Karl, I have just recently browsed the passwd package's bugs and there are
quite a number of them which have not been addressed (some) for over a year.
Many of these bugs could be considered security related because some of
the tools provided will not work with MD5 passwords (recommended in Debian
installation).

Many bug reports do not even have a followup by the maintainer saying:
"this is true, will fix". There is a new release upstream (as #150237
says) that seems to fix some of the bugs (such as #142070, #89803, #81721)
since PAM support has been added (as far as I can see in
http://cvs.pld.org.pl/shadow/ChangeLog?rev=1.1). Also, these entries are
important:

* src/useradd.c:
        - fix a security bug (adduser could overwrite previously existing
          groups (shadow-19990827-group.patch from RH),
* lib/commonio.c:
        - installed fix for SEGV when using pwck -s on /etc/passwd file
          with empty lines in it

Most other changes are documentation-related (translated manpages).

Do you need help with this package? You could consider uploading a new
upstream version up to experimental and ask bug-trackers to follow it and
see if it fixes (some of) the bugs that are currently over a year old.

Best regards

        Javi

PS: CCing QA since the people that might provide help are there
PS: Incidentally I just filed a bug against xscreensaver and against passwd,
sorry :(
