diff --git a/SOURCES/pam-1.1.1-console-errmsg.patch b/SOURCES/pam-1.1.1-console-errmsg.patch
new file mode 100644
index 0000000..f2fe846
--- /dev/null
+++ b/SOURCES/pam-1.1.1-console-errmsg.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
+--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
+@@ -65,7 +65,7 @@ parse_files(void)
+ on system locale */
+ oldlocale = setlocale(LC_COLLATE, "C");
+
+- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
++ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
+ setlocale(LC_COLLATE, oldlocale);
+ if (rc)
+ return;
diff --git a/SOURCES/pam-1.1.6-full-relro.patch b/SOURCES/pam-1.1.6-full-relro.patch
deleted file mode 100644
index 30cb79b..0000000
--- a/SOURCES/pam-1.1.6-full-relro.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
---- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
-+++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
-@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
- pam_timestamp_check_SOURCES = pam_timestamp_check.c
- pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
- pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
--pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
-+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
-
- hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
- hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
-diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
---- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
-+++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
-@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
- unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
- passverify.c
- unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
--unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
-+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
-
- unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
- passverify.c
- unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
--unix_update_LDFLAGS = @PIE_LDFLAGS@
-+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
- unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
-
- if ENABLE_REGENERATE_MAN
diff --git a/SOURCES/pam-1.1.8-audit-grantor.patch b/SOURCES/pam-1.1.8-audit-grantor.patch
new file mode 100644
index 0000000..451634b
--- /dev/null
+++ b/SOURCES/pam-1.1.8-audit-grantor.patch
@@ -0,0 +1,435 @@
+From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 5 Sep 2014 09:09:37 +0200
+Subject: [PATCH] Add grantor field to audit records of libpam.
+
+The grantor field gives audit trail of PAM modules which granted access
+for successful return from libpam calls. In case of failed return
+the grantor field is set to '?'.
+libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
+libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
+libpam/pam_password.c (pam_chauthtok): Likewise.
+libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
+libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
+add grantor= field to the message if grantors is set.
+(_pam_list_grantors): New function creating the string with grantors list.
+(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
+to list the grantors from the handler list.
+(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
+(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
+libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
+(_pam_clear_grantors): New function to clear grantor field of handler.
+(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
+Call _pam_auditlog() when appropriate.
+libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
+or just "?" to avoid confusing audit trail.
+(_pam_add_handler): Test for NULL return from extract_modulename().
+Clear grantor field of handler.
+libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
+parameter to _pam_auditlog().
+---
+ libpam/pam_account.c | 4 ---
+ libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++--------
+ libpam/pam_auth.c | 8 -----
+ libpam/pam_dispatch.c | 41 ++++++++++++++++++++-----
+ libpam/pam_handlers.c | 14 +++++++--
+ libpam/pam_password.c | 4 ---
+ libpam/pam_private.h | 3 +-
+ libpam/pam_session.c | 7 -----
+ 8 files changed, 119 insertions(+), 46 deletions(-)
+
+diff --git a/libpam/pam_account.c b/libpam/pam_account.c
+index 572acc4..3a4fb1f 100644
+--- a/libpam/pam_account.c
++++ b/libpam/pam_account.c
+@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags)
+
+ retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
+
+-#ifdef HAVE_LIBAUDIT
+- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
+-#endif
+-
+ return retval;
+ }
+diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
+index 531746a..24fb799 100644
+--- a/libpam/pam_audit.c
++++ b/libpam/pam_audit.c
+@@ -6,12 +6,12 @@
+ Authors:
+ Steve Grubb <sgrubb@redhat.com> */
+
+-#include <stdio.h>
+-#include <syslog.h>
