[lfs-dev] Bug#832170: shadow: CVE-2016-6252: Incorrect integer handling
kb0iic at berzerkula.org
Sat Jul 23 18:46:18 PDT 2016
On Sat, 23 Jul 2016 11:24:58 -0500
"Douglas R. Reno" <renodr at linuxfromscratch.org> wrote:
> Bruce Dubbs wrote:
> > I can find no description for this vulnerability. The links just say
> > that the Debian version is vulnerable and unfixed. Looking at Mitre,
> > they just say the CVE entry is reserved.
> > Without any detail, there is nothing we can do.
> > RedHat does say the vulnerability is 'local'.
> > I did find this:
> > http://seclists.org/oss-sec/2016/q3/115
> > -- Bruce
> The CVE will remain reserved as long as a company like Novell (SuSE) or
> RedHat feels like it. There is no policy on that. There are several that
> have been released publicly that still say reserved thanks to the
> actions of those companies. Canonical is probably the same way. See the
> emails I forwarded privately for patches and such. I don't think Mailman
> would approve of me forwarding all 7 of them at one time.
Thank you for the Shadow resources. I've also been watching the pkg-shadow-devel list for a long time. There are many updates since the last Shadow release, and a new maintainer is also in the mix. They are planning a Shadow 4.3 release which fixes a lot of issues. Be on the lookout for it in a few weeks/months. The release has been slow moving.
Please review changes at https://github.com/shadow-maint/shadow
William Harrington <kb0iic at berzerkula.org>