UbuntuUpdates.org

Package "passwd"

Name: passwd

Description: change and administer password and group data

Latest version: 1:4.2-3.1ubuntu5.4
Release: xenial (16.04)
Level: updates
Repository: main
Head package: shadow
Homepage: http://pkg-shadow.alioth.debian.org/

Other versions of "passwd" in Xenial

Repository  Area  Version
base        main  1:4.2-3.1ubuntu5
security    main  1:4.2-3.1ubuntu5.3

Changelog

Version: 1:4.2-3.1ubuntu5.4 2019-04-25 11:06:20 UTC

  shadow (1:4.2-3.1ubuntu5.4) xenial; urgency=medium

  * patches/1012_extrausers_chfn.patch:
    - add --extrausers option to "chfn" (LP: #1495580)
  * debian/patches/1013_extrausers_deluser.patch:
    - add --extrausers option to "userdel" (LP: #1659534)
  * debian/patches/2000_fix-su-pam-env-handling:
    - fix "su -l" to correctly use pam_getenvlist (LP: #984390)

 -- Michael Vogt <email address hidden> Fri, 22 Mar 2019 20:22:06 +0100

1495580 chfn needs to learn about the --extrausers argument and use libnss-extrausers files when set
1659534 userdel doesn't supports extrausers
984390 $PATH is taken from login.defs not /etc/environment

Version: 1:4.2-3.1ubuntu5.3 2017-05-17 03:06:37 UTC

  shadow (1:4.2-3.1ubuntu5.3) xenial-security; urgency=medium

  * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression.
    If su received a signal like SIGTERM it wasn't propagated to the child.
    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
      pid_child to 0 if the child process is still running.
    Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report.

 -- Seth Arnold <email address hidden> Mon, 15 May 2017 19:26:55 -0700

CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su

Version: 1:4.2-3.1ubuntu5.2 2017-05-05 07:07:00 UTC

  shadow (1:4.2-3.1ubuntu5.2) xenial-security; urgency=medium

  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
      sending signal
    - CVE-2017-2616
  * SECURITY UPDATE: getulong() function could accidentally parse negative
    numbers as large positive numbers.
    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
    - CVE-2016-6252

 -- Seth Arnold <email address hidden> Thu, 04 May 2017 01:00:19 -0700

CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su
CVE-2016-6252 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.
