[1967] in linux-security and linux-alert archive


[linux-security] Re: shadow-971001

daemon@ATHENA.MIT.EDU (M Taylor)
Sun Jul 12 03:31:53 1998

Date: Sat, 11 Jul 1998 21:08:17 -0300
To: High Tide <hightide@ginch.org>
From: M Taylor <mctaylor@mta.ca>
Cc: linux-security@redhat.com
In-Reply-To: <Pine.NEB.3.94.980710174906.15562L-100000@xanadu.commix.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

At 06:02 PM 7/10/98 -0500, you wrote:
>I think I may have found a security weakness w/ login in shadow-971001.  I
>can't imagine this being a large problem if no one has run into it yet,
>but I know that's not the way to run security.
>...
>I apologize for being out of coding long enough to put together a patch
>and contact the _right_ people beforehand (I'm getting back though),
>however if this does in fact need to be patched, it should be as simple as
>what's done in su.c from the same package:
>...

Did you inform the shadow package maintainer? 

If you have the source, or even the docs, this shouldn't be much of a
problem: an email address should be included, and a simple CC would suffice.

Please, everyone, if you have an issue with a package, inform:
a) the original author
or
b) the Linux 'port' maintainer, if not already a.
or
c) both, if it might affect multiple platforms.

In fact, I think it was the maintainer of the shadow package who complained
that vendors or users (don't remember) were producing their own patches,
yet not informing him of the risk or the patch.

If it is the package I think it is then:
Author:         jfh@tab.com (Julianne F. Haugh)
Maintained-by:  marekm@piast.t19.ds.pwr.wroc.pl (Marek Michalkiewicz)
(according to http://sunsite.unc.edu/pub/Linux/system/admin/shadow.lsm)

Current version appears to be 980628 first off...

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
