SUSE-RU-2026:1228-1
Vulnerability from csaf_suse - Published: 2026-04-09 08:27 - Updated: 2026-04-09 08:27Summary
Recommended update for shadow
Severity
Important
Notes
Title of the patch: Recommended update for shadow
Description of the patch: This update for shadow fixes the following issues:
shadow is updated to 4.17.2 to bring lots of features and bug fixes.
- util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST. Recognize
it and update dependencies.
- Set SYS_{UID,GID}_MIN to 201:
After repeated similar requests to change the ID ranges we set the
above mentioned value to 201. The max value will stay at 499.
This range should be sufficient and will give us leeway for the
future.
It's not straightforward to find out which static UIDs/GIDs are
used in all packages.
Update to 4.17.2:
* src/login_nopam.c: Fix compiler warnings #1170
* lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169
* Use HTTPS in link to Wikipedia article on password strength #1164
* lib/attr.h: use C23 attributes only with gcc >= 10 #1172
* login: Fix no-pam authorization regression #1174
* man: Add Portuguese translation #1178
* Update French translation #1177
* Add cheap defense mechanisms #1171
* Add Romanian translation #1176
Update to 4.17.1:
* Fix `su -` regression #1163
Update to 4.17.0:
* Fix the lower part of the domain of csrand_uniform()
* Fix use of volatile pointer
* Use str2[u]l() instead of atoi(3)
* Use a2i() in various places
* Fix const correctness
* Use uid_t for holding UIDs (and GIDs)
* Move all sprintf(3)-like APIs to a subdirectory
* Move all copying APIs to a subdirectory
* Fix forever loop on ENOMEM
* Fix REALLOC() nmemb calculation
* Remove id(1)
* Remove groups(1)
* Use local time for human-readable dates
* Use %F instead of %Y-%m-%d with strftime(3)
* is_valid{user,group}_name(): Set errno to distinguish the reasons
* Recommend --badname only if it is useful
* Add fmkomstemp() to fix mode of /etc/default/useradd
* Fix use-after-free bug in sgetgrent()
* Update Catalan translation
* Remove references to cppw, cpgr
* groupadd, groupmod: Update gshadow file with -U
* Added option -a for listing active users only, optimized using if aflg,return
* Added information in lastlog man page for new option '-a'
* Plenty of code cleanup and clarifications
- Disable flushing sssd caches. The sssd's files provider is no
longer available.
Update to 4.16.0:
* The shadow implementations of id(1) and groups(1) are deprecated
in favor of the GNU coreutils and binutils versions.
They will be removed in 4.17.0.
* The rlogind implementation has been removed.
* The libsubid major version has been bumped, since it now requires
specification of the module's free() implementation.
Update to 4.15.1:
* Fix a bug that caused spurious error messages about unknown
login.defs configuration options #967
* Adding checks for fd omission #964
* Use temporary stat buffer #974
* Fix wrong french translation #975
Update to 4.15.0
* libshadow:
+ Use utmpx instead of utmp. This fixes a regression introduced
in 4.14.0.
+ Fix build error (parameter name omitted).
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
+ Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
+ Fix build with musl libc.
+ Support out of tree builds
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
Update to 4.14.6:
* login(1):
+ Fix off-by-one bugs.
* passwd(1):
+ Don't silently truncate passwords of length >= 200 characters.
Instead, accept a length of PASS_MAX, and reject longer ones.
* libshadow:
+ Fix calculation in strtoday(), which caused a wrong half-day
offset in some cases (bsc#1176006)
+ Fix parsing of dates in get_date() (bsc#1176006)
+ Use utmpx instead of utmp. This fixes a regression introduced in
4.14.0.
Update to 4.14.5:
* Build system:
+ Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
been deleted from a Makefile variable, but it should have been
chpasswd.
Update to 4.14.4:
* Build system:
+ Link correctly with libdl.
+ Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
* libshadow:
+ Fix build error (parameter name omitted).
+ Fix off-by-one bug.
+ Remove warning.
Update to 4.14.3:
* libshadow: Avoid null pointer dereference (#904)
* Remove pam_keyinit from PAM configuration. (bsc#1199026 bsc#1203823)
This was introduced for bsc#1144060.
Update to 4.14.2:
* libshadow:
+ Fix build with musl libc.