+ #include "pam_private.h"
+ #include "pam_modutil_private.h"
+
+ #ifdef HAVE_LIBAUDIT
++#include <stdio.h>
++#include <syslog.h>
+ #include <libaudit.h>
+ #include <pwd.h>
+ #include <netdb.h>
+@@ -25,17 +25,24 @@
+
+ static int
+ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
+- const char *message, int retval)
++ const char *message, const char *grantors, int retval)
+ {
+ static int old_errno = -1;
+- int rc;
+- char buf[32];
++ int rc = -ENOMEM;
++ char *buf;
++ const char *grantors_field = " grantors=";
+
+- snprintf(buf, sizeof(buf), "PAM:%s", message);
++ if (grantors == NULL) {
++ grantors = "";
++ grantors_field = "";
++ }
+
+- rc = audit_log_acct_message (audit_fd, type, NULL, buf,
+- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
+- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
++ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
++ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
++ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
++ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
++ free(buf);
++ }
+
+ /* libaudit sets errno to his own negative error code. This can be
+ an official errno number, but must not. It can also be a audit
+@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh)
+ return audit_fd;
+ }
+
++static int
++_pam_list_grantors(struct handler *hlist, int retval, char **list)
++{
++ *list = NULL;
++
++ if (retval == PAM_SUCCESS) {
++ struct handler *h;
++ char *p = NULL;
++ size_t len = 0;
++
++ for (h = hlist; h != NULL; h = h->next) {
++ if (h->grantor) {
++ len += strlen(h->mod_name) + 1;
++ }
++ }
++
++ if (len == 0) {
++ return 0;
++ }
++
++ *list = malloc(len);
++ if (*list == NULL) {
++ return -1;
++ }
++
++ for (h = hlist; h != NULL; h = h->next) {
++ if (h->grantor) {
++ if (p == NULL) {
++ p = *list;
++ } else {
++ p = stpcpy(p, ",");
++ }
++
++ p = stpcpy(p, h->mod_name);
++ }
++ }
++ }
++
++ return 0;
++}
++
+ int
+-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
++_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
+ {
+ const char *message;
+ int type;
+ int audit_fd;
++ char *grantors;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+ return PAM_SYSTEM_ERR;
+@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+ retval = PAM_SYSTEM_ERR;
+ }
+
+- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
++ if (_pam_list_grantors(h, retval, &grantors) < 0) {
++ /* allocation failure */
++ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
+ retval = PAM_SYSTEM_ERR;
++ }
++
++ if (_pam_audit_writelog(pamh, audit_fd, type, message,
++ grantors ? grantors : "?", retval) < 0)
++ retval = PAM_SYSTEM_ERR;
++
++ free(grantors);
+
+ audit_close(audit_fd);
+ return retval;
+@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
+ * stacks having been run. Assume that this is sshd faking
+ * things for an unknown user.
+ */
+- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
++ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
+ }
+
+ return 0;
+@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type,
+ return retval;
+ }
+
+- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
++ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
+
+ audit_close(audit_fd);
+
+diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
+index 5984fa5..1e7bc6e 100644
+--- a/libpam/pam_auth.c
++++ b/libpam/pam_auth.c
+@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags)
+ prelude_send_alert(pamh, retval);
+ #endif
+
+-#ifdef HAVE_LIBAUDIT
+- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
+-#endif
+-
+ return retval;
+ }
+
+@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags)
+
+ retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
+
+-#ifdef HAVE_LIBAUDIT
+- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
+-#endif
+-
+ D(("pam_setcred exit"));
+
+ return retval;
+diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
+index eb52c82..cf632e8 100644
+--- a/libpam/pam_dispatch.c
++++ b/libpam/pam_dispatch.c
+@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
+ status = retval;
+ }
+ }
+- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
+- goto decision_made;
++ if ( impression == _PAM_POSITIVE ) {
++ if ( retval == PAM_SUCCESS ) {
++ h->grantor = 1;
++ }
++
++ if ( action == _PAM_ACTION_DONE ) {
++ goto decision_made;
++ }
+ }
+ break;
+
+@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
+ || (impression == _PAM_POSITIVE
+ && status == PAM_SUCCESS) ) {
+ if ( retval != PAM_IGNORE || cached_retval == retval ) {
++ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
++ h->grantor = 1;
++ }
+ impression = _PAM_POSITIVE;
+ status = retval;
+ }
+@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */
+ return status;
+ }
+
++static void _pam_clear_grantors(struct handler *h)
++{
++ for (; h != NULL; h = h->next) {
++ h->grantor = 0;
++ }
++}
