This bug was fixed in the package pam - 1.0.1-10ubuntu1

---------------
pam (1.0.1-10ubuntu1) karmic; urgency=low

  * Merge from Debian, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf.  (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
      run-parts does the right thing in /etc/update-motd.d.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent showing
      it again.

pam (1.0.1-10) unstable; urgency=high

  [ Steve Langasek ]
  * Updated debconf translations:
    - Finnish, thanks to Esko Arajärvi <email address hidden> (closes: #520785)
    - Russian, thanks to Yuri Kozlov <email address hidden> (closes: #521874)
    - German, thanks to Sven Joachim <email address hidden> (closes: #521530)
    - Basque, thanks to Piarres Beobide <email address hidden>
      (closes: #524285)
  * When no profiles are chosen in pam-auth-update, throw an error message
    and prompt again instead of letting the user end up with an insecure
    system.  This introduces a new debconf template.  Closes: #519927,
    LP: #410171.

  [ Kees Cook ]
  * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes
    for MINDAYS-Field regression (closes: #514437).
  * debian/control: add missing misc:Depends for packages that need it.

  [ Sam Hartman ]
  * Remove conflicts information for transitions prior to woody release
  * Fix lintian overrides for libpam-runtime
  * Overrides for lintian finding quilt patches
  * pam_mail-fix-quiet: patch from Andreas Henriksson
    applied upstream to fix quiet option of pam_mail, Closes: #439268

  [ Dustin Kirkland ]
  * debian/patches/update-motd: run the update-motd scripts in pam_motd;
    render update-motd obsolete, LP: #399071

  [ Sam Hartman ]
  * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
    (CVE-2009-0887) (Closes: #520115)

 -- Steve Langasek <email address hidden>   Fri, 07 Aug 2009 09:50:02 +0100