SOURCES/pam-1.3.1-access-handle-hostnames.patch

@@ -1,158 +0,0 @@
-diff -up Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames Linux-PAM-1.3.1/modules/pam_access/pam_access.c
---- Linux-PAM-1.3.1/modules/pam_access/pam_access.c.access-handle-hostnames	2024-01-19 16:45:18.319862531 +0100
-+++ Linux-PAM-1.3.1/modules/pam_access/pam_access.c	2024-01-19 16:50:34.239545948 +0100
-@@ -683,7 +683,7 @@ string_match (pam_handle_t *pamh, const
-     /*
-      * If the token has the magic value "ALL" the match always succeeds.
-      * Otherwise, return YES if the token fully matches the string.
--	 * "NONE" token matches NULL string.
-+     * "NONE" token matches NULL string.
-      */
- 
-     if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
-@@ -701,7 +701,8 @@ string_match (pam_handle_t *pamh, const
- 
- /* network_netmask_match - match a string against one token
-  * where string is a hostname or ip (v4,v6) address and tok
-- * represents either a single ip (v4,v6) address or a network/netmask
-+ * represents either a hostname, a single ip (v4,v6) address
-+ * or a network/netmask
-  */
- static int
- network_netmask_match (pam_handle_t *pamh,
-@@ -710,10 +711,12 @@ network_netmask_match (pam_handle_t *pam
-     char *netmask_ptr;
-     char netmask_string[MAXHOSTNAMELEN + 1];
-     int addr_type;
-+    struct addrinfo *ai = NULL;
- 
-     if (item->debug)
--    pam_syslog (pamh, LOG_DEBUG,
-+      pam_syslog (pamh, LOG_DEBUG,
- 		"network_netmask_match: tok=%s, item=%s", tok, string);
-+
-     /* OK, check if tok is of type addr/mask */
-     if ((netmask_ptr = strchr(tok, '/')) != NULL)
-       {
-@@ -745,52 +748,109 @@ network_netmask_match (pam_handle_t *pam
- 	    netmask_ptr = number_to_netmask(netmask, addr_type,
- 		netmask_string, MAXHOSTNAMELEN);
- 	  }
--	}
-+
-+        /*
-+         * Construct an addrinfo list from the IP address.
-+         * This should not fail as the input is a correct IP address...
-+         */
-+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
-+	  {
-+	    return NO;
-+	  }
-+      }
-     else
--	/* NO, then check if it is only an addr */
--	if (isipaddr(tok, NULL, NULL) != YES)
-+      {
-+        /*
-+	 * It is either an IP address or a hostname.
-+	 * Let getaddrinfo sort everything out
-+	 */
-+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
- 	  {
-+	    if (item->debug)
-+	      pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
-+
- 	    return NO;
- 	  }
-+	netmask_ptr = NULL;
-+      }
- 
-     if (isipaddr(string, NULL, NULL) != YES)
-       {
--	/* Assume network/netmask with a name of a host.  */
- 	struct addrinfo hint;
- 
-+	/* Assume network/netmask with a name of a host.  */
- 	memset (&hint, '\0', sizeof (hint));
- 	hint.ai_flags = AI_CANONNAME;
- 	hint.ai_family = AF_UNSPEC;
- 
- 	if (item->gai_rv != 0)
-+	  {
-+	    freeaddrinfo(ai);
- 	    return NO;
-+	  }
- 	else if (!item->res &&
- 		(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
-+	  {
-+	    freeaddrinfo(ai);
- 	    return NO;
-+	  }
-         else
- 	  {
- 	    struct addrinfo *runp = item->res;
-+	    struct addrinfo *runp1;
- 
- 	    while (runp != NULL)
- 	      {
- 		char buf[INET6_ADDRSTRLEN];
- 
--		inet_ntop (runp->ai_family,
--			runp->ai_family == AF_INET
--			? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
--			: (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
--			buf, sizeof (buf));
-+		if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
-+		  {
-+		    freeaddrinfo(ai);
-+		    return NO;
-+		  }
- 
--		if (are_addresses_equal(buf, tok, netmask_ptr))
-+		for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
- 		  {
--		    return YES;
-+                    char buf1[INET6_ADDRSTRLEN];
-+
-+                    if (runp->ai_family != runp1->ai_family)
-+                      continue;
-+
-+                    if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
-+		      {
-+			freeaddrinfo(ai);
-+			return NO;
-+		      }
-+
-+                    if (are_addresses_equal (buf, buf1, netmask_ptr))
-+                      {
-+                        freeaddrinfo(ai);
-+                        return YES;
-+                      }
- 		  }
- 		runp = runp->ai_next;
- 	      }
- 	  }
-       }
-     else
--      return (are_addresses_equal(string, tok, netmask_ptr));
-+      {
-+       struct addrinfo *runp1;
-+
-+       for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
-+         {
-+           char buf1[INET6_ADDRSTRLEN];
-+
-+           (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
-+
-+           if (are_addresses_equal(string, buf1, netmask_ptr))
-+             {
-+               freeaddrinfo(ai);
-+               return YES;
-+             }
-+         }
-+      }
-+
-+  freeaddrinfo(ai);
- 
-   return NO;
- }