+ Avoid NULL dereference.
+ Update utmp at an initial login
* useradd(8):
+ Set proper SELinux labels for def_usrtemplate
* Manual:
+ Document --prefix in chage(1), chpasswd(8), and passwd(1)
Update to 4.14.1:
Build system: Merge libshadow and libmisc into a single libshadow.
This fixes problems in the linker, which were reported at least
in Gentoo. #791
- Set proper SELinux labels for new homedirs.
Update to 4.14.0:
* configure: add with-libbsd option
* Code cleanup
* Replace utmp interface #757
* new option enable-logind #674
* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh
* chsh: warn if root sets a shell not listed in /etc/shells #535
* newgrp: fix potential string injection
* lastlog: fix alignment of Latest header
* Fix yescrypt support #748
* chgpasswd: Fix segfault in command-line options
* gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)
* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)
* usermod: fix off-by-one issues #701
* ch(g)passwd: Check selinux permissions upon startup #675
* sub_[ug]id_{add,remove}: fix return values
* chsh: Verify that login shell path is absolute #730
* process_prefix_flag: Drop privileges
* run_parts for groupadd and groupdel #706
* newgrp/useradd: always set SIGCHLD to default
* useradd/usermod: add --selinux-range argument #698
* sssd: skip flushing if executable does not exist #699
* semanage: Do not set default SELinux range #676
* Add control character check #687
* usermod: respect --prefix for --gid option
* Fix null dereference in basename
* newuidmap and newgidmap: support passing pid as fd
* Prevent out of boundary access #633
* Explicitly override only newlines #633
* Correctly handle illegal system file in tz #633
* Supporting vendor given -shells- configuration file #599
* Warn if failed to read existing /etc/nsswitch.conf
* chfn: new_fields: fix wrong fields printed
* Allow supplementary groups to be added via config file #586
* useradd: check if subid range exists for user #592 (rh#2012929)
- Rename lastlog to lastlog.legacy to be able to switch to
Y2038 safe lastlog2 as default [jsc#PED-3144]
- bsc#1205502: Fix useradd audit event logging of ID field
Update to 4.13:
* useradd.8: fix default group ID
* Revert drop of subid_init()
* Georgian translation
* useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog
* relax username restrictions
* selinux: check MLS enabled before setting serange
* copy_tree: use fchmodat instead of chmod
* copy_tree: don't block on FIFOs
* add shell linter
* copy_tree: carefully treat permissions
* lib/commonio: make lock failures more detailed
* lib: use strzero and memzero where applicable
* Update Dutch translation
* Don't test for NULL before calling free
* Use libc MAX() and MIN()
* chage: Fix regression in print_date
* usermod: report error if homedir does not exist
* libmisc: minimum id check for system accounts
* fix usermod -rG x y wrongly adding a group
* man: add missing space in useradd.8.xml
* lastlog: check for localtime() return value
* Raise limit for passwd and shadow entry length
* Remove adduser-old.c
* useradd: Fix buffer overflow when using a prefix
* Don't warn when failed to open /etc/nsswitch.conf
Update to 4.12.3:
Revert removal of subid_init, which should have bumped soname.
So note that 4.12 through 4.12.2 were broken for subid users.
Update to 4.12.2:
* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]
Update to 4.12.1:
* Fix uk manpages
Update to 4.12:
* Add absolute path hint to --root
* Various cleanups
* Fix Ubuntu release used in CI tests
* add -F options to userad
* useradd manpage updates
* Check for ownerid (not just username) in subid ranges
* Declare file local functions static
* Use strict prototypes
* Do not drop const qualifier for Basename
* Constify various pointers
* Don't return uninitialized memory
* Don't let compiler optimize away memory cleaning
* Remove many obsolete compatibility checks and defines
* Modify ID range check in useradd
* Use 'extern 'C'' to make libsubid easier to use from C++
* French translation updates
* Fix s/with-pam/with-libpam/
* Spanish translation updates
* French translation fixes
* Default max group name length to 32
* Fix PAM service files without-selinux
* Improve manpages
- groupadd, useradd, usermod
- groups and id
- pwck
* Fix condition under which pw_dir check happens
* logoutd: switch to strncat
* AUTHORS: improve markdown output
* Handle ERANGE errors correctly
* Check for fopen NULL return
* Split get_salt() into its own fn juyin)
* Get salt before chroot to ensure /dev/urandom.
