NOMATCH if
+	there was no match in the parsed file.
+	(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
+	subdirectory and call login_access() on the individual files matched.
+	* modules/pam_access/pam_access.8.xml: Document the addition.
+	* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.
+
+2017-04-11  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_localuser: Correct the example in documentation.
+	* modules/pam_localuser/pam_localuser.8.xml: The example configuration
+	  does something different.
+
+	pam_localuser: Correct documentation of return value.
+	* modules/pam_localuser/pam_localuser.8.xml: The module returns
+	  PAM_PERM_DENIED when the user is not listed.
+
+2017-03-10  Saul Johnson  <saul.a.johnson@gmail.com>
+
+	Make maxclassrepeat=1 behavior consistent with docs (#9)
+	* modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.
+
+2017-02-09  Josef Moellers  <jmoellers@suse.de>
+
+	Properly test for strtol() failure to find any digits.
+	* modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
+	to beginning and not NULL.
+
+2017-01-19  Daniel Abrecht  <daniel.abrecht@hotmail.com>
+
+	pam_exec: fix a potential null pointer dereference.
+	Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
+	but the response is set to NULL.
+
+	* modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
+	with a null pointer.
+
+	Closes: https://github.com/linux-pam/linux-pam/pull/2
+
+2016-12-07  Antonio Ospite  <ao2@ao2.it>
+
+	Add missing comma in the limits.conf.5 manpage.
+	* modules/pam_limits/limits.conf.5.xml: add a missing comma
+
+2016-11-14  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Regular links doesn't work with -no-numbering -no-references.
+	* configure.ac: Use elinks instead of links.
+
+2016-11-01  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_access: First check for the (group) match.
+	The (group) match is performed first to allow for groups
+	containing '@'.
+
+	* modules/pam_access/pam_access.c (user_match): First check for the (group) match.
+
+2016-10-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_ftp: Properly use the first name from the supplied list.
+	* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
+	of anonymous users if user name matches.
+	(pam_sm_authenticate): Free the returned value allocated in lookup().
+
+2016-09-12  Bartos-Elekes Zsolt  <muszi@kite.hu>
+
+	pam_issue: Fix no prompting in parse escape codes mode.
+	* modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().
+
+2016-06-30  Maxin B. John  <maxin.john@intel.com>
+
+	xtests: remove bash dependency.
+	There are no bash specific syntax in the xtest scripts. So, remove
+	the bash dependency.
+
+2016-06-30  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Unification and cleanup of syslog log levels.
+	* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
+	* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
+	* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
+	  with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
+	  with LOG_ERR.
+	* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
+	  with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
+	  LOG_ERR.
+	* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
+	  with LOG_NOTICE.
+	* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
+	  LOG_CRIT.
+	* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
+	  LOG_CRIT, other errors LOG_ERR.
+	* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
+	  with LOG_NOTICE, non-memory errors with LOG_ERR.
+	* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
+	  LOG_ERR.
+	* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
+	* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
+	  LOG_CRIT.
+	* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
+	* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
+	  other errors LOG_ERR.
+	* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
+	* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
+	* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
+	  max retries ignorance by application likewise.
+	* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
+	* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
+	  with LOG_NOTICE.
+	* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
+
+2016-06-14  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_timestamp: fix typo in strncmp usage.
+	Before this fix, a typo in check_login_time resulted to ruser and
+	struct utmp.ut_user being compared by the first character only,
+	which in turn could lead to a too low timestamp value being assigned
+	to oldest_login, effectively causing bypass of check_login_time.
+
+	* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
+	in strncmp usage.
+
+	Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
+
+2016-05-30  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Correct the examples in pam_fail_delay(3) man page.
+	doc/man/pam_fail_delay.3.xml: Correct the examples.
+
+2016-05-11  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Remove spaces in examples for access.conf.
+	The spaces are ignored only with the default listsep. To remove confusion
+	if non-default listsep is used they are removed from the examples.
+
+	* modules/pam_access/access.conf: Remove all spaces around ':' in examples.
+	* modules/pam_access/access.conf.5.xml: Likewise.
+
+2016-05-05  Mike Frysinger  <vapier@gentoo.org>
+
+	build: avoid non-portable == with "test" (ticket #60)
+	POSIX says test only accepts =. Some shells (including bash) accept ==,
+	but we should still stick to = for portability.
+
+	* configure.ac: Replace == with = in "test" invocations.
+
+2016-04-28  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Release version 1.3.0.
+	* NEWS: add changes for 1.3.0.
+	* configure.ac: bump version number.
+	* libpam/Makefile.am: bump revision of libpam.so version.
+
+2016-04-28  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Updated translations from Zanata.
+	* po/*.po: Updated translations from Zanata.
+
+2016-04-19  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_wheel: Correct the documentation of the root_only option.
+	* modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
+	root_only option.
+
+	pam_unix: Document that MD5 password hash is used to store old passwords.
+	modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
+	to store the old passwords when remember option is set.
+
+2016-04-14  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Project registered at Zanata (fedora.zanata.org) for translations.
+	* zanata.xml: Configuration file for zanata client.
+	* po/LINGUAS: Update languages as supported by Zanata.
+	* po/Linux-PAM.pot: Updated from sources.
+	* po/*.po: Updated from sources.
+
+2016-04-06  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.
+	We have to drop support for not_set_pass option which is not much useful
+	anyway. Instead we get proper support for authtok_type option.
+
+	* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
+	pe
+	option.
+	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
+	sword()
+	call with equivalent pam_get_authtok() call.
+	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
+	support for not_set_pass.
+	* modules/pam_unix/support.c (_unix_read_password): Remove.
+	* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
+
+2016-04-06  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_get_authtok(): Add authtok_type support to current password prompt.
+	* libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password,
+	use different prompt for current password allowing for authtok_type to be
+	displayed to the user.
+
+2016-04-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Make password expiration messages more user-friendly.
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
+	expiration messages more user-friendly.
+
+2016-04-04  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	innetgr may not be there so make sure that when innetgr is not present then we inform about it and not use it. [ticket#46]
+	* modules/pam_group/pam_group.c: ditto
+	* modules/pam_succeed_if/pam_succeed_if.c: ditto
+	* modules/pam_time/pam_time.c: ditto
+
+	build: fix build when crypt() is not part of crypt_libs [ticket#46]
+	* configure.ac: Don't set empty -l option in crypt check
+
+	build: use $host_cpu for lib64 directory handling [ticket#46]
+	* configure.ac: use $host_cpu for lib64 directory handling.
+
+2016-04-01  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix whitespace issues.
+	Remove blank lines at EOF introduced by commit
+	a684595c0bbd88df71285f43fb27630e3829121e,
+	making the project free of warnings reported by
+	git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+	* libpam/pam_dynamic.c: Remove blank line at EOF.
+	* modules/pam_echo/pam_echo.c: Likewise.
+	* modules/pam_keyinit/pam_keyinit.c: Likewise.
+	* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+	* modules/pam_rhosts/pam_rhosts.c: Likewise.
+	* modules/pam_sepermit/pam_sepermit.c: Likewise.
+	* modules/pam_stress/pam_stress.c: Likewise.
+
+2016-04-01  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Use TI-RPC functions if we compile and link against libtirpc. The old SunRPC functions don't work with IPv6.
+	* configure.ac: Set and restore CPPFLAGS
+	* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
+	  rpcb_getaddr if available.
+
+2016-03-29  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of external code using it.
+	* libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility
+
+	Remove "--enable-static-modules" option and support from  Linux-PAM. It was never official supported and was broken since years.
+	* configure.ac: Remove --enable-static-modules option.
+	* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
+	* doc/man/pam_sm_authenticate.3.xml: Likewise.
+	* doc/man/pam_sm_chauthtok.3.xml: Likewise.
+	* doc/man/pam_sm_close_session.3.xml: Likewise.
+	* doc/man/pam_sm_open_session.3.xml: Likewise.
+	* doc/man/pam_sm_setcred.3.xml: Likewise.
+	* libpam/Makefile.am: Remove STATIC_MODULES cases.
+	* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
+	* libpam/pam_dynamic.c: Likewise.
+	* libpam/pam_handlers.c: Likewise.
