UbuntuUpdates.org

Package "shadow"

Name: shadow

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • system login tools
  • change and administer password and group data
  • programs to help use subuids

Latest version: 1:4.1.5.1-1ubuntu9.5
Release: trusty (14.04)
Level: security
Repository: main


Other versions of "shadow" in Trusty

Repository  Area  Version
base        main  1:4.1.5.1-1ubuntu9
updates     main  1:4.1.5.1-1ubuntu9.5


Changelog

Version: 1:4.1.5.1-1ubuntu9.5 2017-05-17 02:06:41 UTC

  shadow (1:4.1.5.1-1ubuntu9.5) trusty-security; urgency=medium

  * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression.
    If su received a signal like SIGTERM it wasn't propagated to the child.
    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
      pid_child to 0 if the child process is still running.
    Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report.

 -- Seth Arnold <email address hidden> Mon, 15 May 2017 19:22:49 -0700

CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su

Version: 1:4.1.5.1-1ubuntu9.4 2017-05-05 06:06:59 UTC

  shadow (1:4.1.5.1-1ubuntu9.4) trusty-security; urgency=medium

  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
      sending signal
    - CVE-2017-2616
  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/reset-caught-on-sigtstp.patch: Check process's SIGTSTP
      status before sending signal. No CVE is currently assigned.
  * SECURITY UPDATE: getulong() function could accidentally parse negative
    numbers as large positive numbers.
    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
    - CVE-2016-6252

 -- Seth Arnold <email address hidden> Thu, 04 May 2017 01:00:09 -0700

CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su
CVE-2016-6252 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.


