Information on source package shadow

Available versions

| Release | Version |
|---|---|
| jessie | 1:4.2-3+deb8u5 |
| stretch | 1:4.4-4.1+deb9u2 |
| stretch (security) | 1:4.4-4.1+deb9u1 |
| buster | 1:4.5-1.1+deb10u1 |
| bullseye | 1:4.8.1-1 |
| bookworm | 1:4.13+dfsg1-1 |
| trixie | 1:4.16.0-5 |
| sid | 1:4.16.0-5 |

Open issues

| Bug | jessie | stretch | buster | bullseye | bookworm | trixie | sid | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-29383 | vulnerable (no DSA) | fixed | fixed | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | In Shadow 4.13, it is possible to inject control characters into field ... |
| CVE-2023-4641 | vulnerable (no DSA) | fixed | fixed | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | A flaw was found in shadow-utils. When asking for a new password, shad ... |

Open unimportant issues

| Bug | jessie | stretch | buster | bullseye | bookworm | trixie | sid | Description |
|---|---|---|---|---|---|---|---|---|
| TEMP-0628843-DBAD28 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | more related to CVE-2005-4890 |
| CVE-2013-4235 | vulnerable | vulnerable | vulnerable | vulnerable | fixed | fixed | fixed | shadow: TOCTOU (time-of-check time-of-use) race condition when copying ... |
| CVE-2007-5686 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ... |

Resolved issues

| Bug | Description |
|---|---|
| TEMP-0000000-6F6CD4 | Insecure mailbox generation in passwd's useradd |
| CVE-2019-19882 | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch L ... |
| CVE-2018-16588 | Privilege escalation can occur in the SUSE useradd.c code in useradd, ... |
| CVE-2018-7169 | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is ... |
| CVE-2017-20002 | The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists ... |
| CVE-2017-12424 | In shadow before 4.5, the newusers tool could be made to manipulate in ... |
| CVE-2017-2616 | A race condition was found in util-linux before 2.32.1 in the way su h ... |
| CVE-2016-6252 | Integer overflow in shadow 4.2.1 allows local users to gain privileges ... |
| CVE-2011-0721 | Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in sh ... |
| CVE-2008-5394 | /bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other ... |
| CVE-2006-3597 | passwd before 1:4.0.13 on Ubuntu 6.06 LTS leaves the root password bla ... |
| CVE-2006-3378 | passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called ... |
| CVE-2006-1844 | The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.5 ... |
| CVE-2006-1376 | The installation of Debian GNU/Linux 3.1r1 from the network install CD ... |
| CVE-2006-1183 | The Ubuntu 5.10 installer does not properly clear passwords from the i ... |
| CVE-2006-1174 | useradd in shadow-utils before 4.0.3, and possibly other versions befo ... |
| CVE-2005-4890 | There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo ... |
| CVE-2004-1001 | Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, ... |
| CVE-2002-1594 | Buffer overflow in (1) grpck and (2) pwck, if installed setuid on a sy ... |

Security announcements

| DSA / DLA | Description |
|---|---|
| ELA-1220-1 | shadow - security update |
| ELA-555-1 | shadow - security update |
| DLA-2596-1 | shadow - security update |
| DSA-3793-2 | shadow - regression update |
| DLA-838-1 | shadow - security update |
| DSA-3793-1 | shadow - security update |
| DSA-2164-1 | shadow - missing input sanitization |
| DSA-1709-1 | shadow - privilege escalation |
| DSA-1150-1 | shadow - programming error |
| DSA-585-1 | shadow - programming error |
