[Pkg-shadow-devel] Bug#309587: shadow: CAN-2004-1001 still in sarge

Christian Perrier Christian Perrier <bubulle@debian.org>, 309587@bugs.debian.org
Wed, 18 May 2005 07:44:37 +0200


Package: shadow
Severity: normal
Tags: security sarge sid

It appears that, for some mysterious reason, the patch we applied in
4.0.3-30.3 for shadow is currently NOT applied in 4.0.3-31sarge4.

As a consequence, the version of shadow in sarge IS affected and I hereby
tag this bug as release critical.

I'm preparing an urgent upload to t-p-u to fix this. The next upload to the
unstable branch will also fix shadow there

Martin and security team people, CAN-2004-1001 stated that sid (and now
sarge) are fixed, which they were back in November 2004.

I'm very probably responsible for the mistake at some moment in the
complicated life of the shadow package these months. Please receive my
apologies for the possible extra work if a security announcement is to be
issued.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)