+libpve-access-control (8.1.4) bookworm; urgency=medium
+
+ * fix #5335: sort ACL entries in user.cfg to make it easier to track changes
+
+ -- Proxmox Support Team <support@proxmox.com> Mon, 22 Apr 2024 13:45:22 +0200
+
+libpve-access-control (8.1.3) bookworm; urgency=medium
+
+ * user: password change: require confirmation-password parameter so that
+ anybody gaining local or physical access to a device where a user is
+ logged in on a Proxmox VE web-interface cannot give them more permanent
+ access or deny the actual user accessing their account by changing the
+ password. Note that such an attack scenario means that the attacker
+ already has high privileges and can already control the resource
+ completely through another attack.
+ Such initial attacks (like stealing an unlocked device) are almost always
+ are outside of the control of our projects. Still, hardening the API a bit
+ by requiring a confirmation of the original password is to cheap to
+ implement to not do so.
+
+ * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes,
+ like comments, correctly
+
+ -- Proxmox Support Team <support@proxmox.com> Fri, 22 Mar 2024 14:14:36 +0100
+
+libpve-access-control (8.1.2) bookworm; urgency=medium
+
+ * add Sys.AccessNetwork privilege
+
+ -- Proxmox Support Team <support@proxmox.com> Wed, 28 Feb 2024 15:42:12 +0100
+
+libpve-access-control (8.1.1) bookworm; urgency=medium
+
+ * LDAP sync: fix-up assembling valid attribute set
+
+ -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 19:03:26 +0100
+
+libpve-access-control (8.1.0) bookworm; urgency=medium
+
+ * api: user: limit the legacy user-keys option to the depreacated values
+ that could be set in the first limited TFA system, like e.g., 'x!yubico'
+ or base32 encoded secrets.
+
+ * oidc: enforce generic URI regex for the ACR value to align with OIDC
+ specifications and with Proxmox Backup Server, which was recently changed
+ to actually be less strict.
+
+ * LDAP sync: improve validation of synced attributes, closely limit the
+ mapped attributes names and their values to avoid glitches through odd
+ LDIF entries.
+
+ * api: user: limit maximum length for first & last name to 1024 characters,
+ email to 254 characters (the maximum actually useable in practice) and
+ comment properties to 2048 characters. This avoid that a few single users
+ bloat the user.cfg to much by mistake, reducing the total amount of users
+ and ACLs that can be set up. Note that only users with User.Modify and
+ realm syncs (setup by admins) can change these in the first place, so this
+ is mostly to avoid mishaps and just to be sure.
+
+ -- Proxmox Support Team <support@proxmox.com> Thu, 08 Feb 2024 17:50:59 +0100
+
+libpve-access-control (8.0.7) bookworm; urgency=medium
+
+ * fix #1148: allow up to three levels of pool nesting
+
+ * pools: record parent/subpool information
+
+ -- Proxmox Support Team <support@proxmox.com> Mon, 20 Nov 2023 12:24:13 +0100
+
+libpve-access-control (8.0.6) bookworm; urgency=medium
+
+ * perms: fix wrong /pools entry in default set of ACL paths
+
+ * acl: add missing SDN ACL paths to allowed list
+
+ -- Proxmox Support Team <support@proxmox.com> Fri, 17 Nov 2023 08:27:11 +0100
+
libpve-access-control (8.0.5) bookworm; urgency=medium
* fix an issue where setting ldap passwords would refuse to work unless