+	* libpam/pam_private.h: Likewise.
+	* libpam/pam_static.c: Remove file.
+	* libpam/pam_static_modules.h: Remove header file.
+	* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
+	* modules/pam_cracklib/pam_cracklib.c: Likewise.
+	* modules/pam_debug/pam_debug.c: Likewise.
+	* modules/pam_deny/pam_deny.c: Likewise.
+	* modules/pam_echo/pam_echo.c: Likewise.
+	* modules/pam_env/pam_env.c: Likewise.
+	* modules/pam_exec/pam_exec.c: Likewise.
+	* modules/pam_faildelay/pam_faildelay.c: Likewise.
+	* modules/pam_filter/pam_filter.c: Likewise.
+	* modules/pam_ftp/pam_ftp.c: Likewise.
+	* modules/pam_group/pam_group.c: Likewise.
+	* modules/pam_issue/pam_issue.c: Likewise.
+	* modules/pam_keyinit/pam_keyinit.c: Likewise.
+	* modules/pam_lastlog/pam_lastlog.c: Likewise.
+	* modules/pam_limits/pam_limits.c: Likewise.
+	* modules/pam_listfile/pam_listfile.c: Likewise.
+	* modules/pam_localuser/pam_localuser.c: Likewise.
+	* modules/pam_loginuid/pam_loginuid.c: Likewise.
+	* modules/pam_mail/pam_mail.c: Likewise.
+	* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
+	* modules/pam_motd/pam_motd.c: Likewise.
+	* modules/pam_namespace/pam_namespace.c: Likewise.
+	* modules/pam_nologin/pam_nologin.c: Likewise.
+	* modules/pam_permit/pam_permit.c: Likewise.
+	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+	* modules/pam_rhosts/pam_rhosts.c: Likewise.
+	* modules/pam_rootok/pam_rootok.c: Likewise.
+	* modules/pam_securetty/pam_securetty.c: Likewise.
+	* modules/pam_selinux/pam_selinux.c: Likewise.
+	* modules/pam_sepermit/pam_sepermit.c: Likewise.
+	* modules/pam_shells/pam_shells.c: Likewise.
+	* modules/pam_stress/pam_stress.c: Likewise.
+	* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
+	* modules/pam_tally/pam_tally.c: Likewise.
+	* modules/pam_tally2/pam_tally2.c: Likewise.
+	* modules/pam_time/pam_time.c: Likewise.
+	* modules/pam_timestamp/pam_timestamp.c: Likewise.
+	* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
+	* modules/pam_umask/pam_umask.c: Likewise.
+	* modules/pam_userdb/pam_userdb.c: Likewise.
+	* modules/pam_warn/pam_warn.c: Likewise.
+	* modules/pam_wheel/pam_wheel.c: Likewise.
+	* modules/pam_xauth/pam_xauth.c: Likewise.
+	* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
+	* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
+	* modules/pam_unix/pam_unix_auth.c: Likewise.
+	* modules/pam_unix/pam_unix_passwd.c: Likewise.
+	* modules/pam_unix/pam_unix_sess.c: Likewise.
+	* modules/pam_unix/pam_unix_static.c: Removed.
+	* modules/pam_unix/pam_unix_static.h: Removed.
+	* po/POTFILES.in: Remove removed files.
+	* tests/tst-dlopen.c: Remove PAM_STATIC part.
+
+2016-03-24  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Fix check for libtirpc and enhance check for libnsl to include new libnsl.
+	* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
+	* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
+
+2016-03-23  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Remove YP dependencies from pam_access, they were never used and such not needed.
+	* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
+	* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
+	  it will never be used.
+
+2016-03-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add checks for localtime() returning NULL.
+	* modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
+	returning NULL.
+	* modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
+	NULL.
+
+2016-03-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Silence warnings and fix a minor bug.
+	Fixes a minor bug in behavior when is_selinux_enabled()
+	returned negative value.
+
+	* modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro.
+	(unix_update_shadow): Safe cast forwho to non-const char *.
+	* modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
+
+2016-02-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_env: Document the /etc/environment file.
+	* modules/pam_env/Makefile.am: Add the environment.5 soelim stub.
+	* modules/pam_env/pam_env.8.xml: Add environ(7) reference.
+	* modules/pam_env/pam_env.conf.5.xml: Add environment alias name.
+	Add a paragraph about /etc/environment. Add environ(7) reference.
+
+	pam_unix: Add no_pass_expiry option to ignore password expiration.
+	* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
+	* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
+	is on and return value data is not set to PAM_SUCCESS then ignore
+	PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
+	* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
+	return value data.
+	(pam_sm_setcred): Test for likeauth option and use the return value data
+	only if set.
+	* modules/pam_unix/support.h: Add the no_pass_expiry option.
+
+2016-01-25  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_unix: Change the salt length for new hashes to 16 characters.
+	* modules/pam_unix/passverify.c (create_password_hash): Change the
+	salt length for new hashes to 16 characters.
+
+2015-12-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Relax the conditions for fatal failure on auditing.
+	The PAM library calls will not fail anymore for any uid if the return
+	value from the libaudit call is -EPERM.
+
+	* libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
+
+2015-12-16  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_tally2: Optionally log the tally count when checking.
+	* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
+	(tally_check): Always log the tally count with debug option.
+
+2015-10-02  Jakub Hrozek  <jakub.hrozek@posteo.se>
+
+	Docfix: pam handle is const in pam_syslog() and pam_vsyslog()
+	* doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
+
+2015-09-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_loginuid: Add syslog message if required auditd is not detected.
+	* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message
+	if required auditd is not detected.
+
+2015-09-04  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Allow links to be used instead of w3m for documentation regeneration.
+	* configure.ac: If w3m is not found check for links.
+
+	Add missing space in pam_misc_setenv man page.
+	* doc/man/pam_misc_setenv.3.xml: Add a missing space.
+
+2015-08-12  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_rootok: use rootok permission instead of passwd permission in SELinux check.
+	* modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of
+	passwd permission.
+
+2015-08-05  Amarnath Valluri  <amarnath.valluri@intel.com>
+
+	pam_timestamp: Avoid leaking file descriptor.
+	* modules/pam_timestamp/hmacsha1.c(hmac_key_create):
+	    close 'keyfd' when failed to own it.
+
+2015-06-22  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Release version 1.2.1.
+	Security fix: CVE-2015-3238
+
+	If the process executing pam_sm_authenticate or pam_sm_chauthtok method
+	of pam_unix is not privileged enough to check the password, e.g.
+	if selinux is enabled, the _unix_run_helper_binary function is called.
+	When a long enough password is supplied (16 pages or more, i.e. 65536+
+	bytes on a system with 4K pages), this helper function hangs
+	indefinitely, blocked in the write(2) call while writing to a blocking
+	pipe that has a limited capacity.
+	With this fix, the verifiable password length will be limited to
+	PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
+
+	* NEWS: Update
+	* configure.ac: Bump version
+	* modules/pam_exec/pam_exec.8.xml: document limitation of password length
+	* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
+	* modules/pam_unix/pam_unix.8.xml: document limitation of password length
+	* modules/pam_unix/pam_unix_passwd.c: limit password length
+	* modules/pam_unix/passverify.c: Likewise
+	* modules/pam_unix/passverify.h: Likewise
+	* modules/pam_unix/support.c: Likewise
+
+2015-04-27  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Update NEWS file.
+
+	Release version 1.2.0.
+	* NEWS: Update
+	* configure.ac: Bump version
+	* libpam/Makefile.am: Bump version of libpam
+	* libpam_misc/Makefile.am: Bump version of libpam_misc
+	* po/*: Regenerate po files
+
+	Fix some grammatical errors in documentation. Patch by Louis Sautier.
+	* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
+	* doc/man/pam.3.xml: Likewise.
+	* doc/man/pam_acct_mgmt.3.xml: Likewise.
+	* doc/man/pam_chauthtok.3.xml: Likewise.
+	* doc/man/pam_sm_chauthtok.3.xml: Likewise.
+	* modules/pam_limits/limits.conf.5.xml: Likewise.
+	* modules/pam_mail/pam_mail.8.xml: Likewise.
