Freeze exception for shadow


Freeze exception for shadow

by Nicolas François

Dear RMs,

I would like to make an update for shadow to fix a bug in the SHA password
encryption method.

I don't think this patch would be required for security reasons (I consider
the current SHA method, with the bug, still more secure than the MD5 password
encryption method), but I would prefer to get it right in stable.

The patch, already applied upstream, is attached.

Together with that update, I would like to backport some patches for the
manpages:
- Document the -r, --system option in the useradd, groupadd, and newusers
  manpages.
- Document the -c, --crypt-method and -s, --sha-rounds options in the
  newusers manpage.
- Document the -k, --skel option in the useradd manpage.

And document some of the Debian patches (basically indicating that some of
them are now applied upstream).

Would an upload be OK for
 * the fix for the SHA password encrypt method
 * documentation of options
 * documentation of patches

Best Regards,
--
Nekral


Index: libmisc/salt.c
===================================================================
--- libmisc/salt.c (révision 1988)
+++ libmisc/salt.c (copie de travail)
@@ -90,9 +90,10 @@
  */
 static unsigned int SHA_salt_size (void)
 {
- double rand_rounds = 9 * random ();
- rand_rounds /= RAND_MAX;
- return 8 + rand_rounds;
+ double rand_size;
+ seedRNG ();
+ rand_size = (double) 9.0 * random () / RAND_MAX;
+ return 8 + rand_size;
 }
 
 /* ! Arguments evaluated twice ! */
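Review bot: In SHA_salt_size, `9.0 * random () / RAND_MAX` reaches exactly 9.0 when random () returns RAND_MAX, so `return 8 + rand_size;` can yield 17, one past the 8-16 range stated in the ChangeLog entry. Dividing by `(RAND_MAX + 1.0)` keeps the scaled value strictly below 9. The double is also converted to unsigned int implicitly on return; an explicit cast would show that the truncation is intended.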
@@ -131,8 +132,8 @@
  if (min_rounds > max_rounds)
  max_rounds = min_rounds;
 
- srand (time (NULL));
- rand_rounds = (max_rounds-min_rounds+1) * random ();
+ seedRNG ();
+ rand_rounds = (double) (max_rounds-min_rounds+1.0) * random ();
  rand_rounds /= RAND_MAX;
  rounds = min_rounds + rand_rounds;
  } else if (0 == *prefered_rounds)
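Review bot: The scaling in the rounds path is off by one at the top end: with `(max_rounds-min_rounds+1.0) * random ()` divided by RAND_MAX, a random () result equal to RAND_MAX gives `rounds = max_rounds + 1`, above the configured maximum. Divide by `(RAND_MAX + 1.0)` or clamp rounds to max_rounds after the addition. Separately, RAND_MAX is the bound defined for rand (), while random () is specified to return values up to 2^31-1; the code relies on the two being equal, which deserves a comment or an explicit constant.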
Index: ChangeLog
===================================================================
--- ChangeLog (révision 1994)
+++ ChangeLog (copie de travail)
@@ -1,5 +1,15 @@
 2008-05-20  Nicolas François  <nicolas.francois@...>
 
+ * NEWS, libmisc/salt.c (SHA_salt_size): Seed the RNG, and fix a
+ overflow. These caused the SHA salt size to always be 8 bytes,
+ instead of being in the 8-16 range. Thanks to Peter Vrabec
+ pvrabec@... for noticing.
+ * NEWS, libmisc/salt.c (SHA_salt_rounds): Seed the RNG with
+ seedRNG instead of srand, and fix the same overflow. This caused
+ the number of rounds to always be the smallest one.
+
+2008-05-20  Nicolas François  <nicolas.francois@...>
+
  * man/newusers.8.xml man/groupmems.8.xml man/groupdel.8.xml
  man/useradd.8.xml man/groupadd.8.xml man/newgrp.1.xml man/sg.1.xml
  man/chgpasswd.8.xml man/groupmod.8.xml: Tag the section which
Index: NEWS
===================================================================
--- NEWS (révision 1994)
+++ NEWS (copie de travail)
@@ -2,6 +2,15 @@
 
 shadow-4.1.1 -> shadow-4.1.2 UNRELEASED
 
+*** security:
+- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers,
+  chgpasswd; and also passwd if configured without PAM support).
+  The number of rounds and number of salt bytes was fixed to their lower
+  allowed values (resp. configurable and 8), hence voiding some of the
+  advantages of this encryption method. Dictionary attacks with
+  precomputed tables were easier than expected, but still harder than with
+  the MD5 (or DES) methods.
+
 *** general:
 - packaging
   * Distribute the chfn, chsh, and userdel PAM configuration file.
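Review bot: The security entry names the affected tools but does not tell administrators what happens to hashes those tools have already written: a stored hash keeps its 8-byte salt and minimum round count until the password is changed. A sentence saying so would make the entry actionable. In the same paragraph, "was fixed to their lower allowed values" can be read as "was repaired"; "were always set to their lowest allowed values" is unambiguous.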


Re: Freeze exception for shadow

by Nicolas François

Hello,

Here is the patch I would like to get accepted:
 debian/patches/300_SHA_crypt_method                                     |   36 +
 debian/patches/301_manpages_missing_options                             |  197 ++++++++++
 shadow-4.1.1/debian/changelog                                           |   26 +
 shadow-4.1.1/debian/login.defs                                          |   36 +
 shadow-4.1.1/debian/patches/008_su_get_PAM_username                     |   23 -
 shadow-4.1.1/debian/patches/406_vipw_resume_properly                    |    2
 shadow-4.1.1/debian/patches/414_remove-unwise-advices                   |   10
 shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--        |    4
 shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message         |    2
 shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection |    2
 shadow-4.1.1/debian/patches/series                                      |    2
 11 files changed, 325 insertions(+), 15 deletions(-)

Compared to my previous mail, I added some comments in /etc/login.defs.
300_SHA_crypt_method is the only code change. Other changes are
documentation.

Can I upload it?

The full diff is attached.

Thanks in advance,
--
Nekral


diff -u shadow-4.1.1/debian/login.defs shadow-4.1.1/debian/login.defs
--- shadow-4.1.1/debian/login.defs
+++ shadow-4.1.1/debian/login.defs
@@ -176,12 +176,18 @@
 #
 UID_MIN 1000
 UID_MAX 60000
+# System accounts
+#SYS_UID_MIN  100
+#SYS_UID_MAX  999
 
 #
 # Min/max values for automatic gid selection in groupadd
 #
 GID_MIN  100
 GID_MAX 60000
+# System accounts
+#SYS_GID_MIN  100
+#SYS_GID_MAX  999
 
 #
 # Max number of login retries if password is bad. This will most likely be
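Review bot: The commented SYS_GID_MIN/SYS_GID_MAX example (100-999) overlaps the active `GID_MIN  100` / `GID_MAX 60000` range just above it, so the two ranges share ids 100-999 if the example is uncommented as written. Either say that the overlap is intended or choose example values that sit below GID_MIN. The "# System accounts" comments should also say what consumes these variables (the -r, --system option documented elsewhere in this upload).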
@@ -266,8 +272,38 @@
 #
 # This variable is used by chpasswd, gpasswd and newusers.
 #
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
 #MD5_CRYPT_ENAB no
 
+#
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+#ENCRYPT_METHOD DES
+
+#
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password.
+# But note also that it more CPU resources will be needed to authenticate
+# users.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be inside the 1000-999999999 range.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+# SHA_CRYPT_MIN_ROUNDS 5000
+# SHA_CRYPT_MAX_ROUNDS 5000
+
 ################# OBSOLETED BY PAM ##############
 # #
 # These options are now handled by PAM. Please #
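Review bot: The SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS comment covers the cases "only one value set" and "MIN > MAX" but not the normal case where both are set and MIN < MAX; the salt.c change in this upload picks a random value between the two, and the comment should say so. Two sentences need a grammar pass: "it is more difficult to brute forcing the password" and "it more CPU resources will be needed". The two example lines use "# SHA_CRYPT_..." with a space after the hash, while the other commented-out settings in this hunk (#ENCRYPT_METHOD, #MD5_CRYPT_ENAB) have none.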
diff -u shadow-4.1.1/debian/changelog shadow-4.1.1/debian/changelog
--- shadow-4.1.1/debian/changelog
+++ shadow-4.1.1/debian/changelog
@@ -1,3 +1,29 @@
+shadow (1:4.1.1-2) UNRELEASED; urgency=low
+
+  * The "Brie de Meaux" and "Brie de Melun" double cheese release.
+  * Backported patches from upstream
+    - debian/patches/300_SHA_crypt_method:
+      This fixes bugs in the SHA encryption method that force the salt to have
+      8 bytes (instead of a random length between 8 and 16 bytes), and force
+      the number of SHA rounds to be equal to the lowest limit (at least 1000
+      SHA rounds).
+    - debian/patches/301_manpages_missing_options:
+      This add the missing documentation of options in useradd, groupadd, and
+      newusers.
+  * Tag patches already applied upstream
+    - debian/patches/487_passwd_chauthtok_failed_message
+    - debian/patches/406_vipw_resume_properly
+    - debian/patches/008_su_get_PAM_username
+    - debian/patches/491_configure.in_friendly_selinux_detection
+    - debian/patches/434_login_stop_checking_args_after--
+    - debian/patches/414_remove-unwise-advices
+  * Added description of new variables in /etc/login.defs:
+    - SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN, SYS_GID_MAX
+    - ENCRYPT_METHOD
+    - SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@...>  Wed, 21 May 2008 22:13:49 +0200
+
 shadow (1:4.1.1-1) unstable; urgency=low
 
   * New upstream release. This closes the following bugs:
diff -u shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message
--- shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message
+++ shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message
@@ -4,7 +4,7 @@
 
 Fixes: #352137
 
-Status wrt upstream: not forwarded yet
+Status wrt upstream: Applied upstream.
 
 Index: shadow-4.1.0/libmisc/pam_pass.c
 ===================================================================
diff -u shadow-4.1.1/debian/patches/series shadow-4.1.1/debian/patches/series
--- shadow-4.1.1/debian/patches/series
+++ shadow-4.1.1/debian/patches/series
@@ -30,0 +31,2 @@
+300_SHA_crypt_method
+301_manpages_missing_options
diff -u shadow-4.1.1/debian/patches/406_vipw_resume_properly shadow-4.1.1/debian/patches/406_vipw_resume_properly
--- shadow-4.1.1/debian/patches/406_vipw_resume_properly
+++ shadow-4.1.1/debian/patches/406_vipw_resume_properly
@@ -4,7 +4,7 @@
 
 Author: dean gaudet <dean@...>
 
-Status wrt upstream: should be forwarded
+Status wrt upstream: Fixed upstream
 
 Index: shadow-4.1.0/src/vipw.c
 ===================================================================
diff -u shadow-4.1.1/debian/patches/008_su_get_PAM_username shadow-4.1.1/debian/patches/008_su_get_PAM_username
--- shadow-4.1.1/debian/patches/008_su_get_PAM_username
+++ shadow-4.1.1/debian/patches/008_su_get_PAM_username
@@ -1,9 +1,22 @@
-Goal: ???
+Goal: Retrieve the PAM username in case a module changed the PAM_USER
+      item.
 
-Notes:
- * It still needs more investigation.
-   I don't know what this patch is used for. IMO, the user name is
-   already known before calling pam_get_item(pamh, PAM_USER, ...)
+According to Linux-PAM_ADG:
+ * Note, modules can change the values of PAM_USER and PAM_RUSER during
+   any of the pam_*() library calls. For this reason, the application
+   should take care to use the pam_get_item() every time it wishes to
+   establish who the authenticated user is (or will currently be).
+
+PAM_USER description:
+
+    The username of the entity under whose identity service will be given. That
+    is, following authentication, PAM_USER identifies the local entity that
+    gets to use the service. Note, this value can be mapped from something
+    (eg., "anonymous") to something else (eg. "guest119") by any module in the
+    PAM stack. As such an application should consult the value of PAM_USER
+    after each call to a PAM function.
+
+See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html
 
 Index: shadow-4.1.0/src/su.c
 ===================================================================
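Review bot: The rewritten header for 008_su_get_PAM_username has no "Status wrt upstream:" line, although debian/changelog lists this patch under "Tag patches already applied upstream" and the other patch headers touched in this upload carry one. Add the status line so the header agrees with the changelog.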
diff -u shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection
--- shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection
+++ shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection
@@ -5,7 +5,7 @@
 
 Author: Mike Frysinger <vapier@...>
 
-Status wrt upstream: reported by Mike, not applied yet
+Status wrt upstream: Fixed upstream.
 
 Index: shadow-4.1.0/configure.in
 ===================================================================
diff -u shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--
--- shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--
+++ shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--
@@ -1,9 +1,7 @@
 Goal: terminate argument validation in login when it hits a '--'.
 Fixes: #66368
 
-Status wrt upstream: It could certainly be submitted to upstream.
-                     Upstream comment: "Better will be rewrite login
-                     for use getopt_long()."
+Status wrt upstream: Applied upstream.
 
 Index: shadow-4.1.0/src/login.c
 ===================================================================
diff -u shadow-4.1.1/debian/patches/414_remove-unwise-advices shadow-4.1.1/debian/patches/414_remove-unwise-advices
--- shadow-4.1.1/debian/patches/414_remove-unwise-advices
+++ shadow-4.1.1/debian/patches/414_remove-unwise-advices
@@ -1,7 +1,7 @@
 Goal: Remove quite unwise password choice advices in passwd manpage
 Fixes: #386818
 
-Status wrt upstream: Forwarded without patch but ignored up to now
+Status wrt upstream: Applied upstream
 
 Note:
 
@@ -9,14 +9,16 @@
 ===================================================================
 --- shadow-4.1.0.orig/man/passwd.1.xml
 +++ shadow-4.1.0/man/passwd.1.xml
-@@ -114,35 +114,9 @@
+@@ -113,36 +113,10 @@
+       </para>
 
        <para>
- Your password must be easily remembered so that you will not be forced
+- Your password must be easily remembered so that you will not be forced
 - to write it on a piece of paper. This can be accomplished by
 - appending two small words together and separating each with a
 - special character or digit. For example, Pass%word.
-+ to write it on a piece of paper.
++ You can find advices on how to choose a strong password on
++ http://en.wikipedia.org/wiki/Password_strength
        </para>
 
 -      <para>
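Review bot: In the replacement paragraph, "You can find advices on how to choose a strong password" should read "advice", which is uncountable. The URL is also left as bare text inside the <para>; marking it up (for example with DocBook's <ulink>) would let the manpage toolchain render it consistently.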
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/300_SHA_crypt_method
+++ shadow-4.1.1/debian/patches/300_SHA_crypt_method
@@ -0,0 +1,36 @@
+Goal: Fix bugs in the SHA encryption method that force the salt to have 8
+      bytes (instead of a random length between 8 and 16 bytes), and force
+      the number of SHA rounds to be equal to the lowest limit (at least
+      1000 SHA rounds).
+
+Status wrt upstream: Already applied upstream.
+
+Index: shadow-4.1.1/libmisc/salt.c
+===================================================================
+--- shadow-4.1.1.orig/libmisc/salt.c 2008-02-03 18:23:31.000000000 +0100
++++ shadow-4.1.1/libmisc/salt.c 2008-05-21 22:24:32.734281067 +0200
+@@ -90,9 +90,10 @@
+  */
+ static unsigned int SHA_salt_size (void)
+ {
+- double rand_rounds = 9 * random ();
+- rand_rounds /= RAND_MAX;
+- return 8 + rand_rounds;
++ double rand_size;
++ seedRNG ();
++ rand_size = (double) 9.0 * random () / RAND_MAX;
++ return 8 + rand_size;
+ }
+
+ /* ! Arguments evaluated twice ! */
+@@ -131,8 +132,8 @@
+ if (min_rounds > max_rounds)
+ max_rounds = min_rounds;
+
+- srand (time (NULL));
+- rand_rounds = (max_rounds-min_rounds+1) * random ();
++ seedRNG ();
++ rand_rounds = (double) (max_rounds-min_rounds+1.0) * random ();
+ rand_rounds /= RAND_MAX;
+ rounds = min_rounds + rand_rounds;
+ } else if (0 == *prefered_rounds)
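Review bot: seedRNG () is now called on every entry to SHA_salt_size and again in the rounds path, but its definition is not part of this patch. Please confirm that it seeds only once per process; if it reseeds from a clock value on each call, the salt size and the round count chosen for the same password would come from nearly identical seeds. The patch header would also be easier to audit if it recorded the upstream revision the change was taken from.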
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/301_manpages_missing_options
+++ shadow-4.1.1/debian/patches/301_manpages_missing_options
@@ -0,0 +1,197 @@
+Goal: Add missing documentation of options in useradd, groupadd and
+      newusers
+
+Status wrt upstream: Already applied.
+
+Index: shadow-4.1.1/man/useradd.8.xml
+===================================================================
+--- shadow-4.1.1.orig/man/useradd.8.xml 2008-05-21 22:44:47.654281023 +0200
++++ shadow-4.1.1/man/useradd.8.xml 2008-05-21 23:04:47.679903645 +0200
+@@ -189,23 +189,25 @@
+       </varlistentry>
+       <varlistentry>
+ <term>
+-  <option>-m</option>, <option>--create-home</option>
++  <option>-k</option>, <option>--skel</option>
++  <replaceable>SKEL_DIR</replaceable>
+ </term>
+ <listitem>
+  <para>
+-    The user's home directory will be created if it does not exist.
+-    The files contained in <replaceable>SKEL_DIR</replaceable> will
+-    be copied to the home directory if the <option>-k</option>
+-    option is used, otherwise the files contained in
+-    <filename>/etc/skel</filename> will be used instead. Any
+-    directories contained in <replaceable>SKEL_DIR</replaceable> or
+-    <filename>/etc/skel</filename> will be created in the user's
+-    home directory as well. The <option>-k</option> option is only
+-    valid in conjunction with the <option>-m</option> option. The
+-    default is to not create the directory and to not copy any
+-    files.
+-    This option may not function correctly if the username has a / in it.
++    The skeleton directory, which contains files and directories
++    to be copied in the user's home directory, when the home
++    directory is created by <command>useradd</command>.
++  </para>
++  <para>
++    This option is only valid if the <option>-m</option> (or
++    <option>--create-home</option>) option is specified.
+  </para>
++  <para>
++    If this option is not set, the skeleton directory is defined
++    in <filename>/etc/default/useradd</filename> or, by default,
++    <filename>/etc/skel</filename>.
++  </para>
++  <para>This option may not function correctly if the username has a / in it.</para>
+ </listitem>
+       </varlistentry>
+       <varlistentry>
+@@ -255,6 +257,22 @@
+       </varlistentry>
+       <varlistentry>
+ <term>
++  <option>-m</option>, <option>--create-home</option>
++ </term>
++ <listitem>
++  <para>
++    Create the user's home directory if it does not exist.
++    The files and directories contained in the skeleton directory
++    (which can be defined with the <option>-k</option> option)
++    will be copied to the home directory.
++  </para>
++  <para>
++    By default, no home directories are created.
++  </para>
++ </listitem>
++      </varlistentry>
++      <varlistentry>
++ <term>
+  <option>-N</option>, <option>--no-user-group</option>
+ </term>
+ <listitem>
+@@ -295,6 +313,25 @@
+       </varlistentry>
+       <varlistentry>
+ <term>
++  <option>-r</option>, <option>--system</option>
++ </term>
++ <listitem>
++  <para>
++    Create a system account.
++  </para>
++  <para>
++    System users will be created with no aging information in
++    <filename>/etc/shadow</filename>, and their numeric
++    identifiers are choosen in the
++    <option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option>
++    range, defined in <filename>login.defs</filename>, instead of
++    <option>UID_MIN</option>-<option>UID_MAX</option> (and their
++    <option>GID</option> counterparts for the creation of groups).
++  </para>
++ </listitem>
++      </varlistentry>
++      <varlistentry>
++ <term>
+  <option>-s</option>, <option>--shell</option>
+  <replaceable>SHELL</replaceable>
+ </term>
+Index: shadow-4.1.1/man/groupadd.8.xml
+===================================================================
+--- shadow-4.1.1.orig/man/groupadd.8.xml 2008-02-25 22:14:56.000000000 +0100
++++ shadow-4.1.1/man/groupadd.8.xml 2008-05-21 22:44:47.702280863 +0200
+@@ -126,6 +126,22 @@
+  </para>
+ </listitem>
+       </varlistentry>
++      <varlistentry>
++ <term>
++  <option>-r</option>, <option>--system</option>
++ </term>
++ <listitem>
++  <para>
++    Create a system group.
++  </para>
++  <para>
++    The numeric identifiers of new system groups are choosen in
++    the <option>SYS_GID_MIN</option>-<option>SYS_GID_MAX</option>
++    range, defined in <filename>login.defs</filename>, instead of
++    <option>GID_MIN</option>-<option>GID_MAX</option>.
++  </para>
++ </listitem>
++      </varlistentry>
+     </variablelist>
+   </refsect1>
+
+Index: shadow-4.1.1/man/newusers.8.xml
+===================================================================
+--- shadow-4.1.1.orig/man/newusers.8.xml 2008-02-25 22:14:56.000000000 +0100
++++ shadow-4.1.1/man/newusers.8.xml 2008-05-21 22:44:47.702280863 +0200
+@@ -94,6 +94,68 @@
+     </para>
+   </refsect1>
+
++  <refsect1 id='options'>
++    <title>OPTIONS</title>
++    <para>The options which apply to the <command>newusers</command> command are:
++    </para>
++    <variablelist remap='IP'>
++      <varlistentry>
++ <term><option>-c</option>, <option>--crypt-method</option></term>
++ <listitem>
++  <para>Use the specified method to encrypt the passwords.</para>
++  <para>
++    The available methods are DES, MD5, NONE, and SHA256 or SHA512
++    if your libc support these methods.
++  </para>
++ </listitem>
++      </varlistentry>
++      <varlistentry>
++ <term>
++  <option>-r</option>, <option>--system</option>
++ </term>
++ <listitem>
++  <para>
++    Create a system account.
++  </para>
++  <para>
++    System users will be created with no aging information in
++    <filename>/etc/shadow</filename>, and their numeric
++    identifiers are choosen in the
++    <option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option>
++    range, defined in <filename>login.defs</filename>, instead of
++    <option>UID_MIN</option>-<option>UID_MAX</option> (and their
++    <option>GID</option> counterparts for the creation of groups).
++  </para>
++ </listitem>
++      </varlistentry>
++      <varlistentry condition="sha_crypt">
++ <term><option>-s</option>, <option>--sha-rounds</option></term>
++ <listitem>
++  <para>
++    Use the specified number of rounds to encrypt the passwords.
++  </para>
++  <para>
++    The value 0 means that the system will choose the default
++    number of rounds for the crypt method (5000).
++  </para>
++  <para>
++    A minimal value of 1000 and a maximal value of 999,999,999
++    will be enforced.
++  </para>
++  <para>
++    You can only use this option with the SHA256 or SHA512
++    crypt method.
++  </para>
++  <para>
++    By default, the number of rounds is defined by the
++    SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
++    <filename>/etc/login.defs</filename>.
++  </para>
++ </listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
+   <refsect1 id='caveats'>
+     <title>CAVEATS</title>
+     <para>
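Review bot: The new <term> entries for -c, --crypt-method and -s, --sha-rounds in newusers.8.xml take an argument but carry no <replaceable> placeholder, unlike -k, --skel with <replaceable>SKEL_DIR</replaceable> in useradd.8.xml. Add placeholders so the reader can see that a value is required. Also, "choosen" (three occurrences) should be "chosen", and "if your libc support these methods" should be "supports".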


Re: Freeze exception for shadow

by Petter Reinholdtsen

[Nicolas François]
> Compared to my previous mail, I added some comments in /etc/login.defs.

Will the comments in /etc/login.defs trigger a conffile prompt from
dpkg on installations where the local admin had edited login.defs
before the upgrade?  If so, I urge you to not make such change in a
stable update.

Happy hacking,
--
Petter Reinholdtsen


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Freeze exception for shadow

by Otavio Salvador

Petter Reinholdtsen <pere@...> writes:

> [Nicolas François]
>> Compared to my previous mail, I added some comments in /etc/login.defs.
>
> Will the comments in /etc/login.defs trigger a conffile prompt from
> dpkg on installations where the local admin had edited login.defs
> before the upgrade?  If so, I urge you to not make such change in a
> stable update.

This indeed makes sense. A lot of users tend to use non-interactive
upgrade process in servers and that would break that.

--
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@...      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://otavio.ossystems.com.br
---------------------------------------------
"Microsoft sells you Windows ... Linux gives
 you the whole house."




Re: Freeze exception for shadow

by Nicolas François

On Wed, May 21, 2008 at 07:14:51PM -0300, Otavio Salvador wrote:

> Petter Reinholdtsen <pere@...> writes:
>
> > [Nicolas François]
> >> Compared to my previous mail, I added some comments in /etc/login.defs.
> >
> > Will the comments in /etc/login.defs trigger a conffile prompt from
> > dpkg on installations where the local admin had edited login.defs
> > before the upgrade?  If so, I urge you to not make such change in a
> > stable update.
>
> This indeed makes sense. A lot of users tend to use non-interactive
> upgrade process in servers and that would break that.


Sorry, I did not specify it, and the distribution was still UNRELEASED.
I'm targeting an unstable upload (and shadow (login) is Essential, thus frozen).

For Etch -> Lenny upgrades, another change in this conf file will already
require a prompt (/usr/bin/X11 removed from PATH).

Best Regards,
--
Nekral




Re: Freeze exception for shadow

by Luk Claes

Nicolas François wrote:
> Dear RMs,

Hi

> I would like to make an update for shadow to fix a bug in the SHA password
> encryption method.

I guess that's for unstable? If so, please go ahead.

Cheers

Luk




Re: Freeze exception for shadow

by Nicolas François

Hi,

On Tue, Jun 10, 2008 at 07:32:45PM +0200, Luk Claes wrote:
> Nicolas François wrote:
>
> > I would like to make an update for shadow to fix a bug in the SHA password
> > encryption method.
>
> I guess that's for unstable? If so, please go ahead.

shadow is now 10 days old.
No significant bugs were raised since then.

Please unblock shadow/1:4.1.1-2 for Lenny.

Thanks in advance,
--
Nekral




Re: Freeze exception for shadow

by Luk Claes

Nicolas François wrote:

> Hi,
>
> On Tue, Jun 10, 2008 at 07:32:45PM +0200, Luk Claes wrote:
>> Nicolas François wrote:
>>
>>> I would like to make an update for shadow to fix a bug in the SHA password
>>> encryption method.
>> I guess that's for unstable? If so, please go ahead.
>
> shadow is now 10 days old.
> No significant bugs were raised since then.
>
> Please unblock shadow/1:4.1.1-2 for Lenny.

unblocked

Cheers

Luk