* Chpasswd code cleanup
* Work around git safe.directory enforcement
* Alphabetize order in usermod help
* Erase password copy on error branches
* Suggest using --badname if needed
* Update translation files
* Correct badnames option to badname
* configure: replace obsolete autoconf macros
* tests: replace egrep with grep -E
* Update Ukrainian translations
* Cleanups
- Remove redeclared variable
- Remove commented out code and FIXMEs
- Add header guards
- Initialize local variables
* CI updates
- Create github workflow to install dependencies
- Enable CodeQL
- Update actions version
* libmisc: use /dev/urandom as fallback if other methods fail
Provide /etc/login.defs.d on SLE15 since we support and use it
Update to 4.11.1:
* build: include lib/shadowlog_internal.h in dist tarballs
Update to 4.11:
* Handle possible TOCTTOU issues in usermod/userdel
- (CVE-2013-4235)
- Use O_NOFOLLOW when copying file
- Kill all user tasks in userdel
* Fix useradd -D segfault
* Clean up obsolete libc feature-check ifdefs
* Fix -fno-common build breaks due to duplicate Prog declarations
* Have single date_to_str definition
* Fix libsubid SONAME version
* Clarify licensing info, use SPDX.
Update to 4.10:
* From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su
rom util-linux
* libsubid fixes
* Rename the test program list_subid_ranges to getsubids, write
a manpage, so distros can ship it.
* Add libeconf dep for new*idmap
* Allow all group types with usermod -G
* Avoid useradd generating empty subid range
* Handle NULL pw_passwd
* Fix default value SHA_get_salt_rounds
* Use https where possible in README
* Update content and format of README
* Translation updates
* Switch from xml2po to itstool in 'make dist'
* Fix double frees
* Add LOG_INIT configurable to useradd
* Add CREATE_MAIL_SPOOL documentation
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM
* Fix wrong SELinux labels in several possible cases
* Fix missing chmod in chadowtb_move
* Handle malformed hushlogins entries
* Fix groupdel segv when passwd does not exist
* Fix covscan-found newgrp segfault
* Remove trailing slash on hoedir
* Fix passwd -l message - it does not change expirey
* Fix SIGCHLD handling bugs in su and vipw
* Remove special case for '' in usermod
* Implement usermod -rG to remove a specific group
* call pam_end() after fork in child path for su and login
* useradd: In absence of /etc/passwd, assume 0 == root
* lib: check NULL before freeing data
* Fix pwck segfault
- Really enable USERGROUPS_ENAB [bsc#1189139].
Added hardening to systemd service(s) (bsc#1181400).
* Add LOGIN_KEEP_USERNAME to login.defs.
* Remove PREVENT_NO_AUTH from login.defs. Only used by the
unpackaged login and su.
* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,
YESCRYPT_COST_FACTOR, not supported by the current
configuratiton.
* login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to
be compatible with other Linux distros and the other tools
creating user accounts in use on openSUSE. Set HOME_MODE to 700
for security reasons and compatibility. [bsc#1189139] [bsc#1182850]
Update to 4.9:
* Updated translations
* Major salt updates
* Various coverity and cleanup fixes
* Consistently use 0 to disable PASS_MIN_DAYS in man
* Implement NSS support for subids and a libsubid
* setfcap: retain setfcap when mapping uid 0
* login.defs: include HMAC_CRYPTO_ALGO key
* selinux fixes
* Fix path prefix path handling
* Manpage updates
* Treat an empty passwd field as invalid(Haelwenn Monnier)
* newxidmap: allow running under alternative gid
* usermod: check that shell is executable
* Add yescript support
* useradd memleak fixes
* useradd: use built-in settings by default
* getdefs: add foreign
* buffer overflow fixes
* Adding run-parts style for pre and post useradd/del
- login.defs/MOTD_FILE: Use '' instead of blank entry [bsc#1187536]
- Add /etc/login.defs.d directory
- Enable shadowgrp so that we can set more secure group passwords
using shadow.
- Disable MOTD_FILE to allow the use of pam_motd to unify motd
message output [bsc#1185897]. Else motd entries of e.g. cockpit
will not be shown.
