-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Apr 2025 15:46:55 +0200
Source: shadow
Architecture: source
Version: 1:4.8.1-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 1034482 1051062
Changes:
 shadow (1:4.8.1-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2023-4641: When asking for a new password, shadow-utils asks
     the password twice. If the password fails on the second attempt,
     shadow-utils fails in cleaning the buffer used to store the first
     entry. This may allow an attacker with enough access to retrieve
     the password from the memory. (Closes: #1051062)
   * CVE-2023-29383: It is possible to inject control characters into
     fields provided to the SUID program chfn (change finger). Although
     it is not possible to exploit this directly (e.g., adding a new
     user fails because \n is in the block list), it is possible to
     misrepresent the /etc/passwd file when viewed. (Closes: #1034482)
   * Add Salsa-CI configuration.
   * Silence lintian error that can't be fixed after freeze.