Fedora has issued an advisory on December 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXQ7FDHYLED67W25CECAG23E5F5V6LXK/ The issue was introduced in 1.5.0 and fixed in 1.5.1. However, Fedora had to patch 1.3.1. They caused the issue in their 1.3.1 package with the addition of pam-1.3.1-determinine-user-exists.patch, which was added after the last time I synced patches with them, so we are not affected. Filing this bug to document that fact and make that clear.
Closing.
Status: NEW => RESOLVEDResolution: (none) => INVALID