++
+ /*
+ * This function translates the module dispatch request into a pointer
+ * to the stack of modules that will actually be run. the
+@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */
+ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ {
+ struct handler *h = NULL;
+- int retval, use_cached_chain;
++ int retval = PAM_SYSTEM_ERR, use_cached_chain;
+ _pam_boolean resumed;
+
+ IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR);
+
+ if (__PAM_FROM_MODULE(pamh)) {
+ D(("called from a module!?"));
+- return PAM_SYSTEM_ERR;
++ goto end;
+ }
+
+ /* Load all modules, resolve all symbols */
+
+ if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "unable to dispatch function");
+- return retval;
++ goto end;
+ }
+
+ use_cached_chain = _PAM_PLEASE_FREEZE;
+@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ break;
+ default:
+ pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
+- return PAM_ABORT;
++ retval = PAM_ABORT;
++ goto end;
+ }
+
+ if (h == NULL) { /* there was no handlers.conf... entry; will use
+@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ pam_syslog(pamh, LOG_ERR,
+ "application failed to re-exec stack [%d:%d]",
+ pamh->former.choice, choice);
+- return PAM_ABORT;
++ retval = PAM_ABORT;
++ goto end;
+ }
+ resumed = PAM_TRUE;
+ } else {
+ resumed = PAM_FALSE;
++ _pam_clear_grantors(h);
+ }
+
+ __PAM_TO_MODULE(pamh);
+@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ pamh->former.choice = PAM_NOT_STACKED;
+ }
+
++end:
++
++#ifdef HAVE_LIBAUDIT
++ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) {
++ retval = _pam_auditlog(pamh, choice, retval, flags, h);
++ }
++#endif
++
+ return retval;
+ }
+diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
+index 02714f7..df3a1d9 100644
+--- a/libpam/pam_handlers.c
++++ b/libpam/pam_handlers.c
+@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path)
+ if (dot)
+ *dot = '\0';
+
++ if (*retval == '\0' || strcmp(retval, "?") == 0) {
++ /* do not allow empty module name or "?" to avoid confusing audit trail */
++ _pam_drop(retval);
++ return NULL;
++ }
++
+ return retval;
+ }
+
+@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh
+ (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
+ (*handler_p)->argc = argc;
+ (*handler_p)->argv = argv; /* not a copy */
+- (*handler_p)->mod_name = extract_modulename(mod_path);
++ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL)
++ return PAM_ABORT;
++ (*handler_p)->grantor = 0;
+ (*handler_p)->next = NULL;
+
+ /* some of the modules have a second calling function */
+@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh
+ } else {
+ (*handler_p2)->argv = NULL; /* no arguments */
+ }
+- (*handler_p2)->mod_name = extract_modulename(mod_path);
++ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL)
++ return PAM_ABORT;
++ (*handler_p2)->grantor = 0;
+ (*handler_p2)->next = NULL;
+ }
+
+diff --git a/libpam/pam_password.c b/libpam/pam_password.c
+index 75db5e5..592e01f 100644
+--- a/libpam/pam_password.c
++++ b/libpam/pam_password.c
+@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
+ D(("will resume when ready", retval));
+ }
+
+-#ifdef HAVE_LIBAUDIT
+- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
+-#endif
+-
+ return retval;
+ }
+diff --git a/libpam/pam_private.h b/libpam/pam_private.h
+index 134dc72..d93283c 100644
+--- a/libpam/pam_private.h
++++ b/libpam/pam_private.h
+@@ -55,6 +55,7 @@ struct handler {
+ struct handler *next;
+ char *mod_name;
+ int stack_level;
++ int grantor;
+ };
+
+ #define PAM_HT_MODULE 0
+@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \
+ do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
+
+ #ifdef HAVE_LIBAUDIT
+-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
++extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
+ extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
+ #endif
+
+diff --git a/libpam/pam_session.c b/libpam/pam_session.c
+index 512153f..cb393c1 100644
+--- a/libpam/pam_session.c
++++ b/libpam/pam_session.c
+@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags)
+ }
+ retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
+
+-#ifdef HAVE_LIBAUDIT
+- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
+-#endif
+ return retval;
+ }
+
+@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags)
+
+ retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
+
+-#ifdef HAVE_LIBAUDIT
+- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
+-#endif
+-
+ return retval;
+
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/pam-1.1.8-audit-user-mgmt.patch b/SOURCES/pam-1.1.8-audit-user-mgmt.patch
new file mode 100644
index 0000000..8459997
--- /dev/null
+++ b/SOURCES/pam-1.1.8-audit-user-mgmt.patch
@@ -0,0 +1,47 @@
+diff -urp Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c Linux-PAM-1.1.8/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c 2014-10-16 10:12:57.117554380 -0400
