[ubuntu/artful-proposed] shadow 1:4.2-3.2ubuntu2 (Accepted)

Seth Arnold seth.arnold at canonical.com
Thu May 18 18:47:13 UTC 2017


shadow (1:4.2-3.2ubuntu2) artful; urgency=medium

  * SECURITY UPDATE: su could be used to kill arbitrary processes.
    - debian/patches/CVE-2017-2616.patch: Check process's exit status before
      sending signal
    - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
      pid_child to 0 if the child process is still running.
    - CVE-2017-2616
  * SECURITY UPDATE: getulong() function could accidentally parse negative
    numbers as large positive numbers.
    - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
    - CVE-2016-6252

Date: Thu, 18 May 2017 14:39:32 -0400
Changed-By: Seth Arnold <seth.arnold at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/shadow/1:4.2-3.2ubuntu2
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 May 2017 14:39:32 -0400
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.2-3.2ubuntu2
Distribution: artful
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Seth Arnold <seth.arnold at canonical.com>
Description:
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Changes:
 shadow (1:4.2-3.2ubuntu2) artful; urgency=medium
 .
   * SECURITY UPDATE: su could be used to kill arbitrary processes.
     - debian/patches/CVE-2017-2616.patch: Check process's exit status before
       sending signal
     - debian/patches/CVE-2017-2616-regression.patch: Do not reset the
       pid_child to 0 if the child process is still running.
     - CVE-2017-2616
   * SECURITY UPDATE: getulong() function could accidentally parse negative
     numbers as large positive numbers.
     - debian/patches/CVE-2016-6252.patch: parse directly into unsigned long
     - CVE-2016-6252
Checksums-Sha1:
 243c7fb21a7e30eb555799d1a13b8eb228bc8d48 2426 shadow_4.2-3.2ubuntu2.dsc
 57c447c937d3ae9d1a95ae74821e6fc206689e28 505468 shadow_4.2-3.2ubuntu2.debian.tar.xz
 67f8bba74782fc0f2722cc9b1cffc2a1e115dadf 7769 shadow_4.2-3.2ubuntu2_source.buildinfo
Checksums-Sha256:
 27a07adb9f34d8b5d28c0d5a1844cb0ecb1f844fa65ba30c1bcc55ed5adfc4ce 2426 shadow_4.2-3.2ubuntu2.dsc
 cf6ee576049e124e3f80116911ff81b37da1bfbae475b7a116412cbae79e7b81 505468 shadow_4.2-3.2ubuntu2.debian.tar.xz
 ae3b8b722fd7ed6472154df7d298f29ddccaa6239bec647b759621a529d25cd3 7769 shadow_4.2-3.2ubuntu2_source.buildinfo
Files:
 4e176821f81d29fd01110bebfd0c66e4 2426 admin required shadow_4.2-3.2ubuntu2.dsc
 69a4833dd1d4829861be079214474d95 505468 admin required shadow_4.2-3.2ubuntu2.debian.tar.xz
 46f606087b096ee5252b2c823935449e 7769 admin required shadow_4.2-3.2ubuntu2_source.buildinfo
Original-Maintainer: Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

