Bug#1102139: bookworm-pu: package shadow/4.13+dfsg1-2
Hi Chris,
[not authoritative answer, as not part of the release team]
Thanks a lot for preparing an update for CVE fixes.
On Sat, Apr 05, 2025 at 05:22:41PM +0200, Chris Hofstaedtler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: shadow@packages.debian.org, team@security.debian.org
> Control: affects -1 + src:shadow
>
> [ Reason ]
>
> Fixes two security issues, long fixed in unstable.
>
> CVE-2023-4641 and CVE-2023-29383
>
> [ Impact ]
>
> gpasswd and chfn utilities are the targets of the fixes.
>
> [ Tests ]
>
> For CVE-2023-29383 I've performed a manual test showing that the issue
> is fixed. For CVE-2023-4641 I'm not sure how to trigger that.
>
> [ Risks ]
>
> Both CVEs have upstream fixes, which got cherry-picked into unstable in
> 1:4.13+dfsg1-2 and 1:4.13+dfsg1-3. The patches are not very long.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> Two patches to fix the security issues and a regression fix for the
> second fix are cherry-picked from upstream. We had these in
> 1:4.13+dfsg1-3 for a long time.
>
> I've also updated the Uploaders: field to match unstable.
>
> [ Other info ]
>
> Nothing I'm aware of.
> diff -Nru shadow-4.13+dfsg1/debian/changelog shadow-4.13+dfsg1/debian/changelog
> --- shadow-4.13+dfsg1/debian/changelog 2022-11-11 09:28:15.000000000 +0100
> +++ shadow-4.13+dfsg1/debian/changelog 2025-04-05 17:02:05.000000000 +0200
> @@ -1,3 +1,17 @@
> +shadow (1:4.13+dfsg1-2) bookworm; urgency=medium
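Review bot: the new changelog stanza reuses version 1:4.13+dfsg1-2, but the [Risks] section above says that very version is the one already uploaded to unstable with the first cherry-picked fix, so a bookworm upload cannot carry the same version string; the stable update should instead be versioned from the bookworm base package, as the reply below suggests (1:4.13+dfsg1-1+deb12u1), with "bookworm" as the distribution as already written. The hunk header also announces 14 added lines while only the first is quoted here, so the rest of the stanza (the CVE identifiers and the Uploaders: change mentioned in [Changes]) cannot be checked from this excerpt.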
I think you will need to pick up 1:4.13+dfsg1-1+deb12u1 instead.
Regards,
Salvatore