This bug was fixed in the package pam - 1.1.3-6ubuntu1

---------------
pam (1.1.3-6ubuntu1) precise; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
  * Dropped changes, included in Debian:
    - debian/patches-applied/update-motd: set a sane umask before calling
      run-parts, and restore the old mask afterwards, so /run/motd gets
      consistent permissions.
    - debian/patches-applied/update-motd: new module option for pam_motd,
      'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
    - debian/libpam0g.postinst: drop kdm from the list of services to
      restart.
  * Build-depend on libfl-dev in addition to flex, for cross-building
    support.

pam (1.1.3-6) unstable; urgency=low

  * debian/patches-applied/hurd_no_setfsuid: we don't want to check all
    setre*id() calls; we know that there are situations where some of these
    may fail but we don't care.  As long as the last setre*id() call in each
    set succeeds, that's the state we mean to be in.
  * debian/libpam0g.postinst: according to Kubuntu developers, kdm no longer
    keeps libpam loaded persistently at runtime, so it's not necessary to
    force a kdm restart on ABI bump.  Which is good, since restarting kdm
    now seems to also log users out of running sessions, which we rather
    want to avoid.  Closes: #632673, LP: #744944.
  * debian/patches-applied/update-motd: set a sane umask before calling
    run-parts, and restore the old mask afterwards, so /run/motd gets
    consistent permissions.  LP: #871943.
  * debian/patches-applied/update-motd: new module option for pam_motd,
    'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
    LP: #805423.
  * debian/libpam0g.templates, debian/libpam0g.postinst: add a new question,
    libraries/restart-without-asking, that allows admins to accept the
    service restarts once for all so that they don't have to repeatedly
    say "ok".  LP: #745004.
  * debian/libpam-runtime.templates, debian/local/pam-auth-update: add a
    new 'title' template, so pam-auth-update doesn't give a blank title
    when called outside of a maintainer script.  LP: #882794.
 -- Steve Langasek <email address hidden>   Mon, 07 Nov 2011 21:15:00 -0800