Import Debian changes 1.1.8-3.3

pam (1.1.8-3.3) unstable; urgency=low

  * Non-maintainer upload.
  [ Steve Langasek ]
  * Updated Swedish translation to correct a typo, thanks to Anders Jonsson
    and Martin Bagge.  Closes: #743875
  * Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>.
    (closes: #756756)
  * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
    soft nofile limit read from pid 1 to FD_SETSIZE.  Thanks to Robie Basak
    <robie.basak@ubuntu.com> for the patch.  Closes: #783105.
  * Acknowledge security NMU.
  * pam-auth-update: don't mishandle trailing whitespace in profiles.
    LP: #1487103.

  [ Laurent Bigonville ]
  * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343)
  * debian/watch: Update watch file and point it to http://www.linux-pam.org
  * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in
    namespace.init script (Closes: #624842)
  * debian/control: Build-depends against debhelper (>= 9) to match the
    defined debhelper compatibility
  * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality,
    thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594)
  * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
  * debian/libpam-doc.doc-base.applications-guide: Fix spelling
  * debian/libpam0g-dev.examples: Do not use shell brace expansion
  * debian/patches-applied/pam-loginuid-in-containers: Updated with the version
    from Ubuntu, this should fix logins in containers (Closes: #726661)
  * debian/patches-applied/update-motd: Updated with the version from Ubuntu:
    use /run/motd.dynamic instead of /var/run/motd, nothing in the archive
    uses the later (Closes: #743286)
  * debian/patches-applied/make_documentation_reproducible.patch: Make the
    build reproducible, removes differences when building with different
    locale values (Closes: #792127)

15 files changed, 284 insertions, 56 deletions

diff --git a/debian/changelog b/debian/changelog
index 0f7a1dbe..73dedf05 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,41 @@
+pam (1.1.8-3.3) unstable; urgency=low
+
+  * Non-maintainer upload.
+  [ Steve Langasek ]
+  * Updated Swedish translation to correct a typo, thanks to Anders Jonsson
+    and Martin Bagge.  Closes: #743875
+  * Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>.
+    (closes: #756756)
+  * d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
+    soft nofile limit read from pid 1 to FD_SETSIZE.  Thanks to Robie Basak
+    <robie.basak@ubuntu.com> for the patch.  Closes: #783105.
+  * Acknowledge security NMU.
+  * pam-auth-update: don't mishandle trailing whitespace in profiles.
+    LP: #1487103.
+
+  [ Laurent Bigonville ]
+  * debian/control: Fix Vcs-* and Homepage fields (Closes: #752343)
+  * debian/watch: Update watch file and point it to http://www.linux-pam.org
+  * debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in
+    namespace.init script (Closes: #624842)
+  * debian/control: Build-depends against debhelper (>= 9) to match the
+    defined debhelper compatibility
+  * Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality,
+    thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594)
+  * debian/control: Bump Standards-Version to 3.9.8 (no further changes)
+  * debian/libpam-doc.doc-base.applications-guide: Fix spelling
+  * debian/libpam0g-dev.examples: Do not use shell brace expansion
+  * debian/patches-applied/pam-loginuid-in-containers: Updated with the version
+    from Ubuntu, this should fix logins in containers (Closes: #726661)
+  * debian/patches-applied/update-motd: Updated with the version from Ubuntu:
+    use /run/motd.dynamic instead of /var/run/motd, nothing in the archive
+    uses the later (Closes: #743286)
+  * debian/patches-applied/make_documentation_reproducible.patch: Make the
+    build reproducible, removes differences when building with different
+    locale values (Closes: #792127)
+
+ -- Laurent Bigonville <bigon@debian.org>  Wed, 18 May 2016 02:04:29 +0200
+
 pam (1.1.8-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/control b/debian/control
index d7a68308..85d0e792 100644
--- a/debian/control
+++ b/debian/control
@@ -3,13 +3,14 @@ Section: libs
 Priority: optional
 Uploaders: Sam Hartman <hartmans@debian.org>, Roger Leigh <rleigh@debian.org>
 Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.1
-Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 8.9.4), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config
+Standards-Version: 3.9.8
+Build-Depends: libcrack2-dev (>= 2.8), bzip2, debhelper (>= 9), quilt (>= 0.48-1), flex, libdb-dev, libselinux1-dev [linux-any], po-debconf, dh-autoreconf, autopoint, libaudit-dev [linux-any], pkg-config
 Build-Depends-Indep: xsltproc, libxml2-utils, docbook-xml, docbook-xsl, w3m
 Build-Conflicts-Indep: fop
 Build-Conflicts: libdb4.2-dev, libxcrypt-dev
-Vcs-Bzr: http://bzr.debian.org/bzr/pkg-pam/debian/sid/
-Homepage: http://pam.sourceforge.net/
+Vcs-Bzr: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid
+Vcs-Browser: https://alioth.debian.org/scm/loggerhead/pkg-pam/debian/sid/files
+Homepage: http://www.linux-pam.org/
 
