[Pkg-shadow-devel] Re: Security fix for shadow in sarge

Moritz Muehlenhoff jmm at inutil.org
Fri Jun 30 17:57:00 UTC 2006


Martin Schulze wrote:
> Christian Perrier wrote:
> > Back in March, after a password leaking problem was discovered first
> > in Ubuntu then in sarge default installs under certain conditions, a
> > fix for the shadow package has been sent to you. This fix needed to be
> > coordinated with a base-config fix which has been recently processed
> > for r3 inclusion.
> > 
> > We (shadow team) did NOT upload a fixed version of shadow anywhere.
> 
> There's an updated shadow package in the security queue, and I
> remember asking for help with this issue, but didn't get a response.

IIRC the necessary fix required both changes to base-config and shadow.
While we had the shadow fix in the queue we were waiting for the base-config
fix by Joey Hess. I prodded him at DebConf, but it seems as if he uploaded
it directly to stable-proposed-updates instead of stable-security or
sending it to us. So the update should be fine now.

Meanwhile another shadow issue popped up: CVE-2006-1174 (missing args passed
to open(), so that random memory might be used instead). It's of very low
impact, but could you check whether Sarge is affected?
http://cvs.pld.org.pl/shadow/NEWS?rev=1.109

Cheers,
        Moritz
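The bug class Moritz refers to (an open() call that passes O_CREAT without the third, mode argument, so the new file's permission bits come from whatever happens to be in the variadic slot) is easy to guard against in code that creates files. The following is an added example, not code from the shadow package or from this thread: it wraps open() so the mode is always explicit, verifies the created file's permission bits with fstat(), and provides a macro that makes a missing mode a compile error rather than a silent defect. The file path and the helper names are assumptions chosen for the example.

```c
/* Added example (not from shadow or the mailing list thread):
 * always pass an explicit mode to open() when O_CREAT is set, and
 * verify the resulting permission bits. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Three-argument wrapper: a caller who forgets the mode gets a compile
 * error ("macro requires 3 arguments") instead of an unpredictable mode.
 * Plain open() is variadic, so the compiler cannot catch the omission. */
#define OPEN_CREATE(path, flags, mode) open((path), (flags) | O_CREAT, (mode))

/* Create (or truncate) a file with an explicit permission mode.
 * Returns the open descriptor, or -1 with errno set. */
int create_with_mode(const char *path, mode_t mode)
{
    /* The defective pattern would be: open(path, O_WRONLY | O_CREAT);
     * with no mode, the kernel receives garbage permission bits. */
    return OPEN_CREATE(path, O_WRONLY | O_TRUNC | O_CLOEXEC, mode);
}

/* Create the file, read back its permission bits via fstat(), remove it,
 * and return the bits (0..07777), or -1 on failure. The umask is cleared
 * for the duration so the result equals the requested mode exactly. */
int created_mode_bits(const char *path, mode_t mode)
{
    mode_t old_umask = umask(0);
    int fd = create_with_mode(path, mode);
    umask(old_umask);
    if (fd < 0)
        return -1;

    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);           /* clean up the example file */
    if (rc != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    /* Constructed example path; any writable location works. */
    const char *path = "/tmp/pkg_shadow_mode_example.tmp";
    int bits = created_mode_bits(path, 0600);
    if (bits < 0) {
        perror("created_mode_bits");
        return 1;
    }
    printf("requested mode 0600, created file has mode %04o\n", bits);
    return bits == 0600 ? 0 : 1;
}
```

The check in created_mode_bits() is the kind of post-condition a reviewer would want for any code that creates credential or password-related files: whatever the caller asked for should be exactly what ends up on disk, with nothing left to the contents of an unset register or stack slot.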


