Hello, I am writing on behalf of the CyberResponse initiative to report a status update for *CVE-2025-8941* regarding the pam package.

After performing a manual triage on the source code for both Stable (Bookworm) and Testing (Trixie), we have verified that the vulnerability is already addressed in the current repository versions.

Evidence: The logic fix in modules/pam_namespace/pam_namespace.c within the ns_setup function is present as follows:

Debian 12 (Bookworm) - pam 1.5.2-6: Verified at line 1889.
Debian 13 (Trixie) - pam 1.7.0-5: Verified at line 1889.

Verified code:

    if (errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE))

This check correctly prevents the insecure failure path described in the CVE by ensuring that the process halts if the directory does not exist and the creation flag is absent.

We suggest updating the Security Tracker status to fixed for these releases.

Best regards,
bleon
CyberResponse Team
