Re: Please prepare for a request to hint shadow

Quoting Christian Perrier (bubulle@debian.org):
> shadow 4.0.3-30.5 just hit sid yesterday.

And should certainly NOT be hinted for sarge.

> -The chpasswd code was changed to allow MD5 encoding of generated
>  passwords. chpasswd is a utility for changing user passwords in batch
>  mode, from an input file with clear text or encrypted passwords
>  In former versions, chpasswd could only generate DES-encrypted
>  passwords which could confuse users with MD5 encryption for passwords
>  The code for adding this was contributed by Ian Gulliver and reviewed
>  both by upstream and Sam Hartman
>  The security team was kept informed of the issue even if this is not
>  considered as a security issue, strictly speaking

I unfortunately made the mistake of incorporating the changes made by
*upstream* after he saw Ian Gulliver's patch. This was *wrong*: I
should have used Ian Gulliver's patch as is.

As a consequence, chpasswd is completely broken in shadow 4.0.3-30.5
which makes the package definitely out of release quality. The
relevant bug has been reopened (it is not a RC bug...but very close to

I have already prepared a 4.0.3-30.6 version with a fixed chpasswd
binary (far more tested at the price of yet another too short night)
and will upload it today.

chpasswd is not a critical utility, for sure, when compared to other
programs in shadow, but we certainly cannot release with it being
broken as it is in 4.0.3-30.5.

Another mail will soon try to make a status update about shadow...