++++ Linux-PAM-1.1.8/modules/pam_faillock/main.c 2014-10-16 10:38:00.199510093 -0400
+@@ -141,10 +141,8 @@ do_user(struct options *opts, const char
+ if ((audit_fd=audit_open()) >= 0) {
+
+ if (pwd != NULL) {
+- snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+- pwd->pw_uid);
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, rv == 0);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
+ }
+ close(audit_fd);
+ }
+diff -urp Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c 2013-06-18 10:11:21.000000000 -0400
++++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-16 10:37:05.072511717 -0400
+@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = audit_open();
+- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
+@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
+ }
+ else if ( !cline_reset ) {
+ #ifdef HAVE_LIBAUDIT
+- char buf[64];
+ int audit_fd = audit_open();
+- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ "pam_tally2-reset-all-accts reset=0", "*", -1,
++ NULL, NULL, ttyname(STDIN_FILENO), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
diff --git a/SOURCES/pam-1.1.8-full-relro.patch b/SOURCES/pam-1.1.8-full-relro.patch
new file mode 100644
index 0000000..0337062
--- /dev/null
+++ b/SOURCES/pam-1.1.8-full-relro.patch
@@ -0,0 +1,108 @@
+diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
+@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
+
+ pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
+
++pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
++
+ securelib_LTLIBRARIES = pam_console.la
+ sbin_PROGRAMS = pam_console_apply
+
+@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
+ configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
+
+ pam_console_la_CFLAGS = $(AM_CFLAGS)
+-pam_console_apply_CFLAGS = $(AM_CFLAGS)
++pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+
+ configfile.tab.c: configfile.y
+ $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200
+@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
+
+ noinst_HEADERS = faillock.h
+
+-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
+ pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+
+ pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
+@@ -28,6 +28,7 @@ if HAVE_VERSIONING
+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+
++faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+
+ securelib_LTLIBRARIES = pam_faillock.la
+diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
++++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
+@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
+
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ -I$(srcdir)/.. @PIE_CFLAGS@
+-AM_LDFLAGS = @PIE_LDFLAGS@
++AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ LDADD = $(top_builddir)/libpam/libpam.la
+
+ securelibfilter_PROGRAMS = upperLOWER
+diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
+@@ -30,6 +30,8 @@ endif
+
+ sbin_PROGRAMS = mkhomedir_helper
+ mkhomedir_helper_SOURCES = mkhomedir_helper.c
++mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
++mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
+
+ if ENABLE_REGENERATE_MAN
+diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
+@@ -26,6 +26,8 @@ if HAVE_VERSIONING
+ pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+
++pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
++pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
+
+ securelib_LTLIBRARIES = pam_tally2.la
+diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
+@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+ pam_timestamp_check_SOURCES = pam_timestamp_check.c
+ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+ pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+
+ hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+ hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
+@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
+ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+ passverify.c
+ unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+
+ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+ passverify.c
+ unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
+-unix_update_LDFLAGS = @PIE_LDFLAGS@
++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+
+ if ENABLE_REGENERATE_MAN
diff --git a/SOURCES/pam-1.1.8-lastlog-uninitialized.patch b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch
new file mode 100644
index 0000000..8c545d9
--- /dev/null
+++ b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch
@@ -0,0 +1,37 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
+@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
+ return PAM_SERVICE_ERR;
+ }
+
++ memset(&last_login, 0, sizeof(last_login));
++
+ /* set this login date */
+ D(("set the most recent login time"));
