[Pkg-shadow-devel] Bug#1103832: Bug#1103832: Bug#1103832: shadow: CVE-2024-56433

Salvatore Bonaccorso carnil at debian.org
Sun Jun 14 13:21:03 BST 2026


Hi Chris,

On Fri, Jun 12, 2026 at 02:19:20PM +0200, Chris Hofstaedtler wrote:
> On Wed, Apr 30, 2025 at 06:02:52PM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Fri, Apr 25, 2025 at 03:10:10PM +0000, Moritz Mühlenhoff wrote:
> > > On Wed, Apr 23, 2025 at 05:04:22PM -0500, Serge E. Hallyn wrote:
> > > > On Tue, Apr 22, 2025 at 09:46:14PM +0200, Chris Hofstaedtler wrote:
> > > > > * Serge E. Hallyn <serge at hallyn.com> [250422 15:48]:
> > > > > > On Mon, Apr 21, 2025 at 08:08:50PM +0200, Salvatore Bonaccorso wrote:
> > > > > > > Though this will not really be fixable in code, it depends on how
> > > > > > > uids were assigned within a group of systems by system
> > > > > > > administrators. Let's link the downstream bug report and upstream, and maybe
> > > > > > > they come up with a documentation update reflecting the issue?
> > > > > > > 
> > > > > > > For further information see:
> > > > > > > 
> > > > > > > [0] https://security-tracker.debian.org/tracker/CVE-2024-56433
> > > > > > >     https://www.cve.org/CVERecord?id=CVE-2024-56433
> > > > > > > [1] https://github.com/shadow-maint/shadow/issues/1157
> > > > > > 
> > > > > > There is no id range that couldn't possibly conflict with some
> > > > > > site's network ids.  The only default safe for that concern is
> > > > > > to not automatically enable any subids.
> > > > > 
> > > > > Indeed. The question really is: what are we gonna do?
> > > > > 
> > > > > Should there be some form of documentation update, like a README?
> > > > 
> > > > Maybe debian changelog?
> > > 
> > > Or maybe simply add a note in the existing README.Debian?
> > 
> > In my opinion if it can be added to upstream documentation that would
> > be ideal, but agree that for Debian purposes otherwise we can add a
> > note on the problem to the README.Debian (or both in the end).
> > 
> > Chris, what do you think with you maintainer hat on here?
> 
> I was hoping there would be some upstream activity on this. 
> Unfortunately https://github.com/shadow-maint/shadow/issues/1157 
> seems completely stalled.
> 
> Not sure it makes sense to keep tracking this.

I asked in
https://github.com/shadow-maint/shadow/issues/1157#issuecomment-4701723167.
I would say that if there is no plan to otherwise handle it upstream with
a documentation update, then it might still be worth adding a note to a
Debian-specific README.Debian, as Moritz suggested, and being done with it.

Regards,
Salvatore
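The point raised at the top of this thread is that no default subordinate-ID range can be guaranteed not to overlap with UIDs a site assigns over the network. The following is an added example, not code from the shadow project, from Debian, or from any participant in this thread: it parses /etc/subuid entries (format owner:first_subid:count) together with passwd-format records (such as the output of `getent passwd`, which includes network-resolved accounts) and reports every account whose UID falls inside a delegated subid range. Because the third field of a group-format record is the GID, the same functions also check /etc/subgid against `getent group`, which goes beyond the UID case the thread discusses. The sample data embedded below is constructed for illustration; the `svc-build` account is a hypothetical network-assigned UID.

```python
"""Report collisions between subordinate ID ranges and account IDs.

Added example (not the shadow project's code).  Run stand-alone to check
the constructed sample data, or pass two files to check a real host, e.g.:

    python3 subid_check.py /etc/subuid <(getent passwd)
    python3 subid_check.py /etc/subgid <(getent group)
"""
import sys
from dataclasses import dataclass

# /etc/subuid format: owner:first_subid:count (owner may be a name or a uid).
# Constructed sample: two users with the customary 65536-ID allocations.
SUBUID_SAMPLE = """\
alice:100000:65536
bob:165536:65536
"""

# passwd-format records as `getent passwd` would print them.  'svc-build'
# is a constructed example of a network-assigned uid (170000) that lands
# inside bob's delegated range.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-build:x:170000:170000::/srv/build:/usr/sbin/nologin
"""


@dataclass(frozen=True)
class SubidRange:
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """Inclusive last ID of the range."""
        return self.start + self.count - 1

    def contains(self, ident: int) -> bool:
        return self.start <= ident <= self.end


def parse_subid(text: str) -> list[SubidRange]:
    """Parse /etc/subuid or /etc/subgid content; blank and '#' lines are skipped."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        ranges.append(SubidRange(owner, int(start), int(count)))
    return ranges


def parse_ids(text: str) -> dict[str, int]:
    """Map entry name -> numeric ID; works for passwd (uid) and group (gid) records."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        ids[fields[0]] = int(fields[2])
    return ids


def find_collisions(ranges, ids):
    """Return (owner, start, end, name, id) for every ID inside a subid range.

    Results are ordered by range as listed, then by ascending ID."""
    hits = []
    for r in ranges:
        for name, ident in sorted(ids.items(), key=lambda kv: kv[1]):
            if r.contains(ident):
                hits.append((r.owner, r.start, r.end, name, ident))
    return hits


def check_host(subid_text=SUBUID_SAMPLE, ids_text=PASSWD_SAMPLE):
    return find_collisions(parse_subid(subid_text), parse_ids(ids_text))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            hits = check_host(f.read(), g.read())
    else:
        hits = check_host()
    for owner, start, end, name, ident in hits:
        print(f"range {owner}:{start}-{end} contains {name} (id {ident})")
    sys.exit(1 if hits else 0)
```

A non-zero exit status when any collision is found lets the check run from a configuration-management hook before shadow's subid allocations are put to use on a host that also resolves network accounts.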


