[Pkg-shadow-devel] shadow 4.1.2.1 released - security bug fix
Nicolas François
nicolas.francois at centraliens.net
Thu Jun 26 21:04:05 UTC 2008
Hello,
I've released shadow 4.1.2.1 to fix a security bug similar to CVE-2008-1926.
It affects login when compiled with audit support.
 * Debian is not affected (not configured with audit support)
 * Fedora is not affected (the login used by Fedora is coming from
   util-linux-ng)
You can find the 4.1.2.1 archive in:
ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.2.1.tar.bz2
ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.2.1.tar.bz2.sig
Here is the comprehensive changelog for this release:
shadow-4.1.2 -> shadow-4.1.2.1                                26-06-2008

*** security
- Fix an "audit log injection" vulnerability in login.
  This vulnerability makes it easier for attackers to hide activities by
  modifying portions of log events, e.g. by appending an addr= statement
  to the login name.
Best Regards,
--
Nekral
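
The changelog entry above, as an added illustration that is not code from shadow or from this release: a login name pasted verbatim into a space-separated key=value record gives a reader two addr= fields, while quoting clean names and hex-encoding the rest keeps it at one. The record layout, the function names and the sample values are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define PEER "192.0.2.7"            /* constructed sample address */
#define NAME "alice addr=10.0.0.5"  /* constructed login-name input */

/* 1 if the value could end its field or start a new one. */
int needs_encoding(const char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s <= 0x20 || (unsigned char)*s >= 0x7f ||
            *s == '"' || *s == '=')
            return 1;
    return 0;
}

/* hardened=0 pastes the login name in verbatim; hardened=1 quotes clean
 * names and hex-encodes anything else (names are capped at 64 bytes). */
void format_record(int hardened, char *out, size_t n, const char *acct)
{
    char enc[2 * 64 + 3] = "";
    size_t i, len = strlen(acct) > 64 ? 64 : strlen(acct);
    if (!hardened)
        snprintf(enc, sizeof enc, "%.64s", acct);
    else if (!needs_encoding(acct))
        snprintf(enc, sizeof enc, "\"%.64s\"", acct);
    else
        for (i = 0; i < len; i++)
            snprintf(enc + 2 * i, 3, "%02X", (unsigned char)acct[i]);
    snprintf(out, n, "op=login acct=%s addr=%s res=failed", enc, PEER);
}

/* Number of addr= fields a reader splitting on spaces would see. */
int addr_fields(int hardened, const char *acct)
{
    char rec[256];
    int hits = 0;
    const char *p;
    format_record(hardened, rec, sizeof rec, acct);
    for (p = rec; (p = strstr(p, "addr=")) != NULL; p += 5)
        if (p == rec || p[-1] == ' ')
            hits++;
    return hits;
}

int main(void)
{
    printf("naive=%d hardened=%d\n", addr_fields(0, NAME), addr_fields(1, NAME));
    return 0;
}
```

Because a clean name is always quoted and an encoded one never is, a reader can tell a hex-encoded value from a login name that happens to consist of hex digits.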