oss-security - Re: util-linux 2.29.2 fixes CVE-2017-2616

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <CAK0OdpxiQO7Mt6TCSn-92D+nwnj3iJCwU4OTiuZ1=Kn5Rx_-xg@mail.gmail.com>
Date: Thu, 23 Feb 2017 17:31:42 +0100
From: Bálint Réczey <balint@...intreczey.hu>
To: oss-security@...ts.openwall.com
Subject: Re: util-linux 2.29.2 fixes CVE-2017-2616

Hi,

2017-02-23 17:08 GMT+01:00 Hanno Böck <hanno@...eck.de>:
> On Thu, 23 Feb 2017 07:56:51 -0500
> Assaf Gordon <assafgordon@...il.com> wrote:
>
>> GNU Coreutils stopped installing 'su' by default in 2007,
>> and completely removed 'su' (including the 'su.c' source file)
>> in 2012.
>
> That's good to know, so now there are only 2 competing versions of su
> instead of 3 in major packages :-)
>
> Anyone have a good idea who is using shadow vs. util-linux su? Do they
> have specific advantages/disadvantages, would it be reasonable to try
> to get all distros to use them same one?

In Debian we are looking into switching to util-linux from shadow for
commands provided by both packages:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833256

Cheers,
Balint

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.