Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#73246 - Shadow: CVE-2013-4235 fixed in Shadow-4.11.1
Attached to Project:
Arch Linux
Opened by Douglas R. Reno (renodr) - Monday, 03 January 2022, 18:41 GMT
Last edited by Allan McRae (Allan) - Thursday, 27 January 2022, 13:53 GMT
Opened by Douglas R. Reno (renodr) - Monday, 03 January 2022, 18:41 GMT
Last edited by Allan McRae (Allan) - Thursday, 27 January 2022, 13:53 GMT
|
DetailsDescription:
According to the release notes upstream, CVE-2013-4235 was fixed in Shadow. While it might be a Medium-severity CVE (per NVD), 8-9 years or so is still a very long time for a bug to be unfixed, regardless of the severity. Additional info: * package version(s) * config and/or log files etc. * link to upstream bug report, if any https://github.com/shadow-maint/shadow/releases/tag/v4.11 https://github.com/shadow-maint/shadow/issues/317 Steps to reproduce: N/A |
This task depends upon
Closed by Allan McRae (Allan)
Thursday, 27 January 2022, 13:53 GMT
Reason for closing: Fixed
Additional comments about closing: shadow-4.11.1-1
Thursday, 27 January 2022, 13:53 GMT
Reason for closing: Fixed
Additional comments about closing: shadow-4.11.1-1
Comment by loqs (loqs) -
Monday, 03 January 2022, 21:44 GMT
Do you have a path of trust from the signing key F1D08DB778185BF784002DFFE9FEEA06A85E3F9D to 66D0387DB85D320F8408166DB175CFA98F192AF2 which signed 4.10, 4.11 and 4.11.1?
Comment by Douglas R. Reno (renodr) -
Monday, 03 January 2022, 23:32 GMT
I'm not aware of any sorry, I'm just another distributor, not related to the Shadow project at all. :)