+	* modules/pam_rhosts/pam_rhosts.c: Likewise.
+	* modules/pam_shells/pam_shells.8.xml: Likewise.
+	* modules/pam_tally/pam_tally.8.xml: Likewise.
+	* modules/pam_tally2/pam_tally2.8.xml: Likewise.
+	* modules/pam_unix/pam_unix.8.xml: Likewise.
+
+2015-04-23  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Add "quiet" option to pam_unix to suppress informential info messages from session.
+	* modules/pam_unix/pam_unix.8.xml: Document new option.
+	* modules/pam_unix/support.h: Add quiet option.
+	* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
+	 'quiet' option is set.
+
+2015-04-07  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Use crypt_r if available in pam_userdb and in pam_unix.
+	* modules/pam_unix/passverify.c (create_password_hash): Call crypt_r()
+	instead of crypt() if available.
+	* modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r()
+	instead of crypt() if available.
+
+2015-03-25  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Support alternative "vendor configuration" files as fallback to /etc (Ticket#34, patch from ay Sievers <kay@vrfy.org>)
+	* doc/man/pam.8.xml: document additonal config directory
+	* libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory
+	* libpam/pam_private.h: adjust defines
+
+	pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)
+	* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
+	* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
+	* modules/pam_env/pam_env.8.xml: Enhance documentation
+
+2015-03-24  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Clarify pam_access docs re PAM service names and X $DISPLAY value testing. (Ticket #39)
+	* modules/pam_access/access.conf.5.xml
+	* modules/pam_access/pam_access.8.xml
+
+	Don't use sudo directory, the timestamp format is different (Ticket#32)
+	* modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
+
+	Enhance group.conf examples (Ticket#35)
+	* modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
+
+	Document timestampdir option (Ticket#33)
+	* modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
+
+	Adjust documentation (Ticket#36)
+	* libpam/pam_delay.c: Change 25% in comment to 50% as used in code.
+	* doc/man/pam_fail_delay.3.xml: Change 25% to 50%
+
+2015-02-18  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Updated translations from Transifex.
+	* po/*.po: Updated translations from Transifex.
+
+2015-01-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: raise gettext version requirement.
+	Raise gettext requirement to the latest oldstable version 0.18.3.
+	This fixes the following automake warning:
+
+	configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
+	configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
+	configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
+
+	* configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3.
+	* po/Makevars: Update from gettext-0.18.3.
+
+2015-01-07  Ronny Chevalier  <chevalier.ronny@gmail.com>
+
+	build: adjust automake warning flags.
+	Enable all automake warning flags except for the portability issues,
+	since non portable features are used among the makefiles.
+
+	* configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
+
+2015-01-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: rename configure.in to configure.ac.
+	This fixes the following automake warning:
+	aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
+
+	* configure.in: Rename to configure.ac.
+
+2015-01-07  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Remove unmodified GNU gettext files installed by autopoint.
+	These files are part of GNU gettext; we have not modified them, they are
+	installed by autopoint which is called by autoreconf, so they had to be
+	removed from this repository along with ABOUT-NLS, config.rpath, and
+	mkinstalldirs files that were removed by commit
+	Linux-PAM-1_1_5-7-g542ec8b.
+
+	* po/Makefile.in.in: Remove.
+	* po/Rules-quot: Likewise.
+	* po/boldquot.sed: Likewise.
+	* po/en@boldquot.header: Likewise.
+	* po/en@quot.header: Likewise.
+	* po/insert-header.sin: Likewise.
+	* po/quot.sed: Likewise.
+	* po/remove-potcdate.sin: Likewise.
+	* po/.gitignore: Ignore these files.
+
+2015-01-06  Ronny Chevalier  <chevalier.ronny@gmail.com>
+
+	Update .gitignore.
+	* .gitignore: Ignore *.log and *.trs files.
+
+2015-01-02  Luke Shumaker  <lukeshu@sbcglobal.net>
+
+	libpam: Only print "Password change aborted" when it's true.
+	pam_get_authtok() may be used any time that a password needs to be entered,
+	unlike pam_get_authtok_{no,}verify(), which may only be used when
+	changing a password; yet when the user aborts, it prints "Password change
+	aborted." whether or not that was the operation being performed.
+
+	This bug was non-obvious because none of the modules distributed with
+	Linux-PAM use it for anything but changing passwords; pam_unix has its
+	own utility function that it uses instead.  As an example, the
+	nss-pam-ldapd package uses it in pam_sm_authenticate().
+
+	libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the
+	password is trying to be changed before printing a message about the
+	password change being aborted.
+
+2014-12-10  Dmitry V. Levin  <ldv@altlinux.org>
+
+	build: extend cross compiling check to cover CPPFLAGS (ticket #21)
+	Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in
+	case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS,
+	and BUILD_LDFLAGS variables introduced earlier to override CC,
+	CFLAGS, and LDFLAGS, respectively.
+
+	* configure.in (BUILD_CPPFLAGS): Define.
+	* doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.
+
+2014-12-09  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Do not use yywrap (ticket #42)
+	Our scanners do not really use yywrap.  Explicitly disable yywrap
+	so that no references to yywrap will be generated and no LEXLIB
+	would be needed.
+
+	* conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove.
+	* conf/pam_conv1/pam_conv_l.l: Enable noyywrap option.
+	* doc/specs/Makefile.am (padout_LDADD): Remove.
+	* doc/specs/parse_l.l: Enable noyywrap option.
+
+2014-12-09  Kyle Manna  <kyle@kylemanna.com>
+
+	doc: fix a trivial typo in pam_authenticate return values (ticket #38)
+	* doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.
+
+2014-12-08  Ronny Chevalier  <chevalier.ronny@gmail.com>
+
+	doc: fix typo in pam_authenticate.3.xml.
+	* doc/man/pam_authenticate.3.xml: Fix typo.
+
+2014-10-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_succeed_if: Fix copy&paste error in rhost and tty values.
+	modules/pam_succeed_if/pam_succeed_if.c (evaluate): Use PAM_RHOST
+	and PAM_TTY properly for the rhost and tty values.
+
+2014-10-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_succeed_if: Use long long type for numeric values.
+	The currently used long with additional conversion to int is
+	too small for uids and gids.
+
+	modules/pam_succeed_if/pam_succeed_if.c (evaluate_num): Replace
+	strtol() with strtoll() and int with long long in the parameters
+	of comparison functions.
+
+2014-09-05  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add grantor field to audit records of libpam.
+	The grantor field gives audit trail of PAM modules which granted access
+	for successful return from libpam calls. In case of failed return
+	the grantor field is set to '?'.
+	libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
+	libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
+	libpam/pam_password.c (pam_chauthtok): Likewise.
+	libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
+	libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
+	add grantor= field to the message if grantors is set.
+	(_pam_list_grantors): New function creating the string with grantors list.
+	(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
+	to list the grantors from the handler list.
+	(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
+	(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
+	libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
+	(_pam_clear_grantors): New function to clear grantor field of handler.
+	(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
+	Call _pam_auditlog() when appropriate.
+	libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
+	or just "?" to avoid confusing audit trail.
+	(_pam_add_handler): Test for NULL return from extract_modulename().
+	Clear grantor field of handler.
+	libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
+	parameter to _pam_auditlog().
+
+2014-08-26  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_mkhomedir: Drop superfluous stat() call.
+	modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Drop superfluous
+	stat() call.
+
+	pam_exec: Do not depend on open() returning STDOUT_FILENO.
+	modules/pam_exec/pam_exec.c (call_exec): Move the descriptor to
+	STDOUT_FILENO if needed.
+
+2014-08-25  Robin Hack  <rhack@redhat.com>
+
+	pam_keyinit: Check return value of setregid.
+	modules/pam_keyinit/pam_keyinit.c (pam_sm_open_session): Log if setregid() fails.
+
+	pam_filter: Avoid leaking descriptors when fork() fails.
+	modules/pam_filter/pam_filter.c (set_filter): Close descriptors when fork() fails.
+
+2014-08-14  Robin Hack  <rhack@redhat.com>
+
+	pam_echo: Avoid leaking file descriptor.