Patchnames: SUSE-2026-1228,SUSE-SLE-Module-Basesystem-15-SP7-2026-1228,openSUSE-SLE-15.6-2026-1228
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.7 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for shadow",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for shadow fixes the following issues:\n\nshadow is updated to 4.17.2 to bring lots of features and bug fixes.\n\n- util-linux-2.41 introduced new variable: LOGIN_ENV_SAFELIST. Recognize\n it and update dependencies.\n \n- Set SYS_{UID,GID}_MIN to 201:\n After repeated similar requests to change the ID ranges we set the\n above mentioned value to 201. The max value will stay at 499.\n This range should be sufficient and will give us leeway for the\n future.\n It\u0027s not straightforward to find out which static UIDs/GIDs are\n used in all packages.\n \n \nUpdate to 4.17.2:\n\n* src/login_nopam.c: Fix compiler warnings #1170\n* lib/chkname.c: Put limits for LOGIN_NAME_MAX and sysconf(_SC_LOGIN_NAME_MAX) #1169\n* Use HTTPS in link to Wikipedia article on password strength #1164\n* lib/attr.h: use C23 attributes only with gcc \u003e= 10 #1172\n* login: Fix no-pam authorization regression #1174\n* man: Add Portuguese translation #1178\n* Update French translation #1177\n* Add cheap defense mechanisms #1171\n* Add Romanian translation #1176\n\nUpdate to 4.17.1:\n\n* Fix `su -` regression #1163\n \nUpdate to 4.17.0:\n\n* Fix the lower part of the domain of csrand_uniform()\n* Fix use of volatile pointer\n* Use str2[u]l() instead of atoi(3)\n* Use a2i() in various places\n* Fix const correctness\n* Use uid_t for holding UIDs (and GIDs)\n* Move all sprintf(3)-like APIs to a subdirectory\n* Move all copying APIs to a subdirectory\n* Fix forever loop on ENOMEM\n* Fix REALLOC() nmemb calculation\n* Remove id(1)\n* Remove groups(1)\n* Use local time for human-readable dates\n* Use %F instead of %Y-%m-%d with strftime(3)\n* is_valid{user,group}_name(): Set errno to distinguish the reasons\n* Recommend --badname only if it is useful\n* Add fmkomstemp() to fix mode of /etc/default/useradd\n* Fix use-after-free bug in sgetgrent()\n* Update Catalan translation\n* Remove references to cppw, cpgr\n* groupadd, groupmod: Update gshadow file with -U\n* Added option -a for listing active users only, optimized using if aflg,return\n* Added information in lastlog man page for new option \u0027-a\u0027\n* Plenty of code cleanup and clarifications\n\n- Disable flushing sssd caches. The sssd\u0027s files provider is no\n longer available.\n\nUpdate to 4.16.0:\n\n* The shadow implementations of id(1) and groups(1) are deprecated\n in favor of the GNU coreutils and binutils versions.\n They will be removed in 4.17.0.\n* The rlogind implementation has been removed.\n* The libsubid major version has been bumped, since it now requires\n specification of the module\u0027s free() implementation.\n\nUpdate to 4.15.1:\n\n* Fix a bug that caused spurious error messages about unknown\n login.defs configuration options #967\n* Adding checks for fd omission #964\n* Use temporary stat buffer #974\n* Fix wrong french translation #975\n\nUpdate to 4.15.0\n\n* libshadow:\n + Use utmpx instead of utmp. This fixes a regression introduced\n in 4.14.0.\n + Fix build error (parameter name omitted).\n* Build system:\n + Link correctly with libdl.\n + Install pam configs for chpasswd(8) and newusers(8) when using\n ./configure --with-libpam --disable-account-tools-setuid.\n + Merge libshadow and libmisc into a single libshadow. This fixes\n problems in the linker, which were reported at least in Gentoo.\n + Fix build with musl libc.\n + Support out of tree builds\n* useradd(8):\n + Set proper SELinux labels for def_usrtemplate\n\nUpdate to 4.14.6:\n\n* login(1):\n + Fix off-by-one bugs.\n* passwd(1):\n + Don\u0027t silently truncate passwords of length \u003e= 200 characters.\n Instead, accept a length of PASS_MAX, and reject longer ones.