Hi Chris, [not authoritative answer, as not part of the release team]
Thanks a lot for preparing an update for CVE fixes.

On Sat, Apr 05, 2025 at 05:22:41PM +0200, Chris Hofstaedtler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: sha...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:shadow
>
> [ Reason ]
>
> Fixes two security issues, long fixed in unstable.
>
> CVE-2023-4641 and CVE-2023-29383
>
> [ Impact ]
>
> gpasswd and chfn utilities are the targets of the fixes.
>
> [ Tests ]
>
> For CVE-2023-29383 I've performed a manual test showing that the issue
> is fixed. For CVE-2023-4641 I'm not sure how to trigger that.
>
> [ Risks ]
>
> Both CVEs have upstream fixes, which got cherry-picked into unstable in
> 1:4.13+dfsg1-2 and 1:4.13+dfsg1-3. The patches are not very long.
>
>
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> Two patches to fix the security issues and a regression fix for the
> second fix are cherry picked from upstream. We had these in
> 1:4.13+dfsg1-3 for a long time.
>
> I've also updated the Uploaders: field to match unstable.
>
> [ Other info ]
>
> Nothing I'm aware of.
> diff -Nru shadow-4.13+dfsg1/debian/changelog > shadow-4.13+dfsg1/debian/changelog > --- shadow-4.13+dfsg1/debian/changelog 2022-11-11 09:28:15.000000000 > +0100 > +++ shadow-4.13+dfsg1/debian/changelog 2025-04-05 17:02:05.000000000 > +0200 > @@ -1,3 +1,17 @@ > +shadow (1:4.13+dfsg1-2) bookworm; urgency=medium

I think you will need to pick up 1:4.13+dfsg1-1+deb12u1 instead.

Regards,
Salvatore
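
Review bot: the new entry at the top of the debian/changelog hunk uses version 1:4.13+dfsg1-2 with the bookworm distribution, but the request itself says 1:4.13+dfsg1-2 is the unstable upload that first carried these cherry-picks, so the stable update would reuse a version number that is already taken. Give the entry a stable-update version that sorts below the unstable one, for example 1:4.13+dfsg1-1+deb12u1, and leave the distribution as bookworm. The hunk header (-1,3 +1,17) announces 14 added lines but only the first is visible in this excerpt, so whether the entry names CVE-2023-4641 and CVE-2023-29383 cannot be checked here; the changelog text should list both.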