SOURCES/pam-1.3.1-faillock-create-tallydir.patch

@@ -1,13 +0,0 @@
-diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir Linux-PAM-1.3.1/modules/pam_faillock/faillock.c
---- Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-create-tallydir	2024-01-08 11:32:02.122392119 +0100
-+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.c	2024-01-08 11:33:10.916515943 +0100
-@@ -74,6 +74,9 @@ open_tally (const char *dir, const char
- 
- 	if (create) {
- 		flags |= O_CREAT;
-+		if (access(dir, F_OK) != 0) {
-+			mkdir(dir, 0755);
-+		}
- 	}
- 
- 	fd = open(path, flags, 0600);

SOURCES/pam-1.3.1-namespace-protect-dir.patch

@@ -1,58 +0,0 @@
-From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
-From: Matthias Gerstner <matthias.gerstner@suse.de>
-Date: Wed, 27 Dec 2023 14:01:59 +0100
-Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
- local DoS situations
-
-Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
-being placed in user controlled directories, causing the PAM module to
-block indefinitely during `openat()`.
-
-Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
-refer to a directory.
-
-With this the check whether the final path element is a directory
-becomes unnecessary, drop it.
----
- modules/pam_namespace/pam_namespace.c | 18 +-----------------
- 1 file changed, 1 insertion(+), 17 deletions(-)
-
-diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
-index 2528cff8..f72d6718 100644
---- a/modules/pam_namespace/pam_namespace.c
-+++ b/modules/pam_namespace/pam_namespace.c
-@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
- 	int dfd = AT_FDCWD;
- 	int dfd_next;
- 	int save_errno;
--	int flags = O_RDONLY;
-+	int flags = O_RDONLY | O_DIRECTORY;
- 	int rv = -1;
- 	struct stat st;
- 
-@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
- 		rv = openat(dfd, dir, flags);
- 	}
- 
--	if (rv != -1) {
--		if (fstat(rv, &st) != 0) {
--			save_errno = errno;
--			close(rv);
--			rv = -1;
--			errno = save_errno;
--			goto error;
--		}
--		if (!S_ISDIR(st.st_mode)) {
--			close(rv);
--			errno = ENOTDIR;
--			rv = -1;
--			goto error;
--		}
--	}
--
- 	if (flags & O_NOFOLLOW) {
- 		/* we are inside user-owned dir - protect */
- 		if (protect_mount(rv, p, idata) == -1) {
--- 
-2.43.0
-