+	modules/pam_echo/pam_echo.c (pam_echo): Close fd in error cases.
+
+2014-08-13  Robin Hack  <rhack@redhat.com>
+
+	pam_tty_audit: Silence Coverity reporting uninitialized use.
+	modules/pam_tty_audit/pam_tty_audit.c (nl_recv): Initialize also
+	msg_flags.
+
+2014-08-13  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_tally2: Avoid uninitialized use of fileinfo.
+	Problem found by Robin Hack <rhack@redhat.com>.
+	modules/pam_tally2/pam_tally2.c (get_tally): Do not depend on file size
+	just try to read it.
+
+	pam_access: Avoid uninitialized access of line.
+	* modules/pam_access/pam_access.c (login_access): Reorder condition
+	so line is not accessed when uninitialized.
+
+2014-08-05  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_lastlog: Properly clean up last_login structure before use.
+	modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login
+	structure before use.
+
+2014-07-21  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.
+	* modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields
+	in opasswd entry and return error.
+	* modules/pam_unix/passverify.c (save_old_password): Test for missing fields
+	in opasswd entry and skip it.
+
+2014-06-30  Dmitry V. Levin  <ldv@altlinux.org>
+
+	doc: add missing build dependencies for soelim stubs.
+	* doc/man/Makefile.am [ENABLE_REGENERATE_MAN]: Add dependencies for
+	pam_verror.3, pam_vinfo.3, pam_vprompt.3, and pam_vsyslog.3 soelim stubs.
+
+2014-06-23  Dmitry V. Levin  <ldv@altlinux.org>
+
+	doc: fix install in case of out of tree build (ticket #31)
+	* doc/adg/Makefile.am (install-data-local, releasedocs): Fall back
+	to srcdir if documentation files haven't been found in builddir.
+	(releasedocs): Treat missing documentation files as an error.
+	* doc/mwg/Makefile.am: Likewise.
+	* doc/sag/Makefile.am: Likewise.
+
+2014-06-19  Dmitry V. Levin  <ldv@altlinux.org>
+
+	doc: fix installation of adg-*.html and mwg-*.html files (ticket #31)
+	Fix a typo due to which sag-*.html files might be installed instead of
+	adg-*.html and mwg-*.html files.
+
+	* doc/adg/Makefile.am (install-data-local): Install adg-*.html instead
+	of sag-*.html.
+	* doc/mwg/Makefile.am (install-data-local): Install mwg-*.html instead
+	of sag-*.html.
+
+	Patch-by: Mike Frysinger <vapier@gentoo.org>
+
+2014-06-19  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_limits: nofile refers to file descriptors not files.
+	modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit.
+	modules/pam_limits/limits.conf: Likewise.
+
+	pam_limits: clarify documentation of maxlogins and maxsyslogins limits.
+	modules/pam_limits/limits.conf.5.xml: clarify documentation of
+	maxlogins and maxsyslogins limits.
+
+	pam_unix: Check for NULL return from Goodcrypt_md5().
+	modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for
+	NULL return from Goodcrypt_md5().
+
+	pam_unix: check for NULL return from malloc()
+	* modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
+
+2014-05-22  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_loginuid: Document one more possible case of PAM_IGNORE return.
+	modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case
+	of PAM_IGNORE return value.
+
+	pam_loginuid: Document other possible return values.
+	modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return
+	values.
+
+2014-03-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_timestamp: fix potential directory traversal issue (ticket #27)
+	pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+	the timestamp pathname it creates, so extra care should be taken to
+	avoid potential directory traversal issues.
+
+	* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+	"." and ".." tty values as invalid.
+	(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+	value containing '/', as invalid.
+
+	Fixes CVE-2014-2583.
+
+	Reported-by: Sebastian Krahmer <krahmer@suse.de>
+
+2014-03-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_userdb: document that .db suffix should not be used.
+	modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix
+	should not be used and correct the example.
+
+2014-03-11  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_selinux: canonicalize user name.
+	SELinux expects canonical user name for example without domain component.
+
+	* modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().
+
+2014-01-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Change tarball name back to "Linux-PAM"
+	As a side effect of commit Linux-PAM-1_1_8-11-g3fa23ce, tarball name
+	changed accidentally from "Linux-PAM" to "linux-pam".
+	This change brings it back to "Linux-PAM".
+
+	* configure.in (AC_INIT): Explicitly specify TARNAME argument.
+
+2014-01-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Introduce pam_modutil_sanitize_helper_fds.
+	This change introduces pam_modutil_sanitize_helper_fds - a new function
+	that redirects standard descriptors and closes all other descriptors.
+
+	pam_modutil_sanitize_helper_fds supports three types of input and output
+	redirection:
+	- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
+	- PAM_MODUTIL_PIPE_FD: redirect to a pipe.  For stdin, it is implemented
+	  by creating a pipe, closing its write end, and redirecting stdin to
+	  its read end.  Likewise, for stdout/stderr it is implemented by
+	  creating a pipe, closing its read end, and redirecting to its write
+	  end.  Unlike stdin redirection, stdout/stderr redirection to a pipe
+	  has a side effect that a process writing to such descriptor should be
+	  prepared to handle SIGPIPE appropriately.
+	- PAM_MODUTIL_NULL_FD: redirect to /dev/null.  For stdin, it is
+	  implemented via PAM_MODUTIL_PIPE_FD because there is no functional
+	  difference.  For stdout/stderr, it is classic redirection to
+	  /dev/null.
+
+	PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
+	security restrictions, but when the helper process might be writing to
+	the corresponding descriptor and termination of the helper process by
+	SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.
+
+	* libpam/pam_modutil_sanitize.c: New file.
+	* libpam/Makefile.am (libpam_la_SOURCES): Add it.
+	* libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
+	pam_modutil_sanitize_helper_fds): New declarations.
+	* libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
+	* modules/pam_exec/pam_exec.c (call_exec): Use
+	pam_modutil_sanitize_helper_fds.
+	* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
+	* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
+	* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
+	Likewise.
+	* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+	* modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
+	* modules/pam_unix/support.h (MAX_FD_NO): Remove.
+
+2014-01-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_xauth: avoid potential SIGPIPE when writing to xauth process.
+	Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
+
+	* modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
+	close the read end of input pipe after writing to its write end.
+
+2014-01-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_loginuid: log significant loginuid write errors.
+	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
+	during /proc/self/loginuid update that are not ignored.
+
+2014-01-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix gratuitous use of strdup and x_strdup.
+	There is no need to copy strings passed as arguments to execve,
+	the only potentially noticeable effect of using strdup/x_strdup
+	would be a malformed argument list in case of memory allocation error.
+
+	Also, x_strdup, being a thin wrapper around strdup, is of no benefit
+	when its argument is known to be non-NULL, and should not be used in
+	such cases.
+
+	* modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
+	instead of x_strdup, the latter is of no benefit in this case.
+	* modules/pam_ftp/pam_ftp.c (lookup): Likewise.
+	* modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
+	* modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
+	* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
+	x_strdup for strings passed as arguments to execve.
+	* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
+	* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
+	* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+	(_unix_verify_password): Use strdup instead of x_strdup, the latter
+	is of no benefit in this case.
+	* modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
+	strings passed as arguments to execv.
+
+2014-01-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_userdb: fix password hash comparison.
+	Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+	passwords support in pam_userdb, hashes are compared case-insensitively.
+	This bug leads to accepting hashes for completely different passwords in
+	addition to those that should be accepted.
+
+	Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+	modern password hashes with different lengths and settings, did not
+	update the hash comparison accordingly, which leads to accepting
+	computed hashes longer than stored hashes when the latter is a prefix
+	of the former.
+
+	* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+	hash whose length differs from the stored hash length.
+	Compare computed and stored hashes case-sensitively.
+	Fixes CVE-2013-7041.
+
+	Bug-Debian: http://bugs.debian.org/731368
+
+2014-01-24  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_xauth: log fatal errors preventing xauth process execution.
+	* modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe()
+	and fork() calls.
+
+2014-01-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_loginuid: cleanup loginuid buffer initialization.
+	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
+	buffer initialization closer to its first use.
