diff --git a/ChangeLog b/ChangeLog
index 89fe7f75..d872829c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/su.c: Avoid terminating the PAM library in the forked
+	child.  This is done later in the parent after closing the PAM
+	session. This fixes http://bugs.debian.org/412061.
+	Debian patch 405_su_no_pam_end_before_exec.
+
 2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* man/newgrp.1.xml: Mention sg in the newgrp manpage.
diff --git a/NEWS b/NEWS
index 6682ec06..d4021ae4 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2					UNRELEASED
   addition* to editing the password field.  Debian patch 494_passwd_lock.
 - pwck: Remove the SHADOWPWD preprocessor check. Some check for /etc/shadow
   were always missing.
+- su: Avoid terminating the PAM library in the forked child. This is done
+  later in the parent after closing the PAM session.
 
 shadow-4.0.18.1 -> shadow-4.0.18.2					28-10-2007
 
diff --git a/src/su.c b/src/su.c
index a48e5296..2568f101 100644
--- a/src/su.c
+++ b/src/su.c
@@ -183,7 +183,12 @@ static void run_shell (const char *shellstr, char *args[], int doshell,
 
 	child = fork ();
 	if (child == 0) {	/* child shell */
-		pam_end (pamh, PAM_SUCCESS);
+		/*
+		 * PAM_DATA_SILENT is not supported by some modules, and
+		 * there is no strong need to clean up the process space's
+		 * memory since we will either call exec or exit.
+		pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+		 */
 
 		if (doshell)
 			(void) shell (shellstr, (char *) args[0], envp);