\n* libshadow:\n + Fix calculation in strtoday(), which caused a wrong half-day\n offset in some cases (bsc#1176006)\n + Fix parsing of dates in get_date() (bsc#1176006)\n + Use utmpx instead of utmp. This fixes a regression introduced in\n 4.14.0.\n\nUpdate to 4.14.5:\n\n* Build system:\n + Fix regression introduced in 4.14.4, due to a typo. chgpasswd had\n been deleted from a Makefile variable, but it should have been\n chpasswd.\n\nUpdate to 4.14.4:\n\n* Build system:\n + Link correctly with libdl.\n + Install pam configs for chpasswd(8) and newusers(8) when using\n ./configure --with-libpam --disable-account-tools-setuid.\n* libshadow:\n + Fix build error (parameter name omitted).\n + Fix off-by-one bug.\n + Remove warning.\n\nUpdate to 4.14.3:\n\n* libshadow: Avoid null pointer dereference (#904)\n\n* Remove pam_keyinit from PAM configuration. (bsc#1199026 bsc#1203823)\n This was introduced for bsc#1144060.\n\nUpdate to 4.14.2:\n\n\n* libshadow:\n\n + Fix build with musl libc.\n + Avoid NULL dereference.\n + Update utmp at an initial login\n\n* useradd(8):\n\n + Set proper SELinux labels for def_usrtemplate\n\n* Manual:\n\n + Document --prefix in chage(1), chpasswd(8), and passwd(1)\n\nUpdate to 4.14.1:\n\n Build system: Merge libshadow and libmisc into a single libshadow.\n This fixes problems in the linker, which were reported at least\n in Gentoo. #791\n\n- Set proper SELinux labels for new homedirs.\n\nUpdate to 4.14.0:\n\n* configure: add with-libbsd option\n* Code cleanup\n* Replace utmp interface #757 \n* new option enable-logind #674\n* shadow userdel: add the adaptation to the busybox ps in 01-kill_user_procs.sh\n* chsh: warn if root sets a shell not listed in /etc/shells #535\n* newgrp: fix potential string injection\n* lastlog: fix alignment of Latest header\n* Fix yescrypt support #748\n* chgpasswd: Fix segfault in command-line options\n* gpasswd: Fix password leak (bsc#1214806, CVE-2023-4641)\n* Add --prefix to passwd, chpasswd and chage #714 (bsc#1206627)\n* usermod: fix off-by-one issues #701\n* ch(g)passwd: Check selinux permissions upon startup #675\n* sub_[ug]id_{add,remove}: fix return values\n* chsh: Verify that login shell path is absolute #730\n* process_prefix_flag: Drop privileges\n* run_parts for groupadd and groupdel #706\n* newgrp/useradd: always set SIGCHLD to default\n* useradd/usermod: add --selinux-range argument #698\n* sssd: skip flushing if executable does not exist #699\n* semanage: Do not set default SELinux range #676\n* Add control character check #687\n* usermod: respect --prefix for --gid option\n* Fix null dereference in basename\n* newuidmap and newgidmap: support passing pid as fd\n* Prevent out of boundary access #633\n* Explicitly override only newlines #633\n* Correctly handle illegal system file in tz #633\n* Supporting vendor given -shells- configuration file #599\n* Warn if failed to read existing /etc/nsswitch.conf\n* chfn: new_fields: fix wrong fields printed\n* Allow supplementary groups to be added via config file #586\n* useradd: check if subid range exists for user #592 (rh#2012929)\n\n- Rename lastlog to lastlog.legacy to be able to switch to\n Y2038 safe lastlog2 as default [jsc#PED-3144]\n\n- bsc#1205502: Fix useradd audit event logging of ID field\n\nUpdate to 4.13:\n\n* useradd.8: fix default group ID\n* Revert drop of subid_init()\n* Georgian translation\n* useradd: Avoid taking unneeded space: do not reset non-existent data in lastlog\n* relax username restrictions\n* selinux: check MLS enabled before setting serange\n* copy_tree: use fchmodat instead of chmod\n* copy_tree: don\u0027t block on FIFOs\n* add shell linter\n* copy_tree: carefully treat permissions\n* lib/commonio: make lock failures more detailed\n* lib: use strzero and memzero where applicable\n* Update Dutch translation\n* Don\u0027t test for NULL before calling free\n* Use libc MAX() and MIN()\n* chage: Fix regression in print_date\n* usermod: report error if homedir does not exist\n* libmisc: minimum id check for system accounts\n* fix usermod -rG x y wrongly adding a group\n* man: add missing space in useradd.8.xml\n* lastlog: check for localtime() return value\n* Raise limit for passwd and shadow entry length\n* Remove adduser-old.c\n* useradd: Fix buffer overflow when using a prefix\n* Don\u0027t warn when failed to open /etc/nsswitch.conf\n\nUpdate to 4.12.3:\n\nRevert removal of subid_init, which should have bumped soname.