-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0943
                          shadow security update
                               18 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           shadow
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Linux variants
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
                   Reduced Security     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-20002 CVE-2017-12424

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2596

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running shadow check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2596-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
March 17, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package        : shadow
Version        : 1:4.4-4.1+deb9u1
CVE ID         : CVE-2017-12424 CVE-2017-20002
Debian Bug     : 756630 914957

Several vulnerabilities were discovered in the shadow suite of login tools.
An attacker may escalate privileges in specific configurations.

CVE-2017-20002

    Shadow incorrectly lists pts/0 and pts/1 as physical terminals in
    /etc/securetty. This allows local users to log in as password-less
    users even if they are connected by non-physical means such as SSH
    (hence bypassing PAM's nullok_secure configuration).

    This notably affects environments such as virtual machines
    automatically generated with a default blank root password, allowing
    all local users to escalate privileges.

    It should be noted however that /etc/securetty will be dropped in
    Debian 11/bullseye.

CVE-2017-12424

    The newusers tool could be made to manipulate internal data structures
    in ways unintended by the authors. Malformed input may lead to crashes
    (with a buffer overflow or other memory corruption) or other
    unspecified behaviors. This crosses a privilege boundary in, for
    example, certain web-hosting environments in which a Control Panel
    allows an unprivileged user account to create subaccounts.

For Debian 9 stretch, these problems have been fixed in version
1:4.4-4.1+deb9u1.

We recommend that you upgrade your shadow packages.

For the detailed security status of shadow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shadow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmBR/ToACgkQDTl9HeUl
XjA89g//dGhD8r80YlY0Fsz/tXKIqdxZ+amDVNcmi5V5qmI76yMpSYVQNR7rXbcq
d5LS8hMSvksextF9cwu9oo9JUXkY7mUg1O+dzehF9UtQn8Jv9BdQmt9Nn+O9jPmD
ypKxHApNs0MfOmAvP7LZzykxmLovXGoyy+OpaxIAZpiNwzKRmifSa79kanm/41mr
O8roJ4bV6wm2q7kvhBkR12kMaIM6ft8p3Fq4NXCQ/VVjydNYypn/rwAn/0JjQQvC
AP606tEvRoApPhs9299q2YZ2tA3I6W2ZwjwiM+qgiOc3Hd8OnhQ/QInYy0YdC6iA
h60xxj98kof8diwS9eYwntM6a1BwsM2XwK18Ye11odlwVUBap7uO7+LlxrqQz/gF
CpAXyJiEZJE1t6yBAhGHhb2QzkbYXiq40aujZ7Tpu9VQJz76ARuchm78OELYy07Z
r8Bvrz/DDt7sS0MfCEqRCvDhpH3Bh3FX5SG2nBBEpm5rMFDL5hND2541h/PEK35s
ZBtlki4fU2YBqsALpGeW6QkvHRE3kyiZrDh9bdM/XtSXLaUmBLyBESoFUGxx+PMN
ffNj84BgJsasLk+RQG/IHpNIjnwsrTnnWE5CyiMId1lA/em3tHHX2mW00hnCtV07
E3FOUo0mm5ljZiHz0qhodGRWTW3K6C1m3vb0I3COX6XzWx+6XNQ=
=Nqeb
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYFKSOONLKJtyKPYoAQjsFA/7B/5bvkTdnQ7BwAoeKHjycyHOuljs8/SG
X89mIdBgf5qbek2TnRPr3AvlcH7Dj6mQVHu9ry/WIfWdSHthi/BhuhFTXxjQyPA/
kuAw+g1yxI6GlUr/eUOzsc2B3N/jSB28DnbjsUyJMyalr6ZB9hGtj5dsKBseQlfg
4fbAlkleVKMMyYvQpjbBWCmCAzcP50vrY4FJsUeiuhB604eVdvv9n4EBp/5psrSQ
2WVbwV2PT3x/+N05RUQ4zVeg67DAHXOGbkNXtnXLL5zm4FrR0bAHRqnLv+LQcpUh
2gkERyku7H2rMjVv+gXfdhqWZmWAYkHQZ2eQqYq7jGgzaAVTBOFdgzYv+59XzAHg
k1BM9l2tBxKBZ3IYqtyEQ0xqy9/AL7Tmr8INKkHJWBmu08POe5h1gwRhgFtsn95P
bjXAo11e3Hf50bFvMfnfCSRWPxdQENiqTOeu41Hd6tC7KXt/JiZd94k0AZHi9But
cBW2DIPi/7L8OfD82eHhBAHtpA3OhIWqS64A1Lxkjoq8L/JzrdNwyr5eUfxYnodp
jSPXba9eK+7WEBjPl5ZQiOLsYNNMDP5aYYV6ASK++cDV2l7Owss7f8ZqBc4e0mI9
ton11DtERyLOJyimMMDxiXOtIzfFJsBAOLNB5VocD8g+Q+QTtUwnShVF+fWycDS1
AaTO7qK+2ck=
=dV4A
-----END PGP SIGNATURE-----
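Editor's added example for the CVE-2017-20002 paragraph above; it is not part of the Debian or AusCERT bulletin. The bypass needs three things at once: /etc/securetty lists pseudo-terminals, the PAM stack uses pam_unix.so with nullok_secure (or plain nullok), and some account has an empty password field in /etc/shadow. The script below checks each link of that chain and only reports VULNERABLE when all three hold. The functions take file paths, so the same logic runs against the live files (as root) or against the constructed sample files it writes to a temporary directory; the sample contents, the VULNERABLE/OK output wording and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the advisory. Audits a host for the
# CVE-2017-20002 chain: pam_unix's nullok_secure permits a blank-password
# login only from a tty named in /etc/securetty, so listing pts/N there
# extends that permission to SSH sessions and other pseudo-terminals.

# True (exit 0) if the securetty file lists any pseudo-terminal.
# A missing file counts as "no pts entries" (bullseye dropped the file).
securetty_lists_pts() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -Eq '^[[:space:]]*pts/[0-9]+[[:space:]]*$'
}

# Print the names of accounts whose shadow password field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# True if a pam.d file calls pam_unix.so with nullok_secure, or with plain
# nullok (which accepts blank passwords from any tty and is worse).
pam_allows_blank_password() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq 'pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)'
}

# Usage: check_cve_2017_20002 SECURETTY SHADOW PAM_AUTH_FILE
# Prints "VULNERABLE: ..." only when every link of the chain is present.
check_cve_2017_20002() {
    securetty="$1"; shadow="$2"; pam="$3"
    if securetty_lists_pts "$securetty" \
       && pam_allows_blank_password "$pam" \
       && [ -n "$(empty_password_accounts "$shadow")" ]; then
        echo "VULNERABLE: pts/ entries in $securetty; blank-password accounts: $(empty_password_accounts "$shadow" | tr '\n' ' ')"
    else
        echo "OK"
    fi
}

# Constructed sample files (not real system data) so this runs stand-alone.
samples="$(mktemp -d)"
# Shape of the stretch securetty before the fix: pts/0 and pts/1 present.
printf 'console\ntty1\ntty2\n# pseudo-terminals wrongly listed as physical\npts/0\npts/1\n' \
    > "$samples/securetty.bad"
printf 'console\ntty1\ntty2\n' > "$samples/securetty.fixed"
# root with an empty password field, as in an auto-generated VM image.
printf 'root::18000:0:99999:7:::\nalice:$6$saltsalt$hashhashhash:18000:0:99999:7:::\n' \
    > "$samples/shadow"
# Debian-style common-auth line using nullok_secure.
printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\nauth\trequisite\tpam_deny.so\n' \
    > "$samples/common-auth"

echo "before fix: $(check_cve_2017_20002 "$samples/securetty.bad" "$samples/shadow" "$samples/common-auth")"
echo "after fix:  $(check_cve_2017_20002 "$samples/securetty.fixed" "$samples/shadow" "$samples/common-auth")"
```

On a real stretch host run `check_cve_2017_20002 /etc/securetty /etc/shadow /etc/pam.d/common-auth` as root. Note that upgrading the package only fixes the first link; an image that ships a blank root password is still one misconfiguration away from the same outcome, so the empty-password check is worth keeping in a baseline audit on its own.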
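Editor's added example for the CVE-2017-12424 paragraph above; it is not code from the advisory or from the shadow project. The advisory's concern is a control panel handing unprivileged users' data to newusers(8), which mis-handles malformed input. The validator below is a gatekeeper such a panel could run on each record before it reaches newusers: it enforces the seven-field layout and a conservative grammar for every field, so only input the tool is documented to accept is ever passed in. The username and home-directory grammar, the allowed shells, the ban on uid/gid 0 and the length cap are policy choices assumed for this example, not limits taken from newusers itself.

```shell
#!/bin/sh
# Added example, not part of the advisory. Validates a newusers(8) input
# record of the form name:passwd:uid:gid:gecos:home:shell before it is
# handed to newusers. All constraints are this example's assumed policy.

# Returns 0 if the record is acceptable, 1 otherwise (reason on stderr).
validate_newusers_line() {
    line="$1"
    # Control characters (a newline would smuggle in a second record)
    # are rejected outright: the record must survive tr -d unchanged.
    [ "$(printf '%s' "$line" | tr -d '[:cntrl:]')" = "$line" ] \
        || { echo "control character in record" >&2; return 1; }
    [ ${#line} -le 512 ] || { echo "record too long" >&2; return 1; }
    # Exactly seven colon-separated fields, no more and no fewer.
    nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    [ "$nf" -eq 7 ] || { echo "expected 7 fields, got $nf" >&2; return 1; }
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    # Username: lowercase letter first, then [a-z0-9_-], at most 32 chars.
    printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9_-]{0,31}$' \
        || { echo "bad username: $name" >&2; return 1; }
    # uid/gid: empty (let newusers choose) or a positive decimal; never 0.
    for id in "$uid" "$gid"; do
        printf '%s\n' "$id" | grep -Eq '^([1-9][0-9]{0,9})?$' \
            || { echo "bad uid/gid: $id" >&2; return 1; }
    done
    # Home: a single directory directly under /home (no "..", no nesting).
    printf '%s\n' "$home" | grep -Eq '^/home/[a-z][a-z0-9_-]{0,31}$' \
        || { echo "home not allowed: $home" >&2; return 1; }
    # Shell: fixed allow-list rather than anything found in /etc/shells.
    case "$shell" in
        /bin/sh|/bin/bash|/usr/sbin/nologin) ;;
        *) echo "shell not allowed: $shell" >&2; return 1 ;;
    esac
    return 0
}

# Constructed records: one a panel should forward, one it must drop.
for rec in 'alice:x:1001:1001:Alice Example:/home/alice:/bin/bash' \
           'mallory:x:0:0:Root please:/home/mallory:/bin/sh'; do
    if validate_newusers_line "$rec"; then
        echo "accept: $rec"
    else
        echo "reject: $rec"
    fi
done
```

Feed only records that pass through to newusers, and keep the validator and newusers on the privileged side of the panel boundary; validating in the unprivileged web tier alone does nothing, since that tier is the thing the advisory treats as untrusted.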