severity: serious tags: security package: libpam-runtime Version: 1.0.1-6 Even with the changes committed for 1.0.1-10, enabling only profiles like consolekit that provide no authentication option leave the system accepting any password.
I realize this is messy in the code, but I think we need to actually check that the auth stack contains an entry and require more profiles if that is not true. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org