[Pkg-shadow-devel] Bug#309587: marked as done (shadow: CAN-2004-1001 still in sarge)

Debian Bug Tracking System owner@bugs.debian.org
Wed, 18 May 2005 00:33:11 -0700


Your message dated Wed, 18 May 2005 03:17:43 -0400
with message-id <E1DYIoJ-0008Pj-00@newraff.debian.org>
and subject line Bug#309587: fixed in shadow 1:4.0.3-31sarge5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 May 2005 06:01:49 +0000
From: Christian Perrier <bubulle@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shadow: CAN-2004-1001 still in sarge
X-Mailer: reportbug 3.12
Date: Wed, 18 May 2005 07:44:37 +0200
X-Debbugs-Cc: team@security.debian.org
Message-Id: <20050518054437.DF3ED2329F@mykerinos.kheops.frmug.org>

Package: shadow
Severity: normal
Tags: security sarge sid

It appears that, for some mysterious reason, the patch we applied in
4.0.3-30.3 for shadow is currently NOT applied in 4.0.3-31sarge4.

As a consequence, the version of shadow in sarge IS affected and I hereby
tag this bug as release critical.

I'm preparing an urgent upload to t-p-u to fix this. The next upload to the
unstable branch will also fix shadow there.

Martin and security team people, CAN-2004-1001 stated that sid (and now
sarge) are fixed, which they were back in November 2004.

I'm very probably responsible for the mistake at some moment in the
complicated life of the shadow package these months. Please receive my
apologies for the possible extra work if a security announcement is to be
issued.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

---------------------------------------
Received: (at 309587-close) by bugs.debian.org; 18 May 2005 07:23:03 +0000
From: Christian Perrier <bubulle@debian.org>
To: 309587-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#309587: fixed in shadow 1:4.0.3-31sarge5
Message-Id: <E1DYIoJ-0008Pj-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 18 May 2005 03:17:43 -0400

Source: shadow
Source-Version: 1:4.0.3-31sarge5

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-31sarge5_i386.deb
  to pool/main/s/shadow/login_4.0.3-31sarge5_i386.deb
passwd_4.0.3-31sarge5_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-31sarge5_i386.deb
shadow_4.0.3-31sarge5.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-31sarge5.diff.gz
shadow_4.0.3-31sarge5.dsc
  to pool/main/s/shadow/shadow_4.0.3-31sarge5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 309587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 18 May 2005 07:35:04 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-31sarge5
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 309587
Changes: 
 shadow (1:4.0.3-31sarge5) testing-proposed-updates; urgency=high
 .
   * Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch
     which fixed the "Adjusted password check to fix authentication bypass"
     security issue (CAN-2004-1001)
     Closes: #309587
Files: 
 ce5a6a846b83087bfea49bf4b9ee580e 839 base required shadow_4.0.3-31sarge5.dsc
 9a9c1dac3608118854f7c3315130bbdb 1319694 base required shadow_4.0.3-31sarge5.diff.gz
 8de629a8c268473b8c91a41fa7769d17 528570 base required passwd_4.0.3-31sarge5_i386.deb
 17aebc85bd0c21f1511934eba61b0dac 575772 base required login_4.0.3-31sarge5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCiuKH1OXtrMAUPS0RAi/RAJ91JWjiZh+jqDStcd7EtWb74I0F3gCfTsJ6
wPHu3s4TsiuK5Tq2m2hxagY=
=y5Im
-----END PGP SIGNATURE-----