+ (void) time(&ll_time); /* set the time */
+@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
+ }
+
+ /* copy to last_login */
+- last_login.ll_host[0] = '\0';
+ strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
+
+ /* set the terminal line */
+ terminal_line = get_tty(pamh);
+
+ /* copy to last_login */
+- last_login.ll_line[0] = '\0';
+ strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
+ terminal_line = NULL;
+
+@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ lltime = (time(NULL) - lltime) / (24*60*60);
+
+ if (lltime > inactive_days) {
+- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
++ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
++ user, (long) lltime);
+ return PAM_AUTH_ERR;
+ }
+
diff --git a/SOURCES/pam-1.1.8-limits-check-process.patch b/SOURCES/pam-1.1.8-limits-check-process.patch
new file mode 100644
index 0000000..f37f799
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-check-process.patch
@@ -0,0 +1,41 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
+--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
+@@ -27,6 +27,7 @@
+ #include <errno.h>
+ #include <syslog.h>
+ #include <stdarg.h>
++#include <signal.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/resource.h>
+@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
+ continue;
+ }
+ if (!pl->flag_numsyslogins) {
++ char user[sizeof(ut->UT_USER) + 1];
++ user[0] = '\0';
++ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
++
+ if (((pl->login_limit_def == LIMITS_DEF_USER)
+ || (pl->login_limit_def == LIMITS_DEF_GROUP)
+ || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
++ && strcmp(name, user) != 0) {
+ continue;
+ }
+ if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
++ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+ continue;
+ }
++ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
++ /* process does not exist anymore */
++ pam_syslog(pamh, LOG_WARNING,
++ "Stale utmp entry (pid %d) for '%s' ignored",
++ ut->ut_pid, user);
++ continue;
++ }
+ }
+ if (++count > limit) {
+ break;
diff --git a/SOURCES/pam-1.1.8-limits-docfix.patch b/SOURCES/pam-1.1.8-limits-docfix.patch
new file mode 100644
index 0000000..37703e3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-docfix.patch
@@ -0,0 +1,54 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200
+@@ -32,7 +32,7 @@
+ # - data - max data size (KB)
+ # - fsize - maximum filesize (KB)
+ # - memlock - max locked-in-memory address space (KB)
+-# - nofile - max number of open files
++# - nofile - max number of open file descriptors
+ # - rss - max resident set size (KB)
+ # - stack - max stack size (KB)
+ # - cpu - max CPU time (MIN)
+diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200
+@@ -178,7 +178,7 @@
+ <varlistentry>
+ <term><option>nofile</option></term>
+ <listitem>
+- <para>maximum number of open files</para>
++ <para>maximum number of open file descriptors</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+@@ -214,14 +214,17 @@
+ <varlistentry>
+ <term><option>maxlogins</option></term>
+ <listitem>
+- <para>maximum number of logins for this user except
+- for this with <emphasis>uid=0</emphasis></para>
++ <para>maximum number of logins for this user (this limit does
++ not apply to user with <emphasis>uid=0</emphasis>)</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>maxsyslogins</option></term>
+ <listitem>
+- <para>maximum number of all logins on system</para>
++ <para>maximum number of all logins on system; user is not
++ allowed to log-in if total number of all users' logins is
++ greater than specified number (this limit does not apply to
++ user with <emphasis>uid=0</emphasis>)</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+@@ -292,7 +295,7 @@
+ permanent; existing only for the duration of the session.
+ One exception is the <emphasis>maxlogin</emphasis> option, this one
+ is system wide. But there is a race, concurrent logins at the same
+- time will not always be detect as such but only counted as one.
++ time will not always be detected as such but only counted as one.
+ </para>
+ <para>
+ In the <emphasis>limits</emphasis> configuration file, the
diff --git a/SOURCES/pam-1.1.8-man-dbsuffix.patch b/SOURCES/pam-1.1.8-man-dbsuffix.patch
new file mode 100644
index 0000000..be2e231
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-dbsuffix.patch
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml
+--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200
+@@ -89,7 +89,8 @@
+ Use the <filename>/path/database</filename> database for
+ performing lookup. There is no default; the module will
+ return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
+- database is provided.
++ database is provided. Note that the path to the database file
++ should be specified without the <filename>.db</filename> suffix.
