Re: Please prepare for a request to hint shadow
Quoting Christian Perrier (bubulle@debian.org):
> shadow 4.0.3-30.5 just hit sid yesterday.
And should certainly NOT be hinted for sarge.
> -The chpasswd code was changed to allow MD5 encoding of generated
> passwords. chpasswd is a utility for changing user passwords in batch
> mode, from an input file with clear text or encrypted passwords.
> In former versions, chpasswd could only generate DES-encrypted
> passwords which could confuse users with MD5 encryption for passwords.
>
> The code for adding this was contributed by Ian Gulliver and reviewed
> both by upstream and Sam Hartman.
>
> The security team was kept informed of the issue even if this is not
> considered as a security issue, strictly speaking.
I unfortunately made the mistake of incorporating the changes made by
*upstream* after he saw Ian Gulliver's patch. This was *wrong*: I
should have used Ian Gulliver's patch as is.
As a consequence, chpasswd is completely broken in shadow 4.0.3-30.5
which makes the package definitely out of release quality. The
relevant bug has been reopened (it is not a RC bug...but very close to
it).
I have already prepared a 4.0.3-30.6 version with a fixed chpasswd
binary (far more tested at the price of yet another too short night)
and will upload it today.
chpasswd is not a critical utility, for sure, when compared to other
programs in shadow, but we certainly cannot release with it being
broken as it is in 4.0.3-30.5.
Another mail will soon try to make a status update about shadow...