UbuntuUpdates.org

Package "passwd"

Name: passwd

Description: change and administer password and group data

Latest version: 1:4.1.5.1-1ubuntu9.5
Release: trusty (14.04)
Level: security
Repository: main
Head package: shadow
Homepage: http://pkg-shadow.alioth.debian.org/


Other versions of "passwd" in Trusty

Repository Area Version
base main 1:4.1.5.1-1ubuntu9
updates main 1:4.1.5.1-1ubuntu9.5

Changelog

Version: 1:4.1.5.1-1ubuntu9.5 2017-05-17 02:06:41 UTC

  shadow (1:4.1.5.1-1ubuntu9.5) trusty-security; urgency=medium

  * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression.
    If su received a signal like SIGTERM it wasn't propagated to the child.
    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
      pid_child to 0 if the child process is still running.
    Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report.

 -- Seth Arnold <email address hidden> Mon, 15 May 2017 19:22:49 -0700

CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su

Version: 1:4.1.5.1-1ubuntu9.4 2017-05-05 06:06:59 UTC

  shadow (1:4.1.5.1-1ubuntu9.4) trusty-security; urgency=medium

  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
      sending signal
    - CVE-2017-2616
  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/reset-caught-on-sigtstp.patch: Check process's SIGTSTP
      status before sending signal. No CVE is currently assigned.
  * SECURITY UPDATE: getulong() function could accidentally parse negative
    numbers as large positive numbers.
    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
    - CVE-2016-6252

 -- Seth Arnold <email address hidden> Thu, 04 May 2017 01:00:09 -0700

CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su
CVE-2016-6252 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.