 Package: libpam0g
 Priority: required
diff --git a/debian/libpam-doc.doc-base.applications-guide b/debian/libpam-doc.doc-base.applications-guide
index f38ef1e5..89768d7e 100644
--- a/debian/libpam-doc.doc-base.applications-guide
+++ b/debian/libpam-doc.doc-base.applications-guide
@@ -4,7 +4,7 @@ Author: Andrew G. Morgan <morgan@linux.kernel.org>
 Abstract: This manual documents what an application developer needs to know
  about the Linux-PAM library. It describes how an application might use
  the Linux-PAM library to authenticate users. In addition it contains a
- description of the funtions to be found in libpam_misc library, that can
+ description of the functions to be found in libpam_misc library, that can
  be used in general applications. Finally, it contains some comments on PAM
  related security issues for the application developer.
 Section: Programming
diff --git a/debian/libpam0g-dev.examples b/debian/libpam0g-dev.examples
index c1b7e77e..351b20ee 100644
--- a/debian/libpam0g-dev.examples
+++ b/debian/libpam0g-dev.examples
@@ -2,4 +2,6 @@ examples/blank.c
 examples/check_user.c
 examples/vpass.c
 examples/xsh.c
-libpamc/test/{agents,modules,regress}
+libpamc/test/agents
+libpamc/test/modules
+libpamc/test/regress
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 17d3fc66..60eb1e8f 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -671,7 +671,7 @@ sub parse_pam_profile
 	my %profile;
 	open(PROFILE, $profile) || die "could not read profile $profile: $!";
 	while (<PROFILE>) {
-		if (/^(\S+):\s+(.*)$/) {
+		if (/^(\S+):\s+(.*)\s*$/) {
 			$fieldname = $1;
 			# compatibility with the first implementation round;
 			# "Auth-Final" is now just called "Auth"
@@ -686,6 +686,7 @@ sub parse_pam_profile
 		} else {
 			chomp;
 			s/^\s+//;
+			s/\s+$//;
 			$profile{$fieldname} .= "\n$_" if ($_);
 			$profile{$fieldname} =~ s/^[\n\s]+//;
 		}
diff --git a/debian/patches-applied/cve-2011-4708.patch b/debian/patches-applied/cve-2010-4708.patch
index c0fbb1ee..cf23e318 100644
--- a/debian/patches-applied/cve-2011-4708.patch
+++ b/debian/patches-applied/cve-2010-4708.patch
@@ -1,4 +1,4 @@
-Description: fix cve-2011-4708: .pam_environment privilege issue
+Description: fix cve-2010-4708: .pam_environment privilege issue
 Index: pam.debian/modules/pam_env/pam_env.c
 ===================================================================
 --- pam.debian.orig/modules/pam_env/pam_env.c
diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch
new file mode 100644
index 00000000..26f16503
--- /dev/null
+++ b/debian/patches-applied/make_documentation_reproducible.patch
@@ -0,0 +1,28 @@
+Description: Make documentation reproducible
+ Add LC_ALL=C to w3m to avoid changes in the output when build the
+ documentation with different locales.
+Author: Juan Picca <jumapico@gmail.com>
+Last-Update: 2015-07-11
+
+--- pam.orig/configure
++++ pam/configure
+@@ -15162,7 +15162,7 @@ fi
+ 
+ 
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+      enable_docu=no
+ fi
+--- pam.orig/configure.in
++++ pam/configure.in
+@@ -554,7 +554,7 @@ JH_CHECK_XML_CATALOG([http://docbook.sou
+ 
+ AC_PATH_PROG([BROWSER], [w3m])
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="LC_ALL=C $BROWSER -T text/html -dump"
