Executive Summary
Summary | |
---|---|
Title | New shadow packages fix unintended behaviour |
Informations | |||
---|---|---|---|
Name | DSA-585 | First vendor Publication | 2004-11-05 |
Vendor | Debian | Last vendor Modification | 2004-11-05 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A vulnerability has been discovered in the shadow suite which provides programs like chfn and chsh. It is possible for a user, who is logged in but has an expired password to alter his account information with chfn or chsh without having to change the password. The problem was originally thought to be more severe. For the stable distribution (woody) this problem has been fixed in version 20000902-12woody1. For the unstable distribution (sid) this problem has been fixed in version 4.0.3-30.3. We recommend that you upgrade your passwd package (from the shadow suite). |
Original Source
Url : http://www.debian.org/security/2004/dsa-585 |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2008-09-24 | Name : Gentoo Security Advisory GLSA 200411-09 (shadow) File : nvt/glsa_200411_09.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 585-1 (shadow) File : nvt/deb_585_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
11173 | Shadow chfn/chsh Arbitrary Account Property Modification Shadow chfn/chsh contain flaws that may allow a malicious user to modify their own account information. The issue is due to a validation error in the passwd_check() function in 'libmisc/pwdcheck.c'. It is possible that the flaw may allow unauthorized modifications to certain account properties such as full name or login shell, resulting in a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-17-1.nasl - Type : ACT_GATHER_INFO |
2004-11-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-585.nasl - Type : ACT_GATHER_INFO |
2004-11-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200411-09.nasl - Type : ACT_GATHER_INFO |
2004-11-05 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2004-126.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:33:34 |
|