shadow - Debian Package Tracker

general

source: shadow (main)
version: 1:4.8.1-1
maintainer: Shadow package maintainers (archive) (DMD)
uploaders: Balint Reczey [DMD] – Serge Hallyn [DMD]
arch: any
std-ver: 3.9.5
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.2-3+deb8u4
o-o-sec: 1:4.2-3+deb8u4
oldstable: 1:4.4-4.1
stable: 1:4.5-1.1
testing: 1:4.8.1-1
unstable: 1:4.8.1-1

versioned links

1:4.2-3+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.4-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.5-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

login (12 bugs: 0, 8, 4, 0)
passwd (26 bugs: 0, 15, 11, 0)
uidmap

action needed

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 3.9.5).

Created: 2014-11-21 Last update: 2020-11-17 05:41

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-03-21 Last update: 2021-02-25 20:02

8 bugs tagged patch in the BTS normal

The BTS contains patches fixing 8 bugs, consider including or untagging them.

Created: 2020-10-19 Last update: 2021-02-25 20:02

Depends on packages which need a new maintainer normal

The packages that shadow depends on which need a new maintainer are:

docbook-xml (#802368)
- Build-Depends: docbook-xml
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2019-11-22 Last update: 2021-02-25 18:06

4 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit cfc17bfaa78993b802e255d7d57e193b6d39862c
Merge: c7baab6 fe2a40a
Author: Balint Reczey <rbalint@debian.org>
Date:   Mon Apr 20 21:28:07 2020 +0000

    Merge branch 'clean-up-old-passwd-maintscript' into 'master'
    
    Remove obsolete code from passwd maintscripts
    
    See merge request debian/shadow!11

commit fe2a40ab85c2d7df29ac1e104bfdf3ef3109373e
Author: Niels Thykier <niels@thykier.net>
Date:   Sat Apr 18 09:03:08 2020 +0000

    Remove obsolete code from passwd maintscripts
    
    The transitional behaviour was complete before oldoldstable and is no
    longer relevant.  Moving this snippet will eventually enable us to
    remove the preinst for passwd completely (when the
    /etc/cron.daily/passwd removal is complete).  This will both reduce
    the total number of maintscripts and also enable us to simplify
    deployment DPKG_ROOT (the InstallBootstrap spec).
    
      * https://wiki.debian.org/Teams/Dpkg/Spec/InstallBootstrap
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

commit c7baab653470fe217a76e7821913bec2426a3d62
Merge: 7456cef 92b40af
Author: Balint Reczey <rbalint@debian.org>
Date:   Sat Apr 18 09:00:17 2020 +0000

    Merge branch 'clean-up-old-login-preinst' into 'master'
    
    Remove obsolete login.preinst
    
    See merge request debian/shadow!10

commit 92b40afe1389661f8528309af13bcafc9a9bcdfc
Author: Niels Thykier <niels@thykier.net>
Date:   Sat Apr 18 08:50:51 2020 +0000

    Remove obsolete login.preinst
    
    The transitional behaviour was complete before oldoldstable and is no
    longer relevant.  Moving this snippet will eventually enable us to
    remove the preinst for login completely (when the /etc/securetty
    removal is complete).  This will both reduce the total number of
    maintscripts and also enable us to simplify deployment DPKG_ROOT (the
    InstallBootstrap spec).
    
     * https://wiki.debian.org/Teams/Dpkg/Spec/InstallBootstrap
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

Created: 2020-04-24 Last update: 2021-02-21 07:04

2 low-priority security issues in stretch low

There are 2 open security issues in stretch.

2 issues left for the package maintainer to handle:

CVE-2017-12424: (needs triaging) In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
CVE-2018-7169: (needs triaging) An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-02-25 09:13

1 low-priority security issue in buster low

There is 1 open security issue in buster.

1 issue left for the package maintainer to handle:

CVE-2018-7169: (needs triaging) An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.

You can find information about how to handle this issue in the security team's documentation.

Created: 2021-02-19 Last update: 2021-02-25 09:13

news

[rss feed]

[2020-02-13] shadow 1:4.8.1-1 MIGRATED to testing (Debian testing watch)
[2020-02-07] Accepted shadow 1:4.8.1-1 (source) into unstable (Balint Reczey)
[2020-01-06] shadow 1:4.8-1 MIGRATED to testing (Debian testing watch)
[2019-12-20] Accepted shadow 1:4.8-1 (source) into unstable (Balint Reczey)
[2019-07-22] shadow 1:4.7-2 MIGRATED to testing (Debian testing watch)
[2019-07-16] Accepted shadow 1:4.7-2 (source) into unstable (Balint Reczey)
[2019-07-14] shadow 1:4.7-1 MIGRATED to testing (Debian testing watch)
[2019-07-08] Accepted shadow 1:4.7-1 (source) into unstable (Balint Reczey)
[2018-08-03] shadow 1:4.5-1.1 MIGRATED to testing (Debian testing watch)
[2018-07-27] Accepted shadow 1:4.5-1.1 (source amd64) into unstable (Andreas Henriksson)
[2017-10-03] shadow 1:4.5-1 MIGRATED to testing (Debian testing watch)
[2017-09-27] Accepted shadow 1:4.5-1 (source) into unstable (Balint Reczey)
[2017-05-31] Accepted shadow 1:4.2-3+deb8u4 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-05-24] shadow 1:4.4-4.1 MIGRATED to testing (Debian testing watch)
[2017-05-22] Accepted shadow 1:4.4-4.1 (source) into unstable (Salvatore Bonaccorso)
[2017-04-30] Accepted shadow 1:4.2-3+deb8u3 (source) into proposed-updates->stable-new, proposed-updates (Balint Reczey) (signed by: Salvatore Bonaccorso)
[2017-04-30] Accepted shadow 1:4.2-3+deb8u2 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2017-02-26] Accepted shadow 1:4.1.5.1-1+deb7u1 (source amd64) into oldstable (Balint Reczey)
[2017-02-26] shadow 1:4.4-4 MIGRATED to testing (Debian testing watch)
[2017-02-24] Accepted shadow 1:4.4-4 (source) into unstable (Balint Reczey)
[2017-02-05] shadow 1:4.4-3 MIGRATED to testing (Debian testing watch)
[2017-01-25] Accepted shadow 1:4.4-3 (source) into unstable (Balint Reczey)
[2017-01-19] Accepted shadow 1:4.4-2 (source) into unstable (Balint Reczey)
[2017-01-17] shadow 1:4.4-1 MIGRATED to testing (Debian testing watch)
[2017-01-06] Accepted shadow 1:4.4-1 (source) into unstable (Balint Reczey)
[2016-12-03] shadow 1:4.2-3.3 MIGRATED to testing (Debian testing watch)
[2016-11-27] Accepted shadow 1:4.2-3.3 (source amd64) into unstable (Samuel Thibault)
[2016-09-25] shadow 1:4.2-3.2 MIGRATED to testing (Debian testing watch)
[2016-09-19] Accepted shadow 1:4.2-3.2 (source) into unstable (Mattia Rizzolo)
[2015-11-19] Accepted shadow 1:4.2-3+deb8u1 (source amd64) into proposed-updates->stable-new, proposed-updates (Bastian Blank)

bugs [bug history graph]

all: 50 51
RC: 0
I&N: 26 27
M&W: 24
F&P: 0
patch: 8
help: 1

links

homepage
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
l10n (65, 54)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.8.1-1ubuntu8
79 bugs (3 patches)
patches for 1:4.8.1-1ubuntu8