+ else
+      enable_docu=no
+ fi
diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
new file mode 100644
index 00000000..176d7845
--- /dev/null
+++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap
@@ -0,0 +1,58 @@
+From: Robie Basak <robie.basak@ubuntu.com>
+Subject: pam_limits: cap the default soft nofile limit read from pid 1 to FD_SETSIZE
+
+Cap the default soft nofile limit read from pid 1 to FD_SETSIZE since
+larger values can cause problems with fd_set overflow and systemd sets
+itself higher.
+
+See:
+https://lists.ubuntu.com/archives/ubuntu-devel/2010-September/031446.html
+http://www.outflux.net/blog/archives/2014/06/13/5-year-old-glibc-select-weakness-fixed/
+https://sourceware.org/bugzilla/show_bug.cgi?id=10352
+https://github.com/systemd/systemd/commit/4096d6f5879aef73e20dd7b62a01f447629945b0
+
+pam_limits reads the default limits from /proc/1/limits. Previously,
+using upstart, this resulted in a 1024 nofile soft limit on Ubuntu
+systems by default. Using systemd, this results in a limit of 65536
+instead. This is not the intention of systemd upstream. See systemd
+commit 4096d6f for an explanation of systemd's behaviour.
+
+If we want to make such a change to the default distribution soft limit
+in PAM, we should do it deliberately and carefully, not accidentally. A
+change should consider what uses select(2) and might inadvertently (and
+incorrectly) assume that file descriptors will always fit into an
+fd_set, what vulnerabilities or crashes the change could consequently
+create, and whether the protection now present with FORTIFY_SOURCE is
+suitably enabled in all relevant builds.
+
+So this keeps the soft limit at 1024 for now. The hard limit will rise
+to 65536 along with systemd. Anything that knows that it will not be
+buggy with respect to fd_set and FD_SETSIZE, such as by using poll(2) or
+epoll(7) instead of select(2), can always raise the soft limit itself
+without issue.
+
+20:54 <rbasak> slangasek: [...] I'm also not sure how to go about
+upstreaming this as pam_limits seems to be heavily patched already.
+
+Forwarded: no
+Reviewed-by: Adam Conrad <adconrad@ubuntu.com>
+Reviewed-by: Martin Pitt <martin.pitt@ubuntu.com>
+Last-Update: 2015-04-22
+
+--- a/modules/pam_limits/pam_limits.c
++++ b/modules/pam_limits/pam_limits.c
+@@ -439,6 +439,14 @@ static void parse_kernel_limits(pam_hand
+         pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+     }
+     fclose(limitsfile);
++
++    /* Cap the default soft nofile limit read from pid 1 to FD_SETSIZE
++     * since larger values can cause problems with fd_set overflow and
++     * systemd sets itself higher. */
++    if (pl->limits[RLIMIT_NOFILE].src_soft == LIMITS_DEF_KERNEL &&
++        pl->limits[RLIMIT_NOFILE].limit.rlim_cur > FD_SETSIZE) {
++      pl->limits[RLIMIT_NOFILE].limit.rlim_cur = FD_SETSIZE;
++    }
+ }
+ 
+ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
index bea1e32f..1e965b2d 100644
--- a/debian/patches-applied/pam-loginuid-in-containers
+++ b/debian/patches-applied/pam-loginuid-in-containers
@@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces
     Signed-off-by: Steve Langasek <vorlon@debian.org>
     Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
 
-Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
 ===================================================================
---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c
-+++ pam.deb/modules/pam_loginuid/pam_loginuid.c
-@@ -46,25 +46,49 @@
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c	2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c	2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
  
  /*
   * This function writes the loginuid to the /proc system. It returns
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
 +	char loginuid[24], buf[24];
 +	static const char host_uid_map[] = "         0          0 4294967295\n";
 +	char uid_map[sizeof(host_uid_map)];
++
++	/* loginuid in user namespaces currently isn't writable and in some
++	   case, not even readable, so consider any failure as ignorable (but try
++	   anyway, in case we hit a kernel which supports it). */
++	fd = open("/proc/self/uid_map", O_RDONLY);
++	if (fd >= 0) {
++		count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++		if (strncmp(uid_map, host_uid_map, count) != 0)
++			rc = PAM_IGNORE;
++		close(fd);
++	}
  
- 	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+-	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
 -	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
 +	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
  	if (fd < 0) {
 -		if (errno != ENOENT) {
 -			rc = 1;
+-			pam_syslog(pamh, LOG_ERR,
+-				   "Cannot open /proc/self/loginuid: %m");
 +		if (errno == ENOENT) {
 +			rc = PAM_IGNORE;
-+		} else if (errno == EACCES) {
-+			fd = open("/proc/self/uid_map", O_RDONLY);
-+			if (fd >= 0) {
-+				count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-+				if (strncmp(uid_map, host_uid_map, count) != 0)
-+					rc = PAM_IGNORE;
-+				close(fd);
-+			}
-+			if (rc != PAM_IGNORE)
-+				errno = EACCES;
 +		}
 +		if (rc != PAM_IGNORE) {
- 			pam_syslog(pamh, LOG_ERR,
- 				   "Cannot open /proc/self/loginuid: %m");
++			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++				   "/proc/self/loginuid");
  		}
  		return rc;
  	}
 -	if (pam_modutil_write(fd, loginuid, count) != count)
 -		rc = 1;
 +
++	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
 +	if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
 +	    memcmp(buf, loginuid, count) == 0) {
 +		rc = PAM_SUCCESS;
 +		goto done;	/* already correct */
 +	}
 +	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-+	    pam_modutil_write(fd, loginuid, count) == count)
++	    pam_modutil_write(fd, loginuid, count) == count) {
 +		rc = PAM_SUCCESS;
++	} else {
++		if (rc != PAM_IGNORE) {
++			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++				   "/proc/self/loginuid");
++		}
++	}
 + done:
  	close(fd);
  	return rc;
  }
-@@ -164,6 +188,7 @@
+@@ -165,6 +196,7 @@
  {
          const char *user = NULL;
  	struct passwd *pwd;
@@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
  #ifdef HAVE_LIBAUDIT
  	int require_auditd = 0;
  #endif
-@@ -182,9 +207,14 @@
+@@ -183,9 +215,14 @@
  		return PAM_SESSION_ERR;
  	}
  
@@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
  	}
  
  #ifdef HAVE_LIBAUDIT
-@@ -194,11 +224,12 @@
+@@ -195,11 +232,12 @@
  		argv++;
  	}
  
diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch
new file mode 100644
index 00000000..6c6f1861
--- /dev/null
+++ b/debian/patches-applied/pam_namespace_fix_bashism.patch
@@ -0,0 +1,61 @@
+From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <vorlon@debian.org>
+Date: Tue, 14 Jan 2014 19:48:51 -0800
+Subject: pam_namespace: don't use bashisms in default namespace.init script
+
+* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
+namespace init script, so that scripts run with maximum privilege regardless
+of the shell implementation.
+* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
+shebang line
+
+This is not a POSIX standard option, it's a bashism.  The bash manpage says
+that it's used to prevent the effective user id from being reset to the real
+user id on startup, and to ignore certain unsafe variables from the
+environment.
+
+In the case of pam_namespace, the -p is not necessary for environment
+sanitizing because the PAM module (properly) sanitizes the environment
+before execing the script.
+
+The stated reason given in CVS history for passing -p is to "preserve euid
+when called from setuid apps (su, newrole)."  This should be done more
+portably, by calling setuid() before spawning the shell.
+
+Signed-off-by: Steve Langasek <vorlon@debian.org>
+Bug-Debian: http://bugs.debian.org/624842
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
+---
+ modules/pam_namespace/namespace.init  | 2 +-
+ modules/pam_namespace/pam_namespace.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init
+index 9ab5806..67d4aa2 100755
+--- a/modules/pam_namespace/namespace.init
++++ b/modules/pam_namespace/namespace.init
+@@ -1,4 +1,4 @@
+-#!/bin/sh -p
++#!/bin/sh
+ # It receives polydir path as $1, the instance path as $2,
+ # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+ # and user name in $4.
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index e0d5e30..92883f5 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+ 						_exit(1);
+ 				}
+ #endif
++				/* Pass maximum privs when we exec() */
++				if (setuid(geteuid()) < 0) {
++					/* ignore failures, they don't matter */
++				}
++
+ 				if (execle(init_script, init_script,
+ 					polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0)
+ 					_exit(1);
+-- 
+cgit v0.12
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 2108e861..51598ca8 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -15,7 +15,7 @@ hurd_no_setfsuid
 045_pam_dispatch_jump_is_ignore
 054_pam_security_abstract_securetty_handling
 055_pam_unix_nullok_secure
-cve-2011-4708.patch
+cve-2010-4708.patch
 PAM-manpage-section 
 update-motd
 no_PATH_MAX_on_hurd
@@ -24,3 +24,6 @@ pam-loginuid-in-containers
 cve-2013-7041.patch
 cve-2014-2583.patch
 cve-2015-3238.patch
+pam-limits-nofile-fd-setsize-cap
+pam_namespace_fix_bashism.patch
+make_documentation_reproducible.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
index a89655df..6c2af5bb 100644
--- a/debian/patches-applied/update-motd
+++ b/debian/patches-applied/update-motd
@@ -86,16 +86,16 @@ Index: pam.debian/modules/pam_motd/pam_motd.c
 -
 -	pam_info (pamh, "%s", mtmp);
 -	break;
-+    /* Run the update-motd dynamic motd scripts, outputting to /var/run/motd.
-+       If /etc/motd -> /var/run/motd, the displayed MOTD will be dynamic.
-+       Otherwise, the admin can force a static MOTD by breaking that symlink
-+       and publishing into an /etc/motd text file. */
++    /* Run the update-motd dynamic motd scripts, outputting to /run/motd.dynamic.
++       This will be displayed only when calling pam_motd with
++       motd=/run/motd.dynamic; current /etc/pam.d/login and /etc/pam.d/sshd
++       display both this file and /etc/motd. */
 +    if (do_update && (stat("/etc/update-motd.d", &st) == 0)
 +        && S_ISDIR(st.st_mode))
 +    {
 +	mode_t old_mask = umask(0022);
-+	if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /var/run/motd.new"))
-+	    rename("/var/run/motd.new", "/var/run/motd");
++	if (!system("/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"))
++	    rename("/run/motd.dynamic.new", "/run/motd.dynamic");
 +	umask(old_mask);
      }
  
diff --git a/debian/po/sv.po b/debian/po/sv.po
index dd57b1f7..f56344ee 100644
--- a/debian/po/sv.po
+++ b/debian/po/sv.po
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: pam 0.99.7.1-5\n"
 "Report-Msgid-Bugs-To: pam@packages.debian.org\n"
 "POT-Creation-Date: 2011-10-30 15:05-0400\n"
-"PO-Revision-Date: 2011-12-06 21:31+0100\n"
+"PO-Revision-Date: 2014-04-08 11:37+0200\n"
 "Last-Translator: Martin Bagge / brother <brother@bsnet.se>\n"
 "Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n"
 "Language: sv\n"
@@ -134,7 +134,7 @@ msgid ""
 msgstr ""
 "Pluggable Authentication Modules (PAM) hanterar hur autentisering, "
 "identifiering och byte av lösenord ska utföras på systemet. Dessutom "
-"hanteras särskilda åtgärder som ska vidtas vid uppstarta av "
+"hanteras särskilda åtgärder som ska vidtas vid uppstart av "
 "användarsessioner."
 