\nSo note that 4.12 through 4.12.2 were broken for subid users.\n\nUpdate to 4.12.2:\n\n* Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845]\n\nUpdate to 4.12.1:\n\n* Fix uk manpages\n\nUpdate to 4.12:\n\n* Add absolute path hint to --root\n* Various cleanups\n* Fix Ubuntu release used in CI tests\n* add -F options to userad\n* useradd manpage updates\n* Check for ownerid (not just username) in subid ranges\n* Declare file local functions static\n* Use strict prototypes\n* Do not drop const qualifier for Basename\n* Constify various pointers\n* Don\u0027t return uninitialized memory\n* Don\u0027t let compiler optimize away memory cleaning\n* Remove many obsolete compatibility checks and defines\n* Modify ID range check in useradd\n* Use \u0027extern \u0027C\u0027\u0027 to make libsubid easier to use from C++\n* French translation updates\n* Fix s/with-pam/with-libpam/\n* Spanish translation updates\n* French translation fixes\n* Default max group name length to 32\n* Fix PAM service files without-selinux\n* Improve manpages\n - groupadd, useradd, usermod\n - groups and id\n - pwck\n* Fix condition under which pw_dir check happens\n* logoutd: switch to strncat\n* AUTHORS: improve markdown output\n* Handle ERANGE errors correctly\n* Check for fopen NULL return\n* Split get_salt() into its own fn juyin)\n* Get salt before chroot to ensure /dev/urandom.\n* Chpasswd code cleanup\n* Work around git safe.directory enforcement\n* Alphabetize order in usermod help\n* Erase password copy on error branches\n* Suggest using --badname if needed\n* Update translation files\n* Correct badnames option to badname\n* configure: replace obsolete autoconf macros\n* tests: replace egrep with grep -E\n* Update Ukrainian translations\n* Cleanups\n - Remove redeclared variable\n - Remove commented out code and FIXMEs\n - Add header guards\n - Initialize local variables\n* CI updates\n - Create github workflow to install dependencies\n - Enable CodeQL\n - Update actions version\n* libmisc: use /dev/urandom as fallback if other methods fail\n\nProvide /etc/login.defs.d on SLE15 since we support and use it\n\nUpdate to 4.11.1:\n\n* build: include lib/shadowlog_internal.h in dist tarballs\n\nUpdate to 4.11:\n* Handle possible TOCTTOU issues in usermod/userdel\n\t- (CVE-2013-4235)\n\t- Use O_NOFOLLOW when copying file\n\t- Kill all user tasks in userdel\n* Fix useradd -D segfault\n* Clean up obsolete libc feature-check ifdefs\n* Fix -fno-common build breaks due to duplicate Prog declarations\n* Have single date_to_str definition\n* Fix libsubid SONAME version\n* Clarify licensing info, use SPDX.\n\nUpdate to 4.10:\n\n* From this release forward, su from this package should be\n considered deprecated. Please replace any users of it with su\nrom util-linux\n* libsubid fixes\n* Rename the test program list_subid_ranges to getsubids, write\n a manpage, so distros can ship it.