diff --git a/btrfs-progs/PKGBUILD b/btrfs-progs/PKGBUILD
index 231a8ee..2d128d9 100644
--- a/btrfs-progs/PKGBUILD
+++ b/btrfs-progs/PKGBUILD
@@ -6,7 +6,7 @@
 #-----------------------------------------| DESCRIPTION |---------------------------------------
 pkgname=btrfs-progs
-pkgver=6.7
+pkgver=6.7.1
 pkgrel=01
 pkgdesc='Btrfs filesystem utilities w/o systemd'
 makedepends=('asciidoc' 'xmlto' 'python' 'python-setuptools' 'e2fsprogs'
@@ -72,10 +72,10 @@ license=('GPL-2.0-only')
 validpgpkeys=('F2B41200C54EFB30380C1756C565D5F9D76D583B')
-sha256sums=(c27f755185b9f2dab31f42e8a303d36bed2a3f3341cc6d75ee68a0a650a24767 # btrfs-progs-v6.7.tar.xz
- e44a1c6a33f06f38b4199db5c85202a930fd4e1a4e4f89b4cfce4afea0e61c01 # btrfs-progs-v6.7.tar.sign
+sha256sums=(24dc7b974f0a57ba0eca80f97440b840dfa85b0f1cb2c01bdfd97659a480b200 # btrfs-progs-v6.7.1.tar.xz
+ 181ebfef6c8fb7df1015478b5ecec2a33a49437ed1c4e48188eed722648b6ee1 # btrfs-progs-v6.7.1.tar.sign
 bbe60b35d1b1e2efc1308a8f54f1fdc6808240a81c5f5b4d75321b7ee86e41f4 # initcpio-install-btrfs
 35efeee8590d6d60c711ae9cdc918e4841ab61d10cb02359e65e36ebff95ffc5) # initcpio-hook-btrfs
-## 548361394d138e6cf48440daa570458c5a018eea77c5a7fa24ed996991cf80d0 btrfs-progs-6.7-01-x86_64.pkg.tar.lz
+## 2b7c446a389b12c5e059dfff5f25782e39c0bdeb8589f4cc1000dc4b7ff5a1f1 btrfs-progs-6.7.1-01-x86_64.pkg.tar.lz
diff --git a/btrfs-progs/PKGBUILD-arch b/btrfs-progs/PKGBUILD-arch
index dd67bd4..ca63b40 100644
--- a/btrfs-progs/PKGBUILD-arch
+++ b/btrfs-progs/PKGBUILD-arch
@@ -3,7 +3,7 @@
 # Contributor: Tobias Powalowski
 pkgname=btrfs-progs
-pkgver=6.7
+pkgver=6.7.1
 pkgrel=1
 pkgdesc='Btrfs filesystem utilities'
 arch=('x86_64')
@@ -28,7 +28,7 @@ source=("https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/btrfs-
 install=btrfs-progs.install
 options=(!staticlibs)
 sha256sums=('SKIP'
- 'c27f755185b9f2dab31f42e8a303d36bed2a3f3341cc6d75ee68a0a650a24767'
+ '24dc7b974f0a57ba0eca80f97440b840dfa85b0f1cb2c01bdfd97659a480b200'
 'bbe60b35d1b1e2efc1308a8f54f1fdc6808240a81c5f5b4d75321b7ee86e41f4'
 '35efeee8590d6d60c711ae9cdc918e4841ab61d10cb02359e65e36ebff95ffc5'
 'eaa7af92d28bfa8940bb551560fd7be777f9f175292eaa72b5f6ef00fb240252'
diff --git a/pam/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch b/pam/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
new file mode 100644
index 0000000..7df83bf
--- /dev/null
+++ b/pam/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
@@ -0,0 +1,27 @@
+From 470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Fri, 19 Jan 2024 10:09:00 +0100
+Subject: [PATCH] pam_unix: do not warn if password aging is disabled
+
+Later checks will print a warning if daysleft is 0. If password
+aging is disabled, leave daysleft at -1.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/743
+Fixes: 9ebc14085a3b ("pam_unix: allow disabled password aging")
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_unix/passverify.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 5c4f862e7..1bc98fa25 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ }
+ if (spent->sp_lstchg < 0) {
+ D(("password aging disabled"));
+- *daysleft = 0;
+ return PAM_SUCCESS;
+ }
+ if (curdays < spent->sp_lstchg) {
diff --git a/pam/PKGBUILD b/pam/PKGBUILD
index 8a09742..6d160dc 100644
--- a/pam/PKGBUILD
+++ b/pam/PKGBUILD
@@ -7,7 +7,7 @@
 pkgname=pam
 pkgver=1.6.0
-pkgrel=03
+pkgrel=04
 pkgdesc="PAM (Pluggable Authentication Modules) library - w/o systemd"
 url="http://linux-pam.org"
 depends=('glibc' 'libtirpc' 'pambase' 'audit' 'libaudit.so' 'libxcrypt' 'libcrypt.so')
@@ -15,10 +15,24 @@ makedepends=('flex' 'w3m' 'docbook-xml>=4.4' 'docbook-xsl')
 provides=('libpam.so' 'libpamc.so' 'libpam_misc.so')
 backup=(etc/security/{access.conf,faillock.conf,group.conf,limits.conf,namespace.conf,namespace.init,pwhistory.conf,pam_env.conf,time.conf} etc/environment)
 source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver{,-docs}.tar.xz{,.asc}
+ https://github.com/linux-pam/linux-pam/commit/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
+ https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620.patch
 $pkgname.tmpfiles)
- options=('!emptydirs')
+prepare() {
+ cd Linux-PAM-$pkgver
+ # apply patch from the source array (should be a pacman feature)
+ local src
+ for src in "${source[@]}"; do
+ src="${src%%::*}"
+ src="${src##*/}"
+ [[ $src = *.patch ]] || continue
+ echo "Applying patch $src..."
+ patch -Np1 < "../$src"
+ done
+}
+
 build() {
 cd Linux-PAM-$pkgver
 # prevent the installation of an unneeded systemd file:
@@ -67,7 +81,7 @@ post_install() {
 arch=(x86_64)
-license=('GPL2')
+license=('GPL-2.0-only')
 validpgpkeys=(8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB # Thorsten Kukuk
 296D6F29A020808E8717A8842DB5BD89A340AEB7) #Dimitry V. Levin
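Review bot: In the `prepare()` loop added in the `@@ -15,10 +15,24 @@` hunk, `patch -Np1 < "../$src"` locates the patch only relative to the `cd Linux-PAM-$pkgver` one line above; the usual cwd-independent form is `patch -Np1 -i "$srcdir/$src"`. The same loop is added to pam/PKGBUILD-arch in a later hunk, and both files take the two `.patch` sources from GitHub's generated `commit/<sha>.patch` endpoint even though this commit also vendors the same files under pam/. A checkout that has the vendored copies presumably builds from them (makepkg appears to reuse an existing file of that name before downloading), but a fresh download depends on GitHub rendering the commit byte-identically, which is not guaranteed; the pinned sha256 turns any drift into a loud mismatch rather than an unverified patch, so the simpler and hermetic option is to list the vendored files as plain local sources, `470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch` and `b7b96362087414e52524d3d9d9b3faa21e1db620.patch`, with no URL. The comment would also read better as `# apply patches from the source array`.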
@@ -76,7 +90,9 @@ sha256sums=(fff4a34e5bbee77e2e8f1992f27631e2329bcbf8a0563ddeb5c3389b4e3169ad #
 de8059f3c5ede8efe8feaa74db64e27f2a8d0b6efb119d6b7b7f9baea78dc57a # Linux-PAM-1.6.0.tar.xz.asc
 3e82730d3350795c42f3708f6609a92c1df841d518aa17c28fd702fe5ec23a32 # Linux-PAM-1.6.0-docs.tar.xz
 bc052464739edb68fc170b660253cca7adc596056cb2a60f11262639a3d3e1e9 # Linux-PAM-1.6.0-docs.tar.xz.asc
+ ee7333ad2c8b2a710c73d8a2d202027d0c79d3628fefe58073f2d78ecefa121e # 470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
+ 450760e1989f036acee157f91a3028264f8ce7fb0cbdd65eccf8a0fc0084497c # b7b96362087414e52524d3d9d9b3faa21e1db620.patch
 5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac) # pam.tmpfiles
-## 8fb425ef6dfe311d95408d4cac67f12389a7a5bc5dd81ba9cab6321818367384 pam-1.6.0-03-x86_64.pkg.tar.lz
+## 2b41498e68f35858bd73fa7b133bb24a9a6e6aa6b1847d9a1b9b169dae3906c1 pam-1.6.0-04-x86_64.pkg.tar.lz
diff --git a/pam/PKGBUILD-arch b/pam/PKGBUILD-arch
index 9373b09..e6c67b8 100644
--- a/pam/PKGBUILD-arch
+++ b/pam/PKGBUILD-arch
@@ -4,16 +4,18 @@
 pkgname=pam
 pkgver=1.6.0
-pkgrel=3
+pkgrel=4
 pkgdesc="PAM (Pluggable Authentication Modules) library"
 arch=('x86_64')
-license=('GPL2')
+license=('GPL-2.0-only')
 url="http://linux-pam.org"
 depends=('glibc' 'libtirpc' 'pambase' 'audit' 'libaudit.so' 'libxcrypt' 'libcrypt.so')
 makedepends=('flex' 'w3m' 'docbook-xml>=4.4' 'docbook-xsl')
 provides=('libpam.so' 'libpamc.so' 'libpam_misc.so')
 backup=(etc/security/{access.conf,faillock.conf,group.conf,limits.conf,namespace.conf,namespace.init,pwhistory.conf,pam_env.conf,time.conf} etc/environment)
 source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver{,-docs}.tar.xz{,.asc}
+ https://github.com/linux-pam/linux-pam/commit/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
+ https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620.patch
 $pkgname.tmpfiles)
 validpgpkeys=(
 '8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB' # Thorsten Kukuk
@@ -24,10 +26,25 @@ sha256sums=('fff4a34e5bbee77e2e8f1992f27631e2329bcbf8a0563ddeb5c3389b4e3169ad'
 'SKIP'
 '3e82730d3350795c42f3708f6609a92c1df841d518aa17c28fd702fe5ec23a32'
 'SKIP'
+ 'ee7333ad2c8b2a710c73d8a2d202027d0c79d3628fefe58073f2d78ecefa121e'
+ '450760e1989f036acee157f91a3028264f8ce7fb0cbdd65eccf8a0fc0084497c'
 '5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac')
 options=('!emptydirs')
+prepare() {
+ cd Linux-PAM-$pkgver
+ # apply patch from the source array (should be a pacman feature)
+ local src
+ for src in "${source[@]}"; do
+ src="${src%%::*}"
+ src="${src##*/}"
+ [[ $src = *.patch ]] || continue
+ echo "Applying patch $src..."
+ patch -Np1 < "../$src"
+ done
+}
+
 build() {
 cd Linux-PAM-$pkgver
 ./configure \
diff --git a/pam/b7b96362087414e52524d3d9d9b3faa21e1db620.patch b/pam/b7b96362087414e52524d3d9d9b3faa21e1db620.patch
new file mode 100644
index 0000000..75bc954
--- /dev/null
+++ b/pam/b7b96362087414e52524d3d9d9b3faa21e1db620.patch
@@ -0,0 +1,73 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+
+Keep logging for future analysis though.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0d..7ffcb9e3f 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+- printf("-1\n");
+- fflush(stdout);
+- _exit(PAM_AUTHINFO_UNAVAIL);
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ uid_t euid = geteuid();
++ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
++ if (euid == 0) {
++ printf("-1\n");
++ fflush(stdout);
++ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+ }
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f9..69811048e 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- D(("setuid failed"));
+- _exit(PAM_AUTHINFO_UNAVAIL);
+- }
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ D(("setuid failed"));
++ if (geteuid() == 0) {
++ _exit(PAM_AUTHINFO_UNAVAIL);
++ }
+ }
+
+ /* exec binary helper */