Change logs for shadow source package in Zesty

  • shadow (1:4.2-3.2ubuntu1.17.04.2) zesty-security; urgency=medium
      * REGRESSION UPDATE: The patch for CVE-2017-2616 introduced a regression.
        If su received a signal like SIGTERM it wasn't propagated to the child.
        - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
          pid_child to 0 if the child process is still running.
        Thanks to Tobias Stoeckmann for the fix and Radu Duta for the report.
     -- Seth Arnold <email address hidden>  Mon, 15 May 2017 19:28:44 -0700
  • shadow (1:4.2-3.2ubuntu1.17.04.1) zesty-security; urgency=medium
      * SECURITY UPDATE: su could be used to kill arbitrary processes.
        - debian/patches/CVE-2017-2616.patch: Check process's exit status before
          sending signal
        - CVE-2017-2616
      * SECURITY UPDATE: getulong() function could accidentally parse negative
        numbers as large positive numbers.
        - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
        - CVE-2016-6252
     -- Seth Arnold <email address hidden>  Thu, 04 May 2017 01:00:33 -0700
  • shadow (1:4.2-3.2ubuntu1) yakkety; urgency=medium
      * Merge with Debian; remaining changes:
        - debian/passwd.upstart: Add an upstart job to clear locks on
        - debian/login.defs:
          + Update documentation of USERGROUPS_ENAB: with pam_umask, the UPG
            handling does not only apply to "former (pre-PAM) uses".
          + Update documentation of UMASK: Explain that USERGROUPS_ENAB
            will modify this default for UPGs.
        - debian/{,rules}: Add apport hook
        - Pass noupdate to pam_motd call for /run/motd.dynamic, to avoid running
          /etc/update-motd.d/* scripts twice.
        - debian/patches/1010_extrausers.patch: Add support to passwd for
        - debian/patches/1011_extrausers_toggle.patch: extrausers support for
          useradd and groupadd
        - debian/patches/userns/subuids-nonlocal-users: Don't limit
          subuid/subgid support to local users.
      * Dropped changes, included in Debian:
        - Allow LXC devices (lxc/console, lxc/tty[1234]), used from precise on.
        - Add uidmap package based on upstream patches that introduce
          newuidmap/newgidmap as well as /etc/subuid and /etc/subgid. Additional
          updates on those to widen the default allocation to 65536 uids and gids
          and only assign ranges to non-system users.
        - debian/patches/1020_fix_user_busy_errors: Call sub_uid_close in all
          error cases.
      * Dropped changes, included upstream:
        - debian/patches/495_stdout-encrypted-password: chpasswd can report
          password hashes on stdout.
        - debian/patches/496_su_kill_process_group: Kill the child process group,
          rather than just the immediate child.
      * Fix pam_motd calls so that the second pam_motd is the noupdate one rather
        than the first, ensuring /run/motd.dynamic is always populated and shown
        on the first login after boot.  LP: #1368864.
      * Don't call 'pam_exec uname', a change adopted in Debian without
        coordination with the Debian PAM maintainer
      * Use dh_installinit now for installing the upstart job, as we no longer
        generate a dependency on upstart-job.
      * Include /etc/sub[ug]id in the list of files to clear locks for on boot.
        LP: #1304505
      * Add a systemd unit to go with the upstart job, so that lock clearing works
        on newer Ubuntu releases.
      * add support for "chfn --extrausers" (LP: #1495580)
      * debian/patches/1010_extrausers.patch:
        - Fix usermod to handle a readonly /etc gracefully (LP: #1562872)
      * debian/patches/1010_extrausers.patch:
        - Fix usermod to look in extrausers location for basic changes to a
          user's passwd info.  Fixes changing user's real name in Touch via
          AccountsService.  (Does not address updating groups yet, since that's
          less useful now, as we can't update any system groups.)
      * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids
        for system users.  (LP: #1545884)
      * Replace debian/passwd.service with debian/passwd.tmpfile, systemd tmpfile
        handling has support for removing files for us on boot.  Thanks to
        Martin Pitt <email address hidden> for the hint.
    shadow (1:4.2-3.2) unstable; urgency=medium
      * Non-maintainer upload.
      * Use HTTPS in Vcs-Git.
      * Stop using hardening-wrapper and instead use /usr/share/dpkg/
        Closes: #836653
     -- Matthias Klose <email address hidden>  Tue, 20 Sep 2016 09:43:54 +0200