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -260,7 +261,7 @@
+ <refsect1 id='pam_userdb-examples'>
+ <title>EXAMPLES</title>
+ <programlisting>
+-auth sufficient pam_userdb.so icase db=/etc/dbtest.db
++auth sufficient pam_userdb.so icase db=/etc/dbtest
+ </programlisting>
+ </refsect1>
+
diff --git a/SOURCES/pam-1.1.8-opasswd-tolerant.patch b/SOURCES/pam-1.1.8-opasswd-tolerant.patch
new file mode 100644
index 0000000..fb9b198
--- /dev/null
+++ b/SOURCES/pam-1.1.8-opasswd-tolerant.patch
@@ -0,0 +1,50 @@
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 836d713..c36628e 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
+ {
+ const char delimiters[] = ":";
+ char *endptr;
++ char *count;
+
+ data->user = strsep (&line, delimiters);
+ data->uid = strsep (&line, delimiters);
+- data->count = strtol (strsep (&line, delimiters), &endptr, 10);
++ count = strsep (&line, delimiters);
++ if (data->user == NULL || data->uid == NULL || count == NULL)
++ return 1;
++
++ data->count = strtol (count, &endptr, 10);
+ if (endptr != NULL && *endptr != '\0')
+ return 1;
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 4840bb2..7f7bc49 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
+ continue;
+ buf[strlen(buf) - 1] = '\0';
+ s_luser = strtok_r(buf, ":", &sptr);
++ if (s_luser == NULL) {
++ found = 0;
++ continue;
++ }
+ s_uid = strtok_r(NULL, ":", &sptr);
++ if (s_uid == NULL) {
++ found = 0;
++ continue;
++ }
+ s_npas = strtok_r(NULL, ":", &sptr);
++ if (s_npas == NULL) {
++ found = 0;
++ continue;
++ }
+ s_pas = strtok_r(NULL, ":", &sptr);
+ npas = strtol(s_npas, NULL, 10) + 1;
+- while (npas > howmany) {
++ while (npas > howmany && s_pas != NULL) {
+ s_pas = strpbrk(s_pas, ",");
+ if (s_pas != NULL)
+ s_pas++;
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index 4fd99ba..58f87b8 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.8
-Release: 9%{?dist}
+Release: 12%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -36,9 +36,10 @@ Patch9: pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.6-limits-user.patch
-Patch15: pam-1.1.6-full-relro.patch
+Patch15: pam-1.1.8-full-relro.patch
# FIPS related - non upstreamable
Patch20: pam-1.1.5-unix-no-fallback.patch
+Patch28: pam-1.1.1-console-errmsg.patch
# Upstreamed partially
Patch29: pam-1.1.8-pwhistory-helper.patch
Patch31: pam-1.1.6-use-links.patch
@@ -47,6 +48,13 @@ Patch33: pam-1.1.8-translation-updates.patch
Patch34: pam-1.1.8-canonicalize-username.patch
Patch35: pam-1.1.8-cve-2013-7041.patch
Patch36: pam-1.1.8-cve-2014-2583.patch
+Patch37: pam-1.1.8-lastlog-uninitialized.patch
+Patch38: pam-1.1.8-opasswd-tolerant.patch
+Patch39: pam-1.1.8-audit-grantor.patch
+Patch40: pam-1.1.8-man-dbsuffix.patch
+Patch41: pam-1.1.8-limits-check-process.patch
+Patch42: pam-1.1.8-limits-docfix.patch
+Patch43: pam-1.1.8-audit-user-mgmt.patch
%define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security
@@ -120,6 +128,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch13 -p1 -b .limits
%patch15 -p1 -b .relro
%patch20 -p1 -b .no-fallback
+%patch28 -p1 -b .errmsg
%patch29 -p1 -b .pwhhelper
%patch31 -p1 -b .links
%patch32 -p1 -b .tty-audit-init
@@ -127,6 +136,13 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch34 -p1 -b .canonicalize
%patch35 -p1 -b .case
%patch36 -p1 -b .timestamp-ruser
+%patch37 -p1 -b .uninitialized
+%patch38 -p1 -b .opasswd-tolerant
+%patch39 -p1 -b .grantor
+%patch40 -p1 -b .dbsuffix
+%patch41 -p1 -b .check-process
+%patch42 -p1 -b .docfix
+%patch43 -p1 -b .audit-user-mgmt
%build
autoreconf -i
@@ -248,7 +264,7 @@ done
%post
/sbin/ldconfig
if [ ! -e /var/log/tallylog ] ; then
- install -m 600 /dev/null /var/log/tallylog
+ /usr/bin/install -m 600 /dev/null /var/log/tallylog
fi
%postun -p /sbin/ldconfig
@@ -375,6 +391,22 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12
+- use USER_MGMT type for auditing in the pam_tally2 and faillock
+ apps (#1151576)
+
+* Thu Sep 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-11
+- be tolerant to corrupted opasswd file
+- audit the module names that granted access
+- pam_userdb: correct the example in man page (#1078784)
+- pam_limits: check whether the utmp login entry is valid (#1080023)
+- pam_console_apply: do not print error if console.perms.d is empty
+- pam_limits: nofile refers to open file descriptors (#1111220)
+- apply PIE and full RELRO to all binaries built
+
+* Mon Aug 25 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-10
+- pam_lastlog: fix uninitialized access of parts of lastlog structure
+
* Mon Mar 31 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-9
- fix CVE-2014-2583: potential path traversal issue in pam_timestamp
- pam_pwhistory: call the helper if SELinux enabled