SOURCES/pam-1.3.1-pam-misc-configurable.patch

@@ -1,29 +0,0 @@
-diff -up Linux-PAM-1.3.1/configure.ac.pam-misc-configurable Linux-PAM-1.3.1/configure.ac
---- Linux-PAM-1.3.1/configure.ac.pam-misc-configurable	2023-06-26 09:57:00.243146563 +0200
-+++ Linux-PAM-1.3.1/configure.ac	2023-06-26 09:59:45.353636685 +0200
-@@ -621,6 +621,13 @@ if test x"$opt_kerneloverflowuid" == x;
- fi
- AC_DEFINE_UNQUOTED(PAM_USERTYPE_OVERFLOW_UID, $opt_kerneloverflowuid, [Kernel overflow uid.])
- 
-+AC_ARG_WITH([misc-conv-bufsize],
-+AS_HELP_STRING([--with-misc-conv-bufsize=<number>],
-+    [Size of input buffer for libpam_misc's misc_conv() conversation function, default=4096]),
-+    [],
-+    [with_misc_conv_bufsize=4096])
-+AC_DEFINE_UNQUOTED(PAM_MISC_CONV_BUFSIZE, $with_misc_conv_bufsize, [libpam_misc misc_conv() buffer size.])
-+
- dnl Files to be created from when we run configure
- AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile \
- 	libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
-diff -up Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable Linux-PAM-1.3.1/libpam_misc/misc_conv.c
---- Linux-PAM-1.3.1/libpam_misc/misc_conv.c.pam-misc-configurable	2023-06-26 09:57:00.242146560 +0200
-+++ Linux-PAM-1.3.1/libpam_misc/misc_conv.c	2023-06-26 10:00:38.023787972 +0200
-@@ -18,7 +18,7 @@
- #include <security/pam_appl.h>
- #include <security/pam_misc.h>
- 
--#define INPUTSIZE PAM_MAX_MSG_SIZE           /* maximum length of input+1 */
-+#define INPUTSIZE PAM_MISC_CONV_BUFSIZE      /* maximum length of input+1 */
- #define CONV_ECHO_ON  1                            /* types of echo state */
- #define CONV_ECHO_OFF 0
- 

SOURCES/pam-1.3.1-unix-default-rounds.patch

@@ -1,12 +0,0 @@
-diff -up Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c
---- Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c.unix-default-rounds	2023-11-02 09:59:54.533238124 +0100
-+++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix_passwd.c	2023-11-02 10:40:58.017404936 +0100
-@@ -607,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
- 	unsigned int ctrl, lctrl;
- 	int retval;
- 	int remember = -1;
--	int rounds = -1;
-+	int rounds = 0;
- 	int pass_min_len = 0;
- 
- 	/* <DO NOT free() THESE> */