+
+2014-01-22  Dmitry V. Levin  <ldv@altlinux.org>
+
+	libpam_misc: fix an inconsistency in handling memory allocation errors.
+	When misc_conv fails to allocate memory for pam_response array, it
+	returns PAM_CONV_ERR.  However, when read_string fails to allocate
+	memory for a response string, it loses the response string and silently
+	ignores the error, with net result as if EOF has been read.
+
+	* libpam_misc/misc_conv.c (read_string): Use strdup instead of x_strdup,
+	the latter is of no benefit in this case.
+	Do not ignore potential memory allocation errors returned by strdup,
+	forward them to misc_conv.
+
+2014-01-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_limits: fix utmp->ut_user handling.
+	ut_user member of struct utmp is a string that is not necessarily
+	null-terminated, so extra care should be taken when using it.
+
+	* modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to
+	a null-terminated string and consistently use it where a null-terminated
+	string is expected.
+
+2014-01-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_mkhomedir: check and create home directory for the same user (ticket #22)
+	Before pam_mkhomedir helper was introduced in commit
+	7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for
+	existance and creating the same directory - the home directory of the
+	user NAME returned by pam_get_item(PAM_USER).
+
+	The change in behaviour accidentally introduced along with
+	mkhomedir_helper is not consistent: while the module still checks for
+	getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is
+	getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily
+	the same as the directory being checked.
+
+	This change brings check and creation back in sync, both handling
+	getpwnam(NAME)->pw_dir.
+
+	* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace
+	"struct passwd *" argument with user's name and home directory.
+	Pass user's name to MKHOMEDIR_HELPER.
+	(pam_sm_open_session): Update create_homedir call.
+
+2014-01-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_limits: detect and ignore stale utmp entries.
+	Original idea by Christopher Hailey
+
+	* modules/pam_limits/pam_limits.c (check_logins): Use kill() to
+	detect if pid of the utmp entry is still running and ignore the entry
+	if it is not.
+
+2014-01-19  Stéphane Graber  <stgraber@ubuntu.com>
+
+	pam_loginuid: Always return PAM_IGNORE in userns.
+	The previous patch to support user namespaces works fine with containers
+	that are started from a desktop/terminal session but fails when dealing
+	with containers that were started from a remote session such as ssh.
+
+	I haven't looked at the exact reason for that in the kernel but on the
+	userspace side of things, the difference is that containers started from
+	an ssh session will happily let pam open /proc/self/loginuid read-write,
+	will let it read its content but will then fail with EPERM when trying
+	to write to it.
+
+	So to make the userns support bullet proof, this commit moves the userns
+	check earlier in the function (which means a small performance impact as
+	it'll now happen everytime on kernels that have userns support) and will
+	set rc = PAM_IGNORE instead of rc = PAM_ERROR.
+
+	The rest of the code is still executed in the event that PAM is run on a
+	future kernel where we have some kind of audit namespace that includes a
+	working loginuid.
+
+2014-01-15  Steve Langasek  <vorlon@debian.org>
+
+	pam_namespace: don't use bashisms in default namespace.init script.
+	* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+	namespace init script, so that scripts run with maximum privilege regardless
+	of the shell implementation.
+	* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+	shebang line
+
+	This is not a POSIX standard option, it's a bashism.  The bash manpage says
+	that it's used to prevent the effective user id from being reset to the real
+	user id on startup, and to ignore certain unsafe variables from the
+	environment.
+
+	In the case of pam_namespace, the -p is not necessary for environment
+	sanitizing because the PAM module (properly) sanitizes the environment
+	before execing the script.
+
+	The stated reason given in CVS history for passing -p is to "preserve euid
+	when called from setuid apps (su, newrole)."  This should be done more
+	portably, by calling setuid() before spawning the shell.
+
+	Bug-Debian: http://bugs.debian.org/624842
+	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+
+2014-01-10  Stéphane Graber  <stgraber@ubuntu.com>
+
+	pam_loginuid: Ignore failure in user namespaces.
+	When running pam_loginuid in a container using the user namespaces, even
+	uid 0 isn't allowed to set the loginuid property.
+
+	This change catches the EACCES from opening loginuid, checks if the user
+	is in the host namespace (by comparing the uid_map with the host's one)
+	and only if that's the case, sets rc to 1.
+
+	Should uid_map not exist or be unreadable for some reason, it'll be
+	assumed that the process is running on the host's namespace.
+
+	The initial reason behind this change was failure to ssh into an
+	unprivileged container (using a 3.13 kernel and current LXC) when using
+	a standard pam profile for sshd (which requires success from
+	pam_loginuid).
+
+	I believe this solution doesn't have any drawback and will allow people
+	to use unprivileged containers normally. An alternative would be to have
+	all distros set pam_loginuid as optional but that'd be bad for any of
+	the other potential failure case which people may care about.
+
+	There has also been some discussions to get some of the audit features
+	tied with the user namespaces but currently none of that has been merged
+	upstream and the currently proposed implementation doesn't cover
+	loginuid (nor is it clear how this should even work when loginuid is set
+	as immutable after initial write).
+
+2014-01-10  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist.
+	When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
+	PAM_SUCCESS, so that we can distinguish between "loginuid set
+	successfully" and "loginuid not set, but this is expected".
+
+	Suggested by Steve Langasek.
+
+	* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
+	code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
+	does not exist, PAM_SESSION_ERR in case of any other error.
+	(_pam_loginuid): Forward the PAM error code returned by set_loginuid.
+
+2013-11-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_access: fix debug level logging (ticket #19)
+	* modules/pam_access/pam_access.c (group_match): Log the group token
+	passed to the function, not an uninitialized data on the stack.
+
+	pam_warn: log flags passed to the module (ticket #25)
+	* modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
+	log it using pam_syslog.
+	(pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
+	pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
+	"flags" argument to log_items.
+
+2013-11-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Modernize AM_INIT_AUTOMAKE invocation.
+	Before this change, automake complained that two- and three-arguments
+	forms of AM_INIT_AUTOMAKE are deprecated.
+
+	* configure.in: Pass PACKAGE and VERSION arguments to AC_INIT instead
+	of AM_INIT_AUTOMAKE.
+
+2013-11-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix autoconf warnings.
+	Before this change, autoconf complained that AC_COMPILE_IFELSE
+	and AC_RUN_IFELSE was called before AC_USE_SYSTEM_EXTENSIONS.
+
+	* configure.in: Call AC_USE_SYSTEM_EXTENSIONS before LT_INIT.
+
+2013-11-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_securetty: check return value of fgets.
+	Checking return value of fgets not only silences the warning from glibc
+	but also leads to a cleaner code.
+
+	* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
+	Check return value of fgets.
+
+2013-11-20  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_lastlog: fix format string.
+	gcc -Wformat justly complains:
+	format '%d' expects argument of type 'int', but argument 5 has type 'time_t'
+
+	* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
+	string.
+
+2013-11-20  Darren Tucker  <dtucker@zip.com.au>
+
+	If the correct loginuid is set already, skip writing it.
+	modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
+	and skip writing if already correctly set.
+
+2013-11-11  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+		Always ask for old password if changing NIS account.
+		* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
+		for old password if NIS account.
+
+2013-11-08  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Allow DES as compatibility option for /etc/login.defs.
+	* modules/pam_unix/support.h: Add UNIX_DES
+
+2013-10-14  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Docfix: pam_prompt() and pam_vprompt() return int.
+	doc/man/pam_prompt.3.xml: pam_prompt() and pam_vprompt() return int.
+
+	Make pam_tty_audit work with old kernels not supporting log_passwd.
+	modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
+	if message is short from older kernel.
+
+2013-09-25  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix pam_tty_audit log_passwd support and regression.
+	modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
+	(pam_sm_open_session): Always copy the old status as initialization of new.
+
+2013-09-19  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Release version 1.1.8.
+
+2013-09-16  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Check return value of setuid to remove glibc warnings.
+	* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
+	* modules/pam_unix/support.c: Likewise.
+
+2013-09-13  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Write to *rounds only if non-NULL.
+	modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
+
+	Add missing ')'
+	modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
+
+2013-09-11  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Release version 1.1.7.
