RHSA-2007:0276 - Security Advisory
Low: shadow-utils security and bug fix update
Security Advisory: Low
Updated shadow-utils packages that fix a security issue and various bugs
are now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
The shadow-utils package includes the necessary programs for converting
UNIX password files to the shadow password format, as well as programs for
managing user and group accounts.
A flaw was found in the useradd tool in shadow-utils. A new user's
mailbox, when created, could have random permissions for a short period.
This could allow a local attacker to read or modify the mailbox.
This update also fixes the following bugs:
- The shadow-utils debuginfo package was empty.
- faillog was unusable on 64-bit systems. It checked every UID from 0 to
the max UID, which was an excessively large number on 64-bit systems.
- There was a typo in the login.defs file.
All users of shadow-utils are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues.
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
- BZ - 176951 - shadow-utils-debuginfo is empty
- BZ - 177017 - faillog doesn't handle large UIDs well
- BZ - 188263 - typo in /etc/login.defs
- BZ - 193053 - CVE-2006-1174 shadow-utils mailbox creation race condition