SOURCES/pam-1.3.1-unix-enable-bcrypt.patch

@@ -1,174 +0,0 @@
-From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Thu, 15 Nov 2018 15:01:57 +0100
-Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
-
-Bcrypt hashes used the "$2a$" prefix since 1997.
-However, in 2011 an implementation bug was discovered in bcrypt
-affecting the handling of characters in passphrases with the 8th
-bit set.
-
-Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
-for a behavior that exactly matches crypt_blowfish's "$2y$", and
-the crypt_blowfish implementation supports it as well since v1.1.
-
-That said new computed bcrypt hashes should use the "$2b$" prefix.
-
-* modules/pam_unix/passverify.c: Use bcrypt b-variant.
----
- modules/pam_unix/passverify.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 9c1771e2..1f433b3a 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
- 		/* algoid = "$1" */
- 		return crypt_md5_wrapper(password);
- 	} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
--		algoid = "$2a$";
-+		algoid = "$2b$";
- 	} else if (on(UNIX_SHA256_PASS, ctrl)) {
- 		algoid = "$5$";
- 	} else if (on(UNIX_SHA512_PASS, ctrl)) {
--- 
-2.41.0
-
-diff -up Linux-PAM-1.3.1/configure.ac.legacy-xcrypt Linux-PAM-1.3.1/configure.ac
---- Linux-PAM-1.3.1/configure.ac.legacy-xcrypt	2023-10-26 12:08:46.896437225 +0200
-+++ Linux-PAM-1.3.1/configure.ac	2023-10-26 12:10:38.289654696 +0200
-@@ -395,19 +395,32 @@ AC_SUBST(LIBAUDIT)
- AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
- 	       [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
- 
--AC_CHECK_HEADERS(xcrypt.h crypt.h)
--AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
--  [crypt_libs="xcrypt crypt"],
--  [crypt_libs="crypt"])
-+AC_CHECK_HEADERS(crypt.h)
- 
- BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
--AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
-+LIBCRYPT=""
-+PKG_CHECK_MODULES([CRYPT], [libcrypt], [
-+  CFLAGS="$CFLAGS $CRYPT_CFLAGS"
-+  CPPFLAGS="$CPPFLAGS $CRYPT_CFLAGS"
-+  LIBS="$LIBS $CRYPT_LIBS"
-+  LIBCRYPT="$CRYPT_LIBS"
-+], [
-+  AC_SEARCH_LIBS([crypt_gensalt_rn],[crypt])
-+  case "$ac_cv_search_crypt_gensalt_rn" in
-+	-l*) LIBCRYPT="$ac_cv_search_crypt_gensalt_rn" ;;
-+	no) AC_SEARCH_LIBS([crypt_r],[crypt])
-+		case "$ac_cv_search_crypt_r" in
-+		-l*) LIBCRYPT="$ac_cv_search_crypt_r" ;;
-+		no ) AC_SEARCH_LIBS([crypt],[crypt])
-+		case "$ac_cv_search_crypt" in
-+			-l*) LIBCRYPT="$ac_cv_search_crypt" ;;
-+		esac ;;
-+	esac ;;
-+  esac
-+])
-+AC_CHECK_FUNCS([crypt_r])
- LIBS=$BACKUP_LIBS
- AC_SUBST(LIBCRYPT)
--if test "$LIBCRYPT" = "-lxcrypt" -a "$ac_cv_header_xcrypt_h" = "yes" ; then
--	AC_DEFINE([HAVE_LIBXCRYPT], 1, [Define to 1 if xcrypt support should be compiled in.])
--fi
- 
- AC_ARG_WITH([randomdev], AS_HELP_STRING([--with-randomdev=(<path>|yes|no)],[use specified random device instead of /dev/urandom or 'no' to disable]), opt_randomdev=$withval)
- if test "$opt_randomdev" = yes -o -z "$opt_randomdev"; then
-diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c
---- Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c.legacy-xcrypt	2023-10-26 12:08:46.896437225 +0200
-+++ Linux-PAM-1.3.1/modules/pam_pwhistory/opasswd.c	2023-10-26 12:11:14.437725259 +0200
-@@ -52,9 +52,7 @@
- #include <stdarg.h>
- #include <sys/stat.h>
- 
--#if defined (HAVE_XCRYPT_H)
--#include <xcrypt.h>
--#elif defined (HAVE_CRYPT_H)
-+#ifdef HAVE_CRYPT_H
- #include <crypt.h>
- #endif
- 
-diff -up Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c
---- Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c.legacy-xcrypt	2017-02-10 11:10:15.000000000 +0100
-+++ Linux-PAM-1.3.1/modules/pam_unix/bigcrypt.c	2023-10-26 12:08:46.896437225 +0200
-@@ -29,9 +29,7 @@
- #include <string.h>
- #include <stdlib.h>
- #include <security/_pam_macros.h>
--#ifdef HAVE_LIBXCRYPT
--#include <xcrypt.h>
--#elif defined(HAVE_CRYPT_H)
-+#ifdef HAVE_CRYPT_H
- #include <crypt.h>
- #endif
- 
-diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_unix/passverify.c
---- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.legacy-xcrypt	2023-10-26 12:08:46.895437223 +0200
-+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c	2023-10-26 12:16:25.470320408 +0200
-@@ -19,9 +19,7 @@
- #include <sys/time.h>
- #include <sys/stat.h>
- #include <fcntl.h>
--#ifdef HAVE_LIBXCRYPT
--#include <xcrypt.h>
--#elif defined(HAVE_CRYPT_H)
-+#ifdef HAVE_CRYPT_H
- #include <crypt.h>
- #endif
- 
-@@ -406,23 +404,19 @@ PAMH_ARG_DECL(char * create_password_has
- 		return crypted;
- 	}
- 
--#ifdef HAVE_CRYPT_GENSALT_R
--	if (on(UNIX_BLOWFISH_PASS, ctrl)) {
--		char entropy[17];
--		crypt_make_salt(entropy, sizeof(entropy) - 1);
--		sp = crypt_gensalt_r (algoid, rounds,
--				      entropy, sizeof(entropy),
--				      salt, sizeof(salt));
--	} else {
--#endif
--		sp = stpcpy(salt, algoid);
--		if (on(UNIX_ALGO_ROUNDS, ctrl)) {
--			sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
--		}
--		crypt_make_salt(sp, 16);
--#ifdef HAVE_CRYPT_GENSALT_R
-+#if defined(CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY) && CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
-+	/*
-+	 * Any version of libcrypt supporting auto entropy is
-+	 * guaranteed to have crypt_gensalt_rn().
-+	 */
-+	sp = crypt_gensalt_rn(algoid, rounds, NULL, 0, salt, sizeof(salt));
-+#else
-+	sp = stpcpy(salt, algoid);
-+	if (on(UNIX_ALGO_ROUNDS, ctrl)) {
-+		sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
- 	}
--#endif
-+	crypt_make_salt(sp, 16);
-+#endif /* CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY */
- #ifdef HAVE_CRYPT_R
- 	sp = NULL;
- 	cdata = malloc(sizeof(*cdata));
-diff -up Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c
---- Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c.legacy-xcrypt	2023-10-26 12:08:46.880437194 +0200
-+++ Linux-PAM-1.3.1/modules/pam_userdb/pam_userdb.c	2023-10-26 12:08:46.896437225 +0200
-@@ -17,9 +17,7 @@
- #include <sys/stat.h>
- #include <fcntl.h>
- #include <errno.h>
--#ifdef HAVE_LIBXCRYPT
--#include <xcrypt.h>
--#elif defined(HAVE_CRYPT_H)
-+#ifdef HAVE_CRYPT_H
- #include <crypt.h>
- #endif
- 