 #. Type: multiselect
diff --git a/debian/po/tr.po b/debian/po/tr.po
index ef0563e4..960ce5e8 100644
--- a/debian/po/tr.po
+++ b/debian/po/tr.po
@@ -8,15 +8,15 @@ msgstr ""
 "Project-Id-Version: pam 0.99.7.1-5\n"
 "Report-Msgid-Bugs-To: pam@packages.debian.org\n"
 "POT-Creation-Date: 2011-10-30 15:05-0400\n"
-"PO-Revision-Date: 2009-01-01 19:20+0200\n"
+"PO-Revision-Date: 2014-08-01 14:42+0200\n"
 "Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
 "Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
-"Language: \n"
+"Language: tr\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Poedit-Language: Turkish\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Poedit 1.5.4\n"
 
 #. Type: string
 #. Description
@@ -48,7 +48,6 @@ msgstr "Görüntü yöneticisinin elle yeniden başlatılması gerekli"
 #. Type: error
 #. Description
 #: ../libpam0g.templates:2001
-#, fuzzy
 #| msgid ""
 #| "The kdm, wdm, and xdm display managers require a restart for the new "
 #| "version of libpam, but there are X login sessions active on your system "
@@ -60,11 +59,11 @@ msgid ""
 "terminated by this restart.  You will therefore need to restart these "
 "services by hand before further X logins will be possible."
 msgstr ""
-"kdm, wdm ve xdm görüntü yöneticileri, libpam'ın yeni sürümünden "
-"yararlanabilmek için yeniden başlatılmalı; fakat sisteminizde etkin X "
-"oturumları var. Görüntü yöneticisi yeniden başlatılırsa bu oturumlar da "
-"kapatılır. Bu yüzden ileride yeni X oturumları açabilmek için bu hizmetleri "
-"elle yeniden başlatmanız gerekecek. "
+"wdm ve xdm görüntü yöneticileri, libpam'ın yeni sürümünden yararlanabilmek "
+"için yeniden başlatılmalı; fakat sisteminizde etkin X oturumları var.  "
+"Görüntü yöneticisi yeniden başlatılırsa bu oturumlar da kapatılır.  Bu "
+"yüzden ileride yeni X oturumları açabilmek için bu hizmetleri elle yeniden "
+"başlatmanız gerekecek. "
 
 #. Type: error
 #. Description
@@ -94,7 +93,7 @@ msgstr ""
 #. Description
 #: ../libpam0g.templates:4001
 msgid "Restart services during package upgrades without asking?"
-msgstr ""
+msgstr "Paket yükseltme esnasında hizmetler sorulmadan yeniden başlatılsın mı?"
 
 #. Type: boolean
 #. Description
@@ -108,18 +107,26 @@ msgid ""
 "necessary restarts will be done for you automatically so you can avoid being "
 "asked questions on each library upgrade."
 msgstr ""
+"Sisteminizde libpam, libc ve libssl gibi bazı kitaplıklar yükseltildiğinde "
+"yeniden başlatılması gereken bazı hizmetler kurulu. Yeniden başlatma "
+"işlemleri sisteminizin sunduğu hizmetlerde kesintilere neden olabileceğinden "
+"dolayı her yükseltme işlemi esnasında yeniden başlatmak istediğiniz "
+"hizmetler size sorulacaktır. Eğer bu sorunun sorulmasını istemiyorsanız bu "
+"seçeneği kullanabilirsiniz. Bu seçenek seçildiği takdirde bir kitaplık "
+"yükseltmesi yapılırken gereken tüm yeniden başlatma işlemleri size "
+"sorulmaksızın otomatik olarak yapılacaktır."
 
