+libpve-access-control (8.1.3) bookworm; urgency=medium
+
+ * user: password change: require confirmation-password parameter so that
+ anybody gaining local or physical access to a device where a user is
+ logged in on a Proxmox VE web-interface cannot give them more permanent
+ access or deny the actual user accessing their account by changing the
+ password. Note that such an attack scenario means that the attacker
+ already has high privileges and can already control the resource
+ completely through another attack.
+ Such initial attacks (like stealing an unlocked device) are almost always
+ are outside of the control of our projects. Still, hardening the API a bit
+ by requiring a confirmation of the original password is to cheap to
+ implement to not do so.
+
+ * jobs: realm sync: fix scheduled LDAP syncs not applying all attributes,
+ like comments, correctly
+
+ -- Proxmox Support Team <support@proxmox.com> Fri, 22 Mar 2024 14:14:36 +0100
+
libpve-access-control (8.1.2) bookworm; urgency=medium
* add Sys.AccessNetwork privilege