- Issued: 2007-06-11
- Updated: 2007-06-11
RHSA-2007:0431 - Security Advisory
Synopsis
Low: shadow-utils security and bug fix update
Type/Severity
Security Advisory: Low
Topic
An updated shadow-utils package that fixes a security issue and several
bugs is now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Description
The shadow-utils package includes the necessary programs for converting
UNIX password files to the shadow password format, as well as programs
for managing user and group accounts.
A flaw was found in the useradd tool in shadow-utils. A new user's
mailbox, when created, could have random permissions for a short period.
This could allow a local attacker to read or modify the mailbox.
(CVE-2006-1174)
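The following is an added example, not Red Hat's patch and not shadow-utils code. It shows one way to create a mailbox file so that it is never accessible with loose permissions: create it exclusively with mode 0, set ownership on the open descriptor, and only then apply the final mode. The function name `create_mailbox`, the reporting parameter `mode_at_creation` and the final mode 0660 are assumptions made for the example.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not shadow-utils code).
 * Creates `path` owned by uid:gid with permissions `final_mode`.
 * If mode_at_creation is non-NULL it receives the permission bits the file
 * had right after creation, i.e. during the window before fchmod().
 * Returns 0 on success, -1 on error. */
int create_mailbox(const char *path, uid_t uid, gid_t gid, mode_t final_mode,
                   mode_t *mode_at_creation)
{
    struct stat st;
    /* O_CREAT|O_EXCL fails if anything, including a symlink, already exists
     * at `path`. The explicit mode 0 matters: open() with O_CREAT needs a
     * mode argument, and omitting it leaves the permission bits undefined. */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0);
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) != 0)
        goto fail;
    if (mode_at_creation)
        *mode_at_creation = st.st_mode & 07777;

    /* Work on the descriptor, not the path, so the file cannot be swapped. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, final_mode) != 0)
        goto fail;
    if (close(fd) != 0) {
        unlink(path);
        return -1;
    }
    return 0;

fail:
    close(fd);
    unlink(path);   /* never leave a half-configured mailbox behind */
    return -1;
}

int main(int argc, char **argv)
{
    /* Usage: ./mkmbox /path/to/new/mailbox (owned by the invoking user) */
    if (argc != 2)
        return 2;
    return create_mailbox(argv[1], geteuid(), getegid(), 0660, NULL) ? 1 : 0;
}
```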
This update also fixes the following bugs:
- shadow-utils debuginfo package was empty.
- chage.1 and chage -l gave incorrect information about sp_inact.
All users of shadow-utils are advised to upgrade to this updated
package, which contains backported patches to resolve these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
Affected Products
- Red Hat Enterprise Linux Server 3 x86_64
- Red Hat Enterprise Linux Server 3 ia64
- Red Hat Enterprise Linux Server 3 i386
- Red Hat Enterprise Linux Workstation 3 x86_64
- Red Hat Enterprise Linux Workstation 3 ia64
- Red Hat Enterprise Linux Workstation 3 i386
- Red Hat Enterprise Linux Desktop 3 x86_64
- Red Hat Enterprise Linux Desktop 3 i386
- Red Hat Enterprise Linux for IBM z Systems 3 s390x
- Red Hat Enterprise Linux for IBM z Systems 3 s390
- Red Hat Enterprise Linux for Power, big endian 3 ppc
Fixes
- BZ - 176949 - shadow-utils-debuginfo is empty
- BZ - 216635 - chage does not show the Account Expires if its shadow field is 0.
- BZ - 229194 - CVE-2006-1174 shadow-utils mailbox creation race condition
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.