+
+2013-09-11  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Updated translations from Transifex.
+	po/*.po: Updated translations from Transifex.
+
+2013-09-04  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Extend pam_exec by stdout and type= options (ticket #8):
+	* modules/pam_exec/pam_exec.c: Add stdout and type= option
+	* modules/pam_exec/pam_exec.8.xml: Document new options
+
+2013-08-30  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Fix compile error.
+	* modules/pam_unix/pam_unix_acct.c: fix last change
+
+2013-08-29  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Restart waitpid if it returns with EINTR (ticket #17)
+	* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
+	* modules/pam_unix/pam_unix_passwd.c: Likewise.
+	* modules/pam_unix/support.c: Likewise.
+
+2013-08-28  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	misc_conv.3: Fix documentation of misc_conv.
+	doc/man/misc_conv.3.xml: Fix return value of misc_conv
+
+2013-08-23  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Apply the exclusive check in pam_sepermit only when loginuid not set.
+	* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
+	/proc
+	(sepermit_match): Apply the exclusive check only when loginuid not set.
+
+2013-08-22  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Updated translations from Transifex.
+	* po/*.po: Updated translations from Transifex.
+
+2013-07-01  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_rootok: fix linking in --enable-audit mode.
+	pam_rootok.c explicitly uses functions from libaudit, so the module has
+	to be linked with the library.
+
+	* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
+
+2013-07-01  Richard Guy Briggs  <rgb@redhat.com>
+
+	pam_tty_audit: fix a typo that crept in during patch review.
+	* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
+	all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
+	HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
+	* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.
+
+2013-06-21  Richard Guy Briggs  <rgb@redhat.com>
+
+	pam_tty_audit: add an option to control logging of passwords: log_passwd
+	Most commands are entered one line at a time and processed as complete lines
+	in non-canonical mode.  Commands that interactively require a password, enter
+	canonical mode with echo set to off to do this.  This feature (icanon and
+	!echo) can be used to avoid logging passwords by audit while still logging the
+	rest of the command.  Adding a member to the struct audit_tty_status passed in
+	by pam_tty_audit allows control of logging passwords per task.
+
+	* configure.in: autoconf bits to conditionally add support at compile time
+	depending on struct audit_tty_status kernel header version.
+	* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
+	log_passwd option.
+	* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
+	"log_passwd" option parsing.
+
+2013-06-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Man page fix - unix_update runs in the permissive mode as well.
+	modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
+	permissive mode as well.
+
+2013-06-18  Thorsten Kukuk  <kukuk@orinoco.thkukuk.de>
+
+	Use hash from /etc/login.defs as default if no other one is specified as argument.
+	* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
+	* modules/pam_unix/support.h: Add define for /etc/login.defs
+	* modules/pam_unix/pam_unix.8.xml: Document new behavior.
+	* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
+
+2013-04-12  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_access: better not change the default function used to get domain name.
+	modules/pam_access/pam_access.c (netgroup_match): As we did not use
+	yp_get_default_domain() in the 1.1 branch due to typo in ifdef
+	we should use it only as fallback.
+
+2013-03-28  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Fix strict aliasing issue in MD5 implementations.
+	modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
+	modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
+
+2013-03-22  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_lastlog: Do not fail on short read if btmp is corrupted.
+	modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
+	on short read or read error.
+
+	pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux
+	modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
+	(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
+
+2013-02-08  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add checks for crypt() returning NULL.
+	modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
+	modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
+
+2013-02-07  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_userdb: Allow also modern password hashes supported by crypt().
+	modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
+	longer than 13 characters and long salt.
+
+2013-01-18  Walter de Jong  <walter.dejong@surfsara.nl>
+
+	pam_access: fix typo in ifdef.
+	modules/pam_access/pam_access.c (netgroup_match): Fix typo
+	in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.
+
+2012-12-20  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_cracklib: Mention checks that are not run for root.
+	modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
+	when run as root.
+
+	Update also the POT file.
+	po/Linux-PAM.pot: Update to reflect current sources.
+
+2012-12-12  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Updated translations from Transifex, added new languages.
+	po/LINGUAS: Added new languages.
+	po/*.po: Updated translations from Transifex including new languages.
+
+2012-11-30  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_selinux: Drop obsolete and unsupported manual context selection.
+	modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
+	(compute_exec_context): Drop manual_context() call.
+
+2012-11-23  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_limits: fix grammatical mistake.
+	modules/pam_limits/limits.conf: Fix grammatical mistake.
+
+2012-11-13  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Reflect the enforce_for_root semantics change in pam_pwhistory xtest.
+	xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is
+	running with real uid == 0.
+
+2012-10-10  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: fix build in --enable-selinux mode.
+	glibc's <sys/wait.h> starting with commit
+	http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
+	does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
+	when pam is being built with SELinux support enabled, pam_unix_passwd.c
+	uses getrlimit(2) and therefore should include <sys/resource.h> without
+	relying on other headers.
+
+	* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
+
+	Reported-by: Guido Trentalancia <guido@trentalancia.com>
+	Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
+	Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+
+2012-10-10  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_namespace: add mntopts flag for tmpfs mount options.
+	modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
+	structure.
+	modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
+	(parse_method): Parse the mntopts flag.
+	(ns_setup): Pass the mount_opts to mount().
+	modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
+
+2012-09-06  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_selinux, pam_tally2: Add tty and rhost to audit data.
+	modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
+	rhost from PAM items and pass them to audit.
+	modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
+	rhost from PAM items and pass them to audit.
+	(main): Obtain tty name of stdin and pass it to audit.
+
+	Update configure.in to use more recent interfaces.
+	configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
+	of AC_HELP_STRING.
+
+2012-08-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add missing $(DESTDIR) when making directories on install.
+	modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
+	$(namespaceddir) on install.
+	modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
+	$(sepermitlockdir) on install.
+
+2012-08-17  Thorsten Kukuk  <kukuk@orinoco.thkukuk.de>
+
+	release version 1.1.6.
+	configure.in: Bump version to 1.1.6
+	NEWS: Document changes
+	po/*.po: Regenerate *.po files
+
+2012-08-16  Thorsten Kukuk  <kukuk@thkukuk.de>
+
+	Small documentation and define fixes.
+	modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
+	modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
+	modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
+	modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
+
+2012-08-13  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Respect PAM_AUTHTOK_TYPE in pam_get_authtok_verify().
+	libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the PAM_AUTHTOK_TYPE
+	item when obtained from module options.
+	(pam_get_authtok_verify): Use the PAM_AUTHTOK_TYPE item when prompting.
+
+2012-08-09  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Document limits.d also in the limits.conf manpage.
+	modules/pam_limits/limits.conf.5.xml: Document the limits.d existence.
+
+2012-07-23  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	New autotools do not create empty directories on install.
+	modules/pam_namespace/Makefile.am: Add install-data-local target to create
+	namespaceddir.
+	modules/pam_sepermit/Makefile.am: Add install-data-local target to create
+	sepermitlockdir.
+
+2012-07-09  Stevan Bajić  <stevan@bajic.ch>
+
+	RLIMIT_* variables are no longer defined unless you explicitly include sys/resource.h.
+
+	modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.
+
+2012-06-27  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_umask: correct the documentation of GECOS field parsing.
+	modules/pam_umask/pam_umask.8.xml: Correct the documentation of GECOS field
+	parsing.
+
+2012-06-22  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_cracklib: Add monotonic character sequence checking.
+	modules/pam_cracklib/pam_cracklib.c (_pam_parse): Parse the maxsequence option.
+	(sequence): New function to check for too long monotonic sequence of characters.
+	(password_check): Call the sequence().
+	modules/pam_cracklib/pam_cracklib.8.xml: Document the maxsequence check.
+
+2012-06-01  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_timestamp: Fix copy&paste error in manpage.
+	modules/pam_timestamp/pam_timestamp.8.xml: Fix AUTHOR section.
+
+2012-05-28  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Pulled new translations from Transifex.
+	po/*.po: Updated translations.
+
+	pam_pwhistory: Always record the old password even when root changes it.
