[SECURITY] [DLA 838-1] shadow security update

2017-02-2623:29:19

lists.debian.org

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:N/I:N/A:C

0.0004 Low

EPSS

Percentile

5.3%

JSON

Package : shadow
Version : 4.1.5.1-1+deb7u1
CVE ID : CVE-2017-2616
Debian Bug : 855943

Tobias Stoeckmann discovered that su does not properly handle clearing a
child PID. A local attacker can take advantage of this flaw to send
SIGKILL to other processes with root privileges, resulting in denial of
service.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.5.1-1+deb7u1.

We recommend that you upgrade your shadow packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian7armhflogin< 1:4.1.5.1-1+deb7u1login_1:4.1.5.1-1+deb7u1_armhf.deb
Debian8kfreebsd-amd64login< 1:4.2-3+deb8u3login_1:4.2-3+deb8u3_kfreebsd-amd64.deb
Debian8s390xpasswd< 1:4.2-3+deb8u3passwd_1:4.2-3+deb8u3_s390x.deb
Debian8arm64login< 1:4.2-3+deb8u3login_1:4.2-3+deb8u3_arm64.deb
Debian8mipselpasswd< 1:4.2-3+deb8u3passwd_1:4.2-3+deb8u3_mipsel.deb
Debian8i386login< 1:4.2-3+deb8u3login_1:4.2-3+deb8u3_i386.deb
Debian8kfreebsd-amd64passwd< 1:4.2-3+deb8u3passwd_1:4.2-3+deb8u3_kfreebsd-amd64.deb
Debian7amd64login< 1:4.1.5.1-1+deb7u1login_1:4.1.5.1-1+deb7u1_amd64.deb
Debian8arm64uidmap< 1:4.2-3+deb8u3uidmap_1:4.2-3+deb8u3_arm64.deb
Debian8powerpcpasswd< 1:4.2-3+deb8u3passwd_1:4.2-3+deb8u3_powerpc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	armhf	login	< 1:4.1.5.1-1+deb7u1	login_1:4.1.5.1-1+deb7u1_armhf.deb
Debian	8	kfreebsd-amd64	login	< 1:4.2-3+deb8u3	login_1:4.2-3+deb8u3_kfreebsd-amd64.deb
Debian	8	s390x	passwd	< 1:4.2-3+deb8u3	passwd_1:4.2-3+deb8u3_s390x.deb
Debian	8	arm64	login	< 1:4.2-3+deb8u3	login_1:4.2-3+deb8u3_arm64.deb
Debian	8	mipsel	passwd	< 1:4.2-3+deb8u3	passwd_1:4.2-3+deb8u3_mipsel.deb
Debian	8	i386	login	< 1:4.2-3+deb8u3	login_1:4.2-3+deb8u3_i386.deb
Debian	8	kfreebsd-amd64	passwd	< 1:4.2-3+deb8u3	passwd_1:4.2-3+deb8u3_kfreebsd-amd64.deb
Debian	7	amd64	login	< 1:4.1.5.1-1+deb7u1	login_1:4.1.5.1-1+deb7u1_amd64.deb
Debian	8	arm64	uidmap	< 1:4.2-3+deb8u3	uidmap_1:4.2-3+deb8u3_arm64.deb
Debian	8	powerpc	passwd	< 1:4.2-3+deb8u3	passwd_1:4.2-3+deb8u3_powerpc.deb