 #. Type: title
 #. Description
 #: ../libpam-runtime.templates:1001
 msgid "PAM configuration"
-msgstr ""
+msgstr "PAM yapılandırması"
 
 #. Type: multiselect
 #. Description
 #: ../libpam-runtime.templates:2001
 msgid "PAM profiles to enable:"
-msgstr ""
+msgstr "Etkinleştirilecek PAM profilleri:"
 
 #. Type: multiselect
 #. Description
@@ -130,6 +137,10 @@ msgid ""
 "allowing configuration of additional actions to take when starting user "
 "sessions."
 msgstr ""
+"Takılabilir Doğrulama Modülleri (PAM), sistemdeki kimlik doğrulama, izin "
+"verme ve parola değiştirme işlemlerinin ne şekilde idare edileceğine karar "
+"veren ve ayrıca kullanıcı oturumları başlatılırken atılması gereken adımları "
+"yapılandırmaya yarayan bir sistemdir."
 
 #. Type: multiselect
 #. Description
@@ -139,12 +150,16 @@ msgid ""
 "adjust the behavior of all PAM-using applications on the system.  Please "
 "indicate which of these behaviors you wish to enable."
 msgstr ""
+"Bazı PAM modül paketleri, sistemde mevcut olan ve PAM kullanan tüm "
+"uygulamaların davranışlarını otomatik olarak ayarlamaya yarayan profiller "
+"sağlar.  Lütfen bu davranışlardan hangisini etkinleştirmek istediğinizi "
+"belirtin."
 
 #. Type: error
 #. Description
 #: ../libpam-runtime.templates:3001
 msgid "Incompatible PAM profiles selected."
-msgstr ""
+msgstr "Uyumsuz PAM profilleri seçildi"
 
 #. Type: error
 #. Description
@@ -152,19 +167,20 @@ msgstr ""
 #. PAM profile names.
 #: ../libpam-runtime.templates:3001
 msgid "The following PAM profiles cannot be used together:"
-msgstr ""
+msgstr "Şu PAM profilleri birarada kullanılamaz:"
 
 #. Type: error
 #. Description
 #: ../libpam-runtime.templates:3001
 msgid "Please select a different set of modules to enable."
-msgstr ""
+msgstr "Lütfen farklı bir modül kümesi seçin."
 
 #. Type: boolean
 #. Description
 #: ../libpam-runtime.templates:4001
 msgid "Override local changes to /etc/pam.d/common-*?"
 msgstr ""
+"/etc/pam.d/common-* konumundaki yerel değişiklikler görmezden gelinsin mi?"
 
 #. Type: boolean
 #. Description
@@ -176,12 +192,17 @@ msgid ""
 "decline this option, you will need to manage your system's authentication "
 "configuration by hand."
 msgstr ""
+"/etc/pam.d/common-{auth,account,password,session} dosyalarından bir ya da "
+"daha fazlası yerel olarak değiştirilmiş.  Lütfen bu yerel değişikliklerin "
+"sistem tarafından sağlanan yapılandırma ile değiştirilmesine izin verip "
+"vermediğinizi belirtin.  Bu seçeneği kabul etmediğiniz takdirde sistemin "
+"kimlik doğrulama yapılandırmasını elinizle ayarlamanız gerekecektir."
 
 #. Type: error
 #. Description
 #: ../libpam-runtime.templates:5001
 msgid "No PAM profiles have been selected."
-msgstr ""
+msgstr "Hiçbir PAM profili seçilmedi."
 
 #. Type: error
 #. Description
@@ -191,6 +212,10 @@ msgid ""
 "all users access without authenticating, and is not allowed.  Please select "
 "at least one PAM profile from the available list."
 msgstr ""
+"Sistemde kullanılmak üzere hiçbir PAM modülü seçilmedi.  Bu durum tüm "
+"kullanıcılara hiçbir kimlik doğrulamaya maruz kalmaksızın erişim izni "
+"verilmesi anlamına gelir ve bu duruma izin verilmemektedir.  Lütfen mevcut "
+"profiller listesinden en az bir PAM profili seçin."
 
 #. Type: error
 #. Description
diff --git a/debian/watch b/debian/watch
index da5e1ef6..e137cd73 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,4 @@
 version=3
-opts=pasv ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-(.*).tar.gz
-
+opts=uversionmangle=s/^(\S+-doc)/0.0.$1/ \
+http://www.linux-pam.org/library/ \
+(?:|.*/)Linux-PAM(?:[_\-]v?|)(\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)