Debian Package Tracker

general

source: shadow (main)
version: 1:4.7-2
maintainer: Shadow package maintainers (archive) (DMD)
uploaders: Balint Reczey [DMD] – Serge Hallyn [DMD]
arch: any
std-ver: 3.9.5
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.2-3+deb8u4
o-o-sec: 1:4.2-3+deb8u4
oldstable: 1:4.4-4.1
stable: 1:4.5-1.1
testing: 1:4.7-2
unstable: 1:4.7-2

versioned links

1:4.2-3+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.4-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.5-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.7-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

login (11 bugs: 0, 7, 4, 0)
passwd (27 bugs: 0, 15, 12, 0)
uidmap (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 4.8 high

A new upstream version 4.8 is available, you should consider packaging it.

Created: 2019-12-03 Last update: 2019-12-12 13:36

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 3.9.5).

Created: 2014-11-21 Last update: 2019-09-29 23:41

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-03-21 Last update: 2019-12-12 14:34

10 bugs tagged patch in the BTS normal

The BTS contains patches fixing 10 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-12-12 14:34

Depends on packages which need a new maintainer normal

The packages that shadow depends on which need a new maintainer are:

docbook-xml (#802368)
- Build-Depends: docbook-xml
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2019-11-22 Last update: 2019-12-12 13:44

4 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 0a3492dd902c42b850e5b19ce8dcfc9b81d8c3ed
Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
Date:   Mon Nov 11 16:54:57 2019 +0100

    Mark uidmap and login as Multi-Arch: foreign
    
    Closes: #934473

commit 77901f41155dbe2e6d1c5fece1db5bb8ef151828
Author: Justin B Rye <justin.byam.rye@gmail.com>
Date:   Mon Nov 11 16:24:50 2019 +0100

    login: Update package description
    
    Closes: #808301

commit 042e76175a3f8f9b7d50f691154e09c3169a8768
Merge: 9bda99f 4d8a10d
Author: Balint Reczey <rbalint@debian.org>
Date:   Mon Sep 16 13:21:49 2019 +0000

    Merge branch 'pam_selinux' into 'master'
    
    Move the call to pam_motd before pam_selinux open
    
    See merge request debian/shadow!8

commit 4d8a10d86cca3de958a2d02d3db666f4c5c8a2cf
Author: Laurent Bigonville <bigon@debian.org>
Date:   Tue Sep 3 16:48:39 2019 +0200

    Move the call to pam_motd before pam_selinux open
    
    pam_selinux calls setexeccon() with the context of the user, that means
    that the first execve() after the call to "pam_selinux open" will be
    executed in the user's context.
    
    As pam_motd in debian calls system() to run run-parts to generate the
    motd dynamically we need to be sure that this is done before that so it
    runs in the context of the login executable.

Created: 2019-09-23 Last update: 2019-12-08 16:15

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-08-26 Last update: 2019-09-30 01:19

1 ignored security issue in buster low

There is 1 open security issue in buster.

1 issue skipped by the security teams:

CVE-2018-7169: An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

Please fix it.

Created: 2018-02-16 Last update: 2019-12-05 06:37

2 ignored security issues in jessie low

There are 2 open security issues in jessie.

2 issues skipped by the security teams:

CVE-2017-12424: In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
CVE-2018-7169: An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

Please fix them.

Created: 2017-08-05 Last update: 2019-12-05 06:37

2 ignored security issues in stretch low

There are 2 open security issues in stretch.

2 issues skipped by the security teams:

CVE-2017-12424: In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
CVE-2018-7169: An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

Please fix them.

Created: 2017-08-05 Last update: 2019-12-05 06:37

news

[rss feed]

[2019-07-22] shadow 1:4.7-2 MIGRATED to testing (Debian testing watch)
[2019-07-16] Accepted shadow 1:4.7-2 (source) into unstable (Balint Reczey)
[2019-07-14] shadow 1:4.7-1 MIGRATED to testing (Debian testing watch)
[2019-07-08] Accepted shadow 1:4.7-1 (source) into unstable (Balint Reczey)
[2018-08-03] shadow 1:4.5-1.1 MIGRATED to testing (Debian testing watch)
[2018-07-27] Accepted shadow 1:4.5-1.1 (source amd64) into unstable (Andreas Henriksson)
[2017-10-03] shadow 1:4.5-1 MIGRATED to testing (Debian testing watch)
[2017-09-27] Accepted shadow 1:4.5-1 (source) into unstable (Balint Reczey)
[2017-05-31] Accepted shadow 1:4.2-3+deb8u4 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-05-24] shadow 1:4.4-4.1 MIGRATED to testing (Debian testing watch)
[2017-05-22] Accepted shadow 1:4.4-4.1 (source) into unstable (Salvatore Bonaccorso)
[2017-04-30] Accepted shadow 1:4.2-3+deb8u3 (source) into proposed-updates->stable-new, proposed-updates (Balint Reczey) (signed by: Salvatore Bonaccorso)
[2017-04-30] Accepted shadow 1:4.2-3+deb8u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-02-26] Accepted shadow 1:4.1.5.1-1+deb7u1 (source amd64) into oldstable (Balint Reczey)
[2017-02-26] shadow 1:4.4-4 MIGRATED to testing (Debian testing watch)
[2017-02-24] Accepted shadow 1:4.4-4 (source) into unstable (Balint Reczey)
[2017-02-05] shadow 1:4.4-3 MIGRATED to testing (Debian testing watch)
[2017-01-25] Accepted shadow 1:4.4-3 (source) into unstable (Balint Reczey)
[2017-01-19] Accepted shadow 1:4.4-2 (source) into unstable (Balint Reczey)
[2017-01-17] shadow 1:4.4-1 MIGRATED to testing (Debian testing watch)
[2017-01-06] Accepted shadow 1:4.4-1 (source) into unstable (Balint Reczey)
[2016-12-03] shadow 1:4.2-3.3 MIGRATED to testing (Debian testing watch)
[2016-11-27] Accepted shadow 1:4.2-3.3 (source amd64) into unstable (Samuel Thibault)
[2016-09-25] shadow 1:4.2-3.2 MIGRATED to testing (Debian testing watch)
[2016-09-19] Accepted shadow 1:4.2-3.2 (source) into unstable (Mattia Rizzolo)
[2015-11-19] Accepted shadow 1:4.2-3+deb8u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Bastian Blank)
[2015-11-18] shadow 1:4.2-3.1 MIGRATED to testing (Britney)
[2015-11-12] Accepted shadow 1:4.2-3.1 (source) into unstable (Bastian Blank)
[2014-12-01] shadow 1:4.2-3 MIGRATED to testing (Britney)
[2014-11-20] Accepted shadow 1:4.2-3 (source i386) into unstable (Christian Perrier)

bugs [bug history graph]

all: 52 53
RC: 0
I&N: 28 29
M&W: 24
F&P: 0
patch: 10
help: 1

links

homepage
lintian (0, 4)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.5-1.1ubuntu4
95 bugs (3 patches)
patches for 1:4.5-1.1ubuntu4