shadow (1:4.2-3.1ubuntu5.3) xenial-security; urgency=medium * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression. If su received a signal like SIGTERM it wasn't propagated to the child. - debian/patches/CVE-2017-2616-regression.patch: Do not reset the pid_child to 0 if the child process is still running. Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report. -- Seth Arnold Mon, 15 May 2017 19:26:55 -0700 shadow (1:4.2-3.1ubuntu5.2) xenial-security; urgency=medium * SECURITY UPDATE: su could be used to kill arbitrary processes. - debian/patches/CVE-2017-2616.patch: Check process's exit status before sending signal - CVE-2017-2616 * SECURITY UPDATE: getulong() function could accidentally parse negative numbers as large positive numbers. - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long - CVE-2016-6252 -- Seth Arnold Thu, 04 May 2017 01:00:19 -0700 shadow (1:4.2-3.1ubuntu5) xenial; urgency=medium * debian/patches/1010_extrausers.patch: - Fix usermod to handle a readonly /etc gracefully (LP: #1562872) -- Michael Terry Mon, 28 Mar 2016 09:44:23 -0400 shadow (1:4.2-3.1ubuntu4) xenial; urgency=medium * debian/patches/1010_extrausers.patch: - Fix usermod to look in extrausers location for basic changes to a user's passwd info. Fixes changing user's real name in Touch via AccountsService. (Does not address updating groups yet, since that's less useful now, as we can't update any system groups.) -- Michael Terry Wed, 02 Mar 2016 15:01:19 -0500 shadow (1:4.2-3.1ubuntu3) xenial; urgency=medium * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids for system users. (LP: #1545884) -- Serge Hallyn Wed, 17 Feb 2016 20:57:59 -0800 shadow (1:4.2-3.1ubuntu2) xenial; urgency=medium * Replace debian/passwd.service with debian/passwd.tmpfile, systemd tmpfile handling has support for removing files for us on boot. Thanks to Martin Pitt for the hint. -- Steve Langasek Thu, 04 Feb 2016 14:01:27 -0800 shadow (1:4.2-3.1ubuntu1) xenial; urgency=low * Merge from Debian unstable. - Includes pam_loginuid in login PAM config. LP: #1067779. - Fixes typo in usermod -h output. LP: #1348873. * Remaining changes: - debian/passwd.upstart: Add an upstart job to clear locks on [shadow-]passwd/group. - debian/login.defs: + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG handling does not only apply to "former (pre-PAM) uses". + Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify this default for UPGs. - debian/{source_shadow.py,rules}: Add apport hook - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running /etc/update-motd.d/* scripts twice. - debian/patches/1010_extrausers.patch: Add support to passwd for libnss-extrausers - debian/patches/1011_extrausers_toggle.patch: extrausers support for useradd and groupadd - debian/patches/userns/subuids-nonlocal-users: Don't limit subuid/subgid support to local users. * Dropped changes, included in Debian: - Allow LXC devices (lxc/console, lxc/tty[1234]), used from precise on. - Add uidmap package based on upstream patches that introduce newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional updates on those to widen the default allocation to 65536 uids and gids and only assign ranges to non-system users. - debian/patches/1020_fix_user_busy_errors: Call sub_uid_close in all error cases. * Dropped changes, included upstream: - debian/patches/495_stdout-encrypted-password: chpasswd can report password hashes on stdout. - debian/patches/496_su_kill_process_group: Kill the child process group, rather than just the immediate child. * Fix pam_motd calls so that the second pam_motd is the noupdate one rather than the first, ensuring /run/motd.dynamic is always populated and shown on the first login after boot. LP: #1368864. * Don't call 'pam_exec uname', a change adopted in Debian without coordination with the Debian PAM maintainer * Use dh_installinit now for installing the upstart job, as we no longer generate a dependency on upstart-job. * Include /etc/sub[ug]id in the list of files to clear locks for on boot. LP: #1304505 * Add a systemd unit to go with the upstart job, so that lock clearing works on newer Ubuntu releases. -- Steve Langasek Thu, 28 Jan 2016 22:21:41 -0800 shadow (1:4.2-3.1) unstable; urgency=medium * Non-maintainer upload. * Fix error handling in busy user detection. (Closes: #778287) -- Bastian Blank Thu, 12 Nov 2015 14:33:33 +0000 shadow (1:4.2-3) unstable; urgency=low * Enforce hardened builds to workaround cdbs sometimes not building with hardening flags as in 1:4.2-2+b1 Thanks to Dr. Markus Waldeck for pointing the issue and Simon Ruderich For providing a working patch. -- Christian Perrier Wed, 19 Nov 2014 21:59:09 +0100 shadow (1:4.2-2) unstable; urgency=low * The "Soumaintrain" release * The "Rigotte de Condrieu" release was 4.2-1 * Upload to unstable * Last upload integrates the use of dh_autoreconf which has the same effect then Eric Dorland's patch in 1:4.1.5.1-1.1 NMU to drop the use of automake1.9. Closes: #724434 [ Samuel Thibault ] * Enable the login package on hurd-any, but without /bin/login, still provided by the hurd package. Closes: #737805. This fix was accidentally forgotten in 1:4.2-1 [ Josh Triplett ] * use the new pam_exec functionality from pam 1.1.8-1 to implement the dynamic motd, rather than using /run/motd.dynamic from initscripts. This will allow initscripts to drop /etc/init.d/motd. Closes: #741129 [ Laurent Bigonville ] * Enable libaudit support. Closes: #745774 [ Trần Ngọc Quân ] * Vietnamese translation update. [ Christian Perrier ] * Add a lintian override for newuidmap and newgidmap setuid binaries * Add upstream signing key as debian/upstream-signing-key.asc * Check upstream signing key in debian/watch -- Christian Perrier Sun, 04 May 2014 19:39:07 +0200 # For older changelog entries, run 'apt-get changelog login'