+	modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Use the UID of
+	the process instead of the target user UID (same as in pam_cracklib) to
+	check for root. Always record old password.
+
+2012-05-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_cracklib: Add enforce_for_root option.
+	modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the enforce_for_root option.
+	(pam_sm_chauthtok): Enforce errors for root with the option.
+	modules/pam_cracklib/pam_cracklib.8.xml: Document the enforce_for_root option.
+
+2012-04-30  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.
+	modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
+	(simple): Add the check for the same class repetition.
+	(usercheck): Refactor into wordcheck().
+	(gecoscheck): New test for words from the GECOS field.
+	(password_check): Call the gecoscheck().
+	(pam_sm_chauthtok): Drop the diff_ignore from options struct.
+	modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
+
+	pam_lastlog: Never lock out the root account.
+	modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if
+	uid==0.
+	modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation.
+
+2012-04-17  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	pam_lastlog: add possibility to lock out inactive users in auth or account
+	* modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and
+	option.
+	* modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out.
+	(_pam_session_parse): Renamed from _pam_parse.
+	(_pam_auth_parse): New function to parse auth arguments.
+	(_last_login_open): Factor out opening of the lastlog file.
+	(_last_login_read): Factor out opening of the lastlog file.
+	(pam_sm_authenticate): Implement the lockout functionality.
+	(pam_sm_setcred): Just return PAM_SUCCESS.
+	(pam_sm_acct_mgmt): Call pam_sm_authenticate().
+
+2012-04-11  Paul Wouters  <pwouters@redhat.com>
+
+	Check for crypt() failure returning NULL.
+	* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
+	* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
+	returning NULL.
+
+2012-02-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_unix: make configuration consistent in --enable-static-modules mode.
+	In --enable-static-modules mode, it was not possible to use "pam_unix"
+	in PAM config files.  Instead, different names had to be used for each
+	management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
+	pam_unix_session.  This change makes pam_unix configuration consistent
+	with other PAM modules.
+
+	* README: Remove the paragraph describing pam_unix distinctions in
+	--enable-static-modules mode.
+	* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
+	_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
+	_pam_unix_session_modstruct): Remove.
+	(_pam_unix_modstruct): New pam_module declaration.
+	* modules/pam_unix/pam_unix_static.h: New file.
+	* modules/pam_unix/pam_unix_static.c: Likewise.
+	* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
+	(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
+	* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
+	pam_unix_static.h
+	[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
+	* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
+	pam_unix_static.h
+	[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
+	* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
+	pam_unix_static.h
+	[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
+	* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
+	pam_unix_static.h
+	[PAM_STATIC] (_pam_unix_session_modstruct): Remove.
+
+	Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
+
+2012-01-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Make --disable-cracklib compatible with --enable-static-modules mode.
+	* configure.in: Define HAVE_LIBCRACK when cracklib is enabled.
+	* libpam/pam_static_modules.h (static_modules): Guard the use of
+	_pam_cracklib_modstruct by HAVE_LIBCRACK macro.
+
+2012-02-10  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add missing includes for types used in the pam_modutil.h.
+	* libpam/include/security/pam_modutil.h: Add missing includes for used types.
+
+2012-01-27  Matveychikov Ilya  <i.matveychikov@securitycode.ru>
+
+	Fix compile time errors in --enable-static-modules mode.
+	* libpam/pam_static_modules.h (_pam_rhosts_auth_modstruct): Remove
+	obsolete declaration.
+	(static_modules): Remove undefined reference to
+	_pam_rhosts_auth_modstruct.
+	* modules/pam_pwhistory/opasswd.h: Rename {save,check}_old_password to
+	{save,check}_old_pass in order to avoid conflicts with pam_unix.
+	* modules/pam_pwhistory/opasswd.c: Likewise.
+	* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
+	* modules/pam_tally2/pam_tally2.c: Rename _pam_tally_modstruct to
+	_pam_tally2_modstruct.
+
+2012-01-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix SUBDIRS for --enable-static-modules mode.
+	There is no way to build "modules" subdirectory before "libpam" anyway.
+	In STATIC_MODULES mode, "libpam" subdirectory must be built twice to
+	produce a usable libpam.a without undefined references to multiple
+	_pam_*_modstruct symbols.
+
+	* Makefile.am: Use default SUBDIRS in STATIC_MODULES mode.
+
+2012-01-26  Matveychikov Ilya  <i.matveychikov@securitycode.ru>
+
+	configure: fix typo in --disable-nis help string.
+	* configure.in: Change '-disable-nis' to '--disable-nis'.
+
+2012-01-26  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Do not unmount anything by default in pam_namespace close session call.
+	* modules/pam_namespace/pam_namespace.c (pam_sm_close_session): Recognize
+	the unmount_on_close option and make the default to be to not unmount.
+	* modules/pam_namespace/pam_namespace.h: Rename PAMNS_NO_UNMOUNT_ON_CLOSE to
+	PAMNS_UNMOUNT_ON_CLOSE.
+	* modules/pam_namespace/pam_namespace.8.xml: Document the change.
+
+2012-01-24  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Make / mount as rslave instead of bind mounting polydirs.
+	* modules/pam_namespace/pam_namespace.c (protect_dir): Drop the always argument.
+	(check_inst_parent): Drop the always argument from protect_dir().
+	(create_polydir): Likewise.
+	(ns_setup): Likewise and do not mark the polydir with MS_PRIVATE.
+	(setup_namespace): Mark the / with MS_SLAVE|MS_REC.
+	* modules/pam_namespace/pam_namespace.8.xml: Reflect the change in docs.
+
+2012-01-13  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Add possibility to match ruser, rhost, and tty in pam_succeed_if.
+	* modules/pam_succeed_if/pam_succeed_if.c (evaluate): Match ruser,
+	rhost, and tty as left operand.
+	* modules/pam_succeed_if/pam_succeed_if.8.xml: Document the new
+	possible left operands.
+
+2012-01-03  Tomas Mraz  <tmraz@fedoraproject.org>
+
+	Merge branch 'master' of ssh://git.fedorahosted.org/git/linux-pam.
+
+	Fix matching of usernames in the pam_unix remember feature.
+	* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
+	sure we match only the whole username in opasswd entry.
+	* modules/pam_unix/passverify.c (save_old_password): Likewise make
+	sure we match only the whole username in opasswd entry.
+
+2011-12-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_start: fix memory leak on error path.
+	* libpam/pam_start.c (pam_start): If _pam_make_env() or
+	_pam_init_handlers() returned an error, release the memory allocated
+	for pam_conv structure.
+
+	Patch-by: cancel <suntsu@yandex.ru>.
+
+2011-11-03  Dmitry V. Levin  <ldv@altlinux.org>
+
+	pam_selinux.8.xml: update.
+	* modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis):
+	Reorder options, add new "restore" option.
+	pam_selinux-description): Rewrite.
+	(pam_selinux-options): Reorder options, describe new "restore" option.
+	(pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR
+	and PAM_BUF_ERR.
+	(pam_selinux-see_also): Remove pam.conf(5).  Add execve(2), tty(4)
+	and selinux(8).
+
+	pam_selinux.c: add "restore" option.
+	* modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new
+	"restore" option.
+
+	pam_selinux.c: rewrite using pam_get_data/pam_set_data.
+	* modules/pam_selinux/pam_selinux.c (security_restorelabel_tty,
+	security_label_tty): Remove old functions.
+	(module_data_t): New structure.
+	(free_module_data, cleanup, get_module_data, get_item,
+	set_exec_context, set_file_context, compute_exec_context,
+	compute_tty_context, restore_context, set_context,
+	create_context): New functions.
+	(pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session,
+	pam_sm_close_session): Use them.
+
+2011-10-28  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc.
+	GNU automake documentation recommends to avoid using -l options in
+	LDADD or LIBADD when referring to libraries built by the package.
+	Instead, it recommends to write the file name of the library explicitly,
+	and use -l option only to list third-party libraries.  As result, the
+	default value of *_DEPENDENCIES will list all local libraries and omit
+	the other ones.
+	* modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace
+	"-L$(top_builddir)/libpam -lpam" with
+	"$(top_builddir)/libpam/libpam.la", to follow GNU automake
+	recommendations.
