UbuntuUpdates.org

Package "passwd"

Name: passwd

Description: change and administer password and group data

Latest version: 1:4.2-3.1ubuntu5.3
Release: xenial (16.04)
Level: security
Repository: main
Head package: shadow
Homepage: http://pkg-shadow.alioth.debian.org/

Other versions of "passwd" in Xenial

Repository  Area  Version
base        main  1:4.2-3.1ubuntu5
updates     main  1:4.2-3.1ubuntu5.4

Changelog

Version: 1:4.2-3.1ubuntu5.3 2017-05-17 02:06:44 UTC

  shadow (1:4.2-3.1ubuntu5.3) xenial-security; urgency=medium

  * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression.
    If su received a signal like SIGTERM it wasn't propagated to the child.
    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
      pid_child to 0 if the child process is still running.
    Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report.

 -- Seth Arnold <email address hidden> Mon, 15 May 2017 19:26:55 -0700

CVE-2017-2616: Sending SIGKILL to other processes with root privileges via su

Version: 1:4.2-3.1ubuntu5.2 2017-05-05 06:07:02 UTC

  shadow (1:4.2-3.1ubuntu5.2) xenial-security; urgency=medium

  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
      sending signal
    - CVE-2017-2616
  * SECURITY UPDATE: getulong() function could accidentally parse negative
    numbers as large positive numbers.
    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
    - CVE-2016-6252

 -- Seth Arnold <email address hidden> Thu, 04 May 2017 01:00:19 -0700

CVE-2017-2616: Sending SIGKILL to other processes with root privileges via su
CVE-2016-6252: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.


