shadow (1:4.8.1-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the LTS Security Team.
* CVE-2023-4641: When asking for a new password, shadow-utils asks for the
password twice. If the password fails on the second attempt,
shadow-utils fails to clear the buffer used to store the first
entry. This may allow an attacker with enough access to retrieve the
password from memory. (Closes: #1051062)
* CVE-2023-29383: It is possible to inject control characters into
fields provided to the SUID program chfn (change finger). Although it
is not possible to exploit this directly (e.g., adding a new user
fails because \n is in the block list), it is possible to misrepresent
the /etc/passwd file when viewed. (Closes: #1034482)
* Add Salsa-CI configuration.
* Silence lintian error that can't be fixed after freeze.
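As an added illustration of the two CVE fixes above (example code written for this page, not shadow's own source), the block below shows the password-prompt pattern CVE-2023-4641 describes, a vulnerable early return that leaves the first entry in memory beside a variant that wipes on every exit path, and a field validator of the kind CVE-2023-29383 calls for. The terminal prompts are replaced by function arguments, the buffer names, PASS_MAX and the exact rejected-character set are assumptions for the example rather than shadow's, and all sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PASS_MAX 128

/* Zero a buffer in a way the compiler cannot optimise away. explicit_bzero()
 * is the libc call to prefer where it exists; this is the portable idiom. */
static void wipe(void *p, size_t n)
{
	volatile unsigned char *vp = (volatile unsigned char *)p;
	while (n--)
		*vp++ = 0;
}

/* Scratch buffers standing in for the ones a password prompt fills (assumed
 * layout for this example).  They are file-scope so that a caller can
 * inspect what survives after a mismatch; in real code they would be stack
 * or heap memory exposed by the next allocation, a core dump or a swap page. */
static char first[PASS_MAX];
static char second[PASS_MAX];

static void take_entries(const char *entry1, const char *entry2)
{
	snprintf(first, sizeof first, "%s", entry1);
	snprintf(second, sizeof second, "%s", entry2);
}

/* Buggy pattern: on a mismatch the function bails out and the first entry
 * stays in memory.  On a match it copies the password to out (PASS_MAX
 * bytes) and returns 1; otherwise it returns 0. */
static int ask_twice_vulnerable(const char *entry1, const char *entry2, char *out)
{
	take_entries(entry1, entry2);
	if (strcmp(first, second) != 0)
		return 0;                     /* early return, nothing wiped */
	snprintf(out, PASS_MAX, "%s", first);
	wipe(first, sizeof first);
	wipe(second, sizeof second);
	return 1;
}

/* Fixed pattern: every exit path wipes both buffers before returning. */
static int ask_twice_fixed(const char *entry1, const char *entry2, char *out)
{
	int ok;
	take_entries(entry1, entry2);
	ok = (strcmp(first, second) == 0);
	if (ok)
		snprintf(out, PASS_MAX, "%s", first);
	wipe(first, sizeof first);
	wipe(second, sizeof second);
	return ok;
}

/* 1 if any byte of an entry is still readable from the scratch buffers. */
static int entry_leaked(void)
{
	return first[0] != '\0' || second[0] != '\0';
}

/* Field check for chfn-style input.  The rejected set is an assumption for
 * this example, not shadow's exact list: ':' would end the field, ',' and
 * '=' have meaning inside GECOS, and any control character (\n starts a new
 * record, \r or ESC can rewrite what a terminal shows) lets the file display
 * something other than what it contains.  Returns 1 if the field is clean. */
static int valid_gecos_field(const char *s)
{
	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;
		if (c == ':' || c == ',' || c == '=' || iscntrl(c))
			return 0;
	}
	return 1;
}

int main(void)
{
	char pw[PASS_MAX];

	ask_twice_vulnerable("hunter2", "hunter3", pw);
	printf("vulnerable, after mismatch: leaked=%d\n", entry_leaked());
	ask_twice_fixed("hunter2", "hunter3", pw);
	printf("fixed, after mismatch:      leaked=%d\n", entry_leaked());

	printf("\"Jane Doe\" valid=%d\n", valid_gecos_field("Jane Doe"));
	printf("\"Jane\\r\\nroot::0:0...\" valid=%d\n",
	       valid_gecos_field("Jane\r\nroot::0:0:::/bin/sh"));
	return 0;
}
```

The vulnerable variant is not wrong about the password itself, it only differs in what is left behind after the user mistypes the confirmation, which is exactly the window the CVE describes. The validator rejects the whole control range rather than only `\n`, so a `\r` or escape sequence that would not break the record format but would change how `/etc/passwd` renders in a terminal is refused too.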
The following needed massaging to apply:
* debian/patches/508_nologin_in_usr_sbin
* debian/patches/401_cppw_src.dpatch
The remaining patches just got trivial quilt refresh updates,
except debian/patches/506_relaxed_usernames which needed
special attention to be correctly refreshed.

The shadow package did not ship the su program even before this:
Debian uses the util-linux implementation of su (since Buster).
In shadow 4.8 there is now an explicit configure flag that can be
used to disable su, rather than just not shipping it in the resulting
Debian package.
See commit 88de51965d
"Stop shipping su and break old util-linux version. (See #833256)"

pam_selinux calls setexeccon() with the context of the user, which means
that the first execve() after the call to "pam_selinux open" will be
executed in the user's context.
As pam_motd in Debian calls system() to run run-parts to generate the
motd dynamically, we need to be sure that this is done before that call
so it runs in the context of the login executable.

It was added in 2010 (#554170) as a split off from a previous cron
job. I haven't seen an argument for why it's useful to keep.
Depending on when a mistake occurs in one of the files it backs up,
it will provide a variable recovery time of 0 to 24 hours.