| Release | Version |
|---|---|
| buster | 1:4.5-1.1 |
| bullseye | 1:4.8.1-1 |
| bookworm | 1:4.13+dfsg1-1 |
| trixie | 1:4.13+dfsg1-3 |
| sid | 1:4.13+dfsg1-3 |
| Bug | buster | bullseye | bookworm | trixie | sid | Description |
|---|---|---|---|---|---|---|
| CVE-2023-29383 | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | In Shadow 4.13, it is possible to inject control characters into field ... |
| CVE-2023-4641 | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable (no DSA) | fixed | fixed | gpasswd(1) password leak |
| CVE-2018-7169 | vulnerable (no DSA) | fixed | fixed | fixed | fixed | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is ... |
| Bug | buster | bullseye | bookworm | trixie | sid | Description |
|---|---|---|---|---|---|---|
| TEMP-0628843-DBAD28 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | more related to CVE-2005-4890 |
| CVE-2019-19882 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch L ... |
| CVE-2013-4235 | vulnerable | vulnerable | fixed | fixed | fixed | shadow: TOCTOU (time-of-check time-of-use) race condition when copying ... |
| CVE-2007-5686 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ... |
| Bug | Description |
|---|---|
| TEMP-0000000-6F6CD4 | Insecure mailbox generation in passwd's useradd |
| CVE-2018-16588 | Privilege escalation can occur in the SUSE useradd.c code in useradd, ... |
| CVE-2017-20002 | The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists ... |
| CVE-2017-12424 | In shadow before 4.5, the newusers tool could be made to manipulate in ... |
| CVE-2017-2616 | A race condition was found in util-linux before 2.32.1 in the way su h ... |
| CVE-2016-6252 | Integer overflow in shadow 4.2.1 allows local users to gain privileges ... |
| CVE-2011-0721 | Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in sh ... |
| CVE-2008-5394 | /bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other ... |
| CVE-2006-3597 | passwd before 1:4.0.13 on Ubuntu 6.06 LTS leaves the root password bla ... |
| CVE-2006-3378 | passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called ... |
| CVE-2006-1844 | The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.5 ... |
| CVE-2006-1376 | The installation of Debian GNU/Linux 3.1r1 from the network install CD ... |
| CVE-2006-1183 | The Ubuntu 5.10 installer does not properly clear passwords from the i ... |
| CVE-2006-1174 | useradd in shadow-utils before 4.0.3, and possibly other versions befo ... |
| CVE-2005-4890 | There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo ... |
| CVE-2004-1001 | Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, ... |
| CVE-2002-1594 | Buffer overflow in (1) grpck and (2) pwck, if installed setuid on a sy ... |
| DSA / DLA | Description |
|---|---|
| DLA-2596-1 | shadow - security update |
| DSA-3793-2 | shadow - regression update |
| DLA-838-1 | shadow - security update |
| DSA-3793-1 | shadow - security update |
| DSA-2164-1 | shadow - missing input sanitization |
| DSA-1709-1 | shadow - privilege escalation |
| DSA-1150-1 | shadow - programming error |
| DSA-585-1 | shadow - programming error |