SOURCES/smartcard-auth.pamd

@@ -1,4 +1,19 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authselect is run.
-auth sufficient pam_sss.so allow_missing_name
+auth        required      pam_env.so
+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    optional      pam_pkcs11.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

SPECS/pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 33%{?dist}
+Release: 25%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -97,19 +97,6 @@ Patch62: pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch
 Patch63: pam-1.5.1-pam-faillock-clarify-missing-user.patch
 # https://github.com/linux-pam/linux-pam/commit/10086bc69663fa819277af244eeb5b629a2403b8
 Patch64: pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch
-# https://github.com/linux-pam/linux-pam/commit/55f206447a1e4ee26e307e7a9c069236e823b1a5
-# https://github.com/linux-pam/linux-pam/commit/80bfda5962e5be3daa70e0fc8c75fc97d1c55121
-Patch65: pam-1.3.1-pam-misc-configurable.patch
-# https://github.com/linux-pam/linux-pam/commit/530c9f9e2d746e1d168c6b17863debda7664ac7c
-# https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016
-Patch66: pam-1.3.1-unix-enable-bcrypt.patch
-Patch67: pam-1.3.1-unix-default-rounds.patch
-# https://github.com/linux-pam/linux-pam/commit/d54870f993e97fe75e2cd0470a3701d5af22877c
-Patch68: pam-1.3.1-faillock-create-tallydir.patch
-# https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
-Patch69: pam-1.3.1-access-handle-hostnames.patch
-# https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
-Patch70: pam-1.3.1-namespace-protect-dir.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -222,12 +209,6 @@ cp %{SOURCE18} .
 %patch62 -p1 -b .pam-lastlog-check-localtime_r-return-value
 %patch63 -p1 -b .pam-faillock-clarify-missing-user
 %patch64 -p1 -b .pam-faillock-avoid-logging-erroneous
-%patch65 -p1 -b .pam-misc-configurable
-%patch66 -p1 -b .unix-enable-bcrypt
-%patch67 -p1 -b .unix-default-rounds
-%patch68 -p1 -b .faillock-create-tallydir
-%patch69 -p1 -b .access-handle-hostnames
-%patch70 -p1 -b .namespace-protect-dir
 
 autoreconf -i
 
@@ -481,25 +462,6 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
-* Mon Feb 12 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-33
-- pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
-  situations. CVE-2024-22365. Resolves: RHEL-21242
-
-* Fri Jan 26 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-32
-- pam_access: handle hostnames in access.conf. Resolves: RHEL-3374
-
-* Mon Jan  8 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-31
-- pam_faillock: create tallydir before creating tallyfile. Resolves: RHEL-19810
-
-* Thu Nov  2 2023 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-30
-- pam_unix: enable bcrypt. Resolves: RHEL-5057
-
-* Mon Jun 26 2023 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-27
-- pam_misc: make length of misc_conv() configurable and set to 4096. Resolves: #2209785
-
-* Tue May 16 2023 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-26
-- smartcard-auth: modify the content to remove unnecessary modules. Resolves: #1983683
-
 * Tue Nov 29 2022 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-25
 - pam_motd: avoid unnecessary logging. Resolves: #2091062
 - pam_lastlog: check localtime_r() return value. Resolves: #2012871