Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-lts-changes@lists.debian.org> , <dispatch@tracker.debian.org>
Subject: Accepted shadow 1:4.4-4.1+deb9u1 (source) into oldstable
Date: Wed, 17 Mar 2021 12:50:12 +0000
Signed by: Sylvain Beucler <beuc@beuc.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 Mar 2021 10:27:01 +0100
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.4-4.1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 756630
Changes:
 shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
     Adding pts/* defeats the purpose of securetty. Let containers add it
     if needed as described in #830255.
     (cherry-picked from 1:4.5-1)
     See also #877374 (previous proposed update) and #914957
     (/etc/securetty will be dropped in bullseye).
   * CVE-2017-12424: the newusers tool could be made to manipulate internal
     data structures in ways unintended by the authors. Malformed input may
     lead to crashes (with a buffer overflow or other memory corruption) or
     other unspecified behaviors. This crosses a privilege boundary in, for
     example, certain web-hosting environments in which a Control Panel
     allows an unprivileged user account to create subaccounts.
     (Closes: #756630)
Checksums-Sha1:
 685135e254cfb9368d9fbae04bb80b01f0d088a8 2326 shadow_4.4-4.1+deb9u1.dsc
 78d965cad860744e9e919c5a6168e6820200d5e7 3003036 shadow_4.4.orig.tar.gz
 81f196609fc471ab8b867abc361227adf876cb94 601380 shadow_4.4-4.1+deb9u1.debian.tar.xz
 829cc7da8cab8b5c1b5a1561e5234ed41be3cbc9 8168 shadow_4.4-4.1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 b26ba339cc5a60a15173eb6fa3d4f700aece86c6f34e89e04f9d8e11a589e8f7 2326 shadow_4.4-4.1+deb9u1.dsc
 1323e7e932836e03dbfa441f7eeb349ede2c92d62b788ade0732411fd516be3d 3003036 shadow_4.4.orig.tar.gz
 d9cb3b85cac743cc2b16e07601d1a6ccc261981117948694058e557d7baeec08 601380 shadow_4.4-4.1+deb9u1.debian.tar.xz
 e45c9eab306ea513ce973289bd4f3e33fe6f49a7329ca7bc1f0f10ca3bb0d1bd 8168 shadow_4.4-4.1+deb9u1_amd64.buildinfo
Files:
 6060e5119590fd4bca315bc6c97358d7 2326 admin required shadow_4.4-4.1+deb9u1.dsc
 8b4123557c71e4c010c2188747be07ef 3003036 admin required shadow_4.4.orig.tar.gz
 2b952c8322269dee9f01037e7b8d3d94 601380 admin required shadow_4.4-4.1+deb9u1.debian.tar.xz
 bf6e4e13e9aa307709a3ac4b047c767b 8168 admin required shadow_4.4-4.1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmBR+AUACgkQDTl9HeUl
XjB8Nw//YHqU6VuogSWs6sa+cCN/7Ko0Y+Y0Y8AqwVzOJKZHweQ+Q8mj+YcAKE85
wzcwvjcVgNY7bbhd7OG8xT5eUQD5egAFfj8y1TWQt0QvOoRb6xxE8v61UQRByb0a
IWfilmPS8W2eHrtwnf53h+mQTXOApcTPrWnCelWBIVxz3wuB0bvFB8UNOg4Y1iK4
cudjQPaROdXG8DPU1RwCHy6CIZQg9fDDA7aRyaAi95iATssO+sr3AmVXayQzjyCL
cC6VR7vLTRbscTTjAjB3ebnLOzX8B4wrb+cTAF/Fekbuf9BLMH83fOIoLzXya0ym
LDKjX8i2IZwv/6GXMP7gZdj4upue0Ba5XSZyI4QeBwwcRdxZyfD2zsuqwnpOseoC
W2gEtFejx/mZxslFU3u+mpZpVjU7/XH9oEzLGHazqeYbJtV7Kb5vxKGJnri4TuuX
oadlx3isJUBsN7yysjHOPky2/fMZxxpdaBW6o6u11b9AUmMiyV2UC5XPabvfzRU0
Lr3Wl7bY18imIMQKt50grQKYtdTkiO792iVgtOaappIE9/YZU9zbJYAwhTyq0P4s
0fEm+cilcSIbgQSuF2AJp8+ZkTn80oQqu9jO0NIuJr7h0Dimv86XBVenk4Wy3IYl
TL69c2FTmY9UPwlQy+rcjME9HF69Jr0GuY2mO8t0DOHS+oCcd+Y=
=gspW
-----END PGP SIGNATURE-----
News for package shadow