+	* modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise.
+	* modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise.
+	* modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise.
+	* modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise.
+	* modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise.
+	* modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise.
+	* modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise.
+	* modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise.
+	* modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise.
+	* modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise.
+	* modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise.
+	* modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise.
+	* modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise.
+	* modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise.
+	* modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise.
+	* modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise.
+	* modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise.
+	* modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise.
+	* modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise.
+	* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD,
+	mkhomedir_helper_LDADD): Likewise.
+	* modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise.
+	* modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise.
+	* modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise.
+	* modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise.
+	* modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise.
+	* modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise.
+	* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise.
+	* modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise.
+	* modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise.
+	* modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise.
+	* modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise.
+	* modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD):
+	Likewise.
+	* modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise.
+	* modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD,
+	pam_tally2_LDADD): Likewise.
+	* modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise.
+	* modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD,
+	pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise.
+	* modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise.
+	* modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise.
+	* modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise.
+	* modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise.
+	* modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise.
+	* modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise.
+	* modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise.
+	* tests/Makefile.am (LDADD): Likewise.
+	* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam"
+	with "$(top_builddir)/libpam/libpam.la", and
+	"-L$(top_builddir)/libpam_misc -lpam_misc" with
+	"$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake
+	recommendations.
+	* xtests/Makefile.am (LDADD): Likewise.
+	* modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise.
+
+	Fix usage of LIBADD, LDADD and LDFLAGS.
+	* modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to
+	pam_selinux_check_LDADD.
+	* modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from
+	AM_LDFLAGS.
+	* modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from
+	AM_LDFLAGS.
+	* modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from
+	AM_LDFLAGS.
+	* modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from
+	AM_LDFLAGS.
+	* xtests/Makefile.am: Rename AM_LDFLAGS to LDADD.
+
+2011-10-27  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Update .gitignore files.
+	* .gitignore: Add common ignore patterns.
+	* m4/.gitignore: Unignore local m4 files.
+	* dynamic/.gitignore: Unignore Makefile.
+	* libpamc/test/modules/.gitignore: Likewise.
+	* libpamc/test/regress/.gitignore: Likewise.
+	* po/.gitignore: Add Makevars.template.
+	* conf/.gitignore: Remove common ignore patterns.
+	* conf/pam_conv1/.gitignore: Likewise.
+	* doc/.gitignore: Likewise.
+	* doc/specs/.gitignore: Likewise.
+	* doc/specs/formatter/.gitignore: Likewise.
+	* examples/.gitignore: Likewise.
+	* modules/pam_filter/upperLOWER/.gitignore: Likewise.
+	* modules/pam_mkhomedir/.gitignore: Likewise.
+	* modules/pam_selinux/.gitignore: Likewise.
+	* modules/pam_stress/.gitignore: Likewise.
+	* modules/pam_tally/.gitignore: Likewise.
+	* modules/pam_tally2/.gitignore: Likewise.
+	* modules/pam_timestamp/.gitignore: Likewise.
+	* modules/pam_unix/.gitignore: Likewise.
+	* tests/.gitignore: Likewise.
+	* xtests/.gitignore: Likewise.
+	* doc/adg/.gitignore: Remove.
+	* doc/man/.gitignore: Remove.
+	* doc/mwg/.gitignore: Remove.
+	* doc/sag/.gitignore: Remove.
+	* libpamc/.gitignore: Remove.
+	* libpamc/test/.gitignore: Remove.
+	* libpam/.gitignore: Remove.
+	* libpam_misc/.gitignore: Remove.
+	* modules/.gitignore: Remove.
+	* modules/pam_access/.gitignore: Remove.
+	* modules/pam_cracklib/.gitignore: Remove.
+	* modules/pam_debug/.gitignore: Remove.
+	* modules/pam_deny/.gitignore: Remove.
+	* modules/pam_echo/.gitignore: Remove.
+	* modules/pam_env/.gitignore: Remove.
+	* modules/pam_exec/.gitignore: Remove.
+	* modules/pam_faildelay/.gitignore: Remove.
+	* modules/pam_filter/.gitignore: Remove.
+	* modules/pam_ftp/.gitignore: Remove.
+	* modules/pam_group/.gitignore: Remove.
+	* modules/pam_issue/.gitignore: Remove.
+	* modules/pam_keyinit/.gitignore: Remove.
+	* modules/pam_lastlog/.gitignore: Remove.
+	* modules/pam_limits/.gitignore: Remove.
+	* modules/pam_listfile/.gitignore: Remove.
+	* modules/pam_localuser/.gitignore: Remove.
+	* modules/pam_loginuid/.gitignore: Remove.
+	* modules/pam_mail/.gitignore: Remove.
+	* modules/pam_motd/.gitignore: Remove.
+	* modules/pam_namespace/.gitignore: Remove.
+	* modules/pam_nologin/.gitignore: Remove.
+	* modules/pam_permit/.gitignore: Remove.
+	* modules/pam_pwhistory/.gitignore: Remove.
+	* modules/pam_rhosts/.gitignore: Remove.
+	* modules/pam_rootok/.gitignore: Remove.
+	* modules/pam_securetty/.gitignore: Remove.
+	* modules/pam_sepermit/.gitignore: Remove.
+	* modules/pam_shells/.gitignore: Remove.
+	* modules/pam_succeed_if/.gitignore: Remove.
+	* modules/pam_time/.gitignore: Remove.
+	* modules/pam_tty_audit/.gitignore: Remove.
+	* modules/pam_umask/.gitignore: Remove.
+	* modules/pam_userdb/.gitignore: Remove.
+	* modules/pam_warn/.gitignore: Remove.
+	* modules/pam_wheel/.gitignore: Remove.
+	* modules/pam_xauth/.gitignore: Remove.
+
+	Move generated auxiliary files to build-aux directory.
+	* configure.in: Add AC_CONFIG_AUX_DIR([build-aux]).
+
+	Remove generated files.
+	* ABOUT-NLS: Remove.
+	* INSTALL: Remove.
+	* config.rpath: Remove.
+	* install-sh: Remove.
+	* mkinstalldirs: Remove.
+	* Makefile.am (EXTRA_DIST): Remove config.rpath and mkinstalldirs.
+	* .gitignore: Add ABOUT-NLS and INSTALL.
+
+	Create release tarballs using safe ownership and permissions.
+	* Makefile.am: Define and export TAR_OPTIONS.
+
+	Generate ChangeLog from git log.
+	* .gitignore: Add ChangeLog
+	* ChangeLog: Rename to ChangeLog-CVS.
+	* Makefile.am (gen-changelog): New rule.
+	(dist-hook, .PHONY): Depend on it.
+	(EXTRA_DIST): Add ChangeLog-CVS.
+	* README-hacking: New file.
+	* gitlog-to-changelog: Import from gnulib.
+	* autogen.sh: Create empty ChangeLog file to make automake strictness
+	check happy.  Use automated "autoreconf -fiv" instead of manual
+	invocations of various autotools.
+
+	Fix "make distcheck"
+	There is no use to distribute m4 files manually, because automake does
+	the right thing, while manual distribution is not only redundant but
+	also very fragile.
+	* Makefile.am (M4_FILES): Remove.
+	(EXTRA_DIST): Remove M4_FILES.
+
+	Remove modules/pam_timestamp/hmacfile from distribution.
+	* modules/pam_timestamp/Makefile.am (dist_TESTS): Add tst-pam_timestamp.
+	(nodist_TESTS): Add hmacfile.
+	(EXTRA_DIST): Replace TESTS with dist_TESTS.
+
+	Rename all .cvsignore files to .gitignore.
+
+2011-10-26  Dmitry V. Levin  <ldv@altlinux.org>
+
+	Fix whitespace issues.
+	Cleanup trailing whitespaces, indentation that uses spaces before tabs,
+	and blank lines at EOF.  Make the project free of warnings reported by
+	git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD
+
+
+See ChangeLog-CVS for earlier changes.