\n* Add libeconf dep for new*idmap\n* Allow all group types with usermod -G\n* Avoid useradd generating empty subid range\n* Handle NULL pw_passwd\n* Fix default value SHA_get_salt_rounds\n* Use https where possible in README\n* Update content and format of README\n* Translation updates\n* Switch from xml2po to itstool in \u0027make dist\u0027\n* Fix double frees\n* Add LOG_INIT configurable to useradd\n* Add CREATE_MAIL_SPOOL documentation\n* Create a security.md\n* Fix su never being SIGKILLd when trapping TERM\n* Fix wrong SELinux labels in several possible cases\n* Fix missing chmod in chadowtb_move\n* Handle malformed hushlogins entries\n* Fix groupdel segv when passwd does not exist\n* Fix covscan-found newgrp segfault\n* Remove trailing slash on hoedir\n* Fix passwd -l message - it does not change expirey\n* Fix SIGCHLD handling bugs in su and vipw\n* Remove special case for \u0027\u0027 in usermod\n* Implement usermod -rG to remove a specific group\n* call pam_end() after fork in child path for su and login\n* useradd: In absence of /etc/passwd, assume 0 == root\n* lib: check NULL before freeing data\n* Fix pwck segfault\n\n- Really enable USERGROUPS_ENAB [bsc#1189139].\n\nAdded hardening to systemd service(s) (bsc#1181400).\n* Add LOGIN_KEEP_USERNAME to login.defs.\n\n* Remove PREVENT_NO_AUTH from login.defs. Only used by the\n unpackaged login and su.\n\n* Remove variables BCRYPT_MIN_ROUNDS, BCRYPT_MAX_ROUNDS,\n YESCRYPT_COST_FACTOR, not supported by the current\n configuratiton.\n\n* login.defs: Enable USERGROUPS_ENAB and CREATE_HOME to\n be compatible with other Linux distros and the other tools\n creating user accounts in use on openSUSE. Set HOME_MODE to 700\n for security reasons and compatibility. [bsc#1189139] [bsc#1182850]\n\nUpdate to 4.9:\n\n* Updated translations\n* Major salt updates\n* Various coverity and cleanup fixes\n* Consistently use 0 to disable PASS_MIN_DAYS in man\n* Implement NSS support for subids and a libsubid\n* setfcap: retain setfcap when mapping uid 0\n* login.defs: include HMAC_CRYPTO_ALGO key\n* selinux fixes\n* Fix path prefix path handling\n* Manpage updates\n* Treat an empty passwd field as invalid(Haelwenn Monnier)\n* newxidmap: allow running under alternative gid\n* usermod: check that shell is executable\n* Add yescript support\n* useradd memleak fixes\n* useradd: use built-in settings by default\n* getdefs: add foreign\n* buffer overflow fixes\n* Adding run-parts style for pre and post useradd/del\n\n- login.defs/MOTD_FILE: Use \u0027\u0027 instead of blank entry [bsc#1187536]\n- Add /etc/login.defs.d directory\n\n- Enable shadowgrp so that we can set more secure group passwords\n using shadow.\n\n- Disable MOTD_FILE to allow the use of pam_motd to unify motd\n message output [bsc#1185897]. Else motd entries of e.g. cockpit\n will not be shown.\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1228,SUSE-SLE-Module-Basesystem-15-SP7-2026-1228,openSUSE-SLE-15.6-2026-1228",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2026_1228-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-RU-2026:1228-1",
"url": "https://www.suse.com/support/update/announcement//suse-ru-20261228-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-RU-2026:1228-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045360.html"
},
{
"category": "self",
"summary": "SUSE Bug 1144060",
"url": "https://bugzilla.suse.com/1144060"
},
{
"category": "self",
"summary": "SUSE Bug 1176006",
"url": "https://bugzilla.suse.com/1176006"
},
{
"category": "self",
"summary": "SUSE Bug 1181400",
"url": "https://bugzilla.suse.com/1181400"
},
{
"category": "self",
"summary": "SUSE Bug 1182850",
"url": "https://bugzilla.suse.com/1182850"
},
{
"category": "self",
"summary": "SUSE Bug 1185897",
"url": "https://bugzilla.suse.com/1185897"
},
{
"category": "self",
"summary": "SUSE Bug 1187536",
"url": "https://bugzilla.suse.com/1187536"
},
{
"category": "self",
"summary": "SUSE Bug 1189139",
"url": "https://bugzilla.suse.com/1189139"
},
{
"category": "self",
"summary": "SUSE Bug 1199026",
"url": "https://bugzilla.suse.com/1199026"
},
{
"category": "self",
"summary": "SUSE Bug 1203823",
"url": "https://bugzilla.suse.com/1203823"
},
{
"category": "self",
"summary": "SUSE Bug 1205502",
"url": "https://bugzilla.suse.com/1205502"
},
{
"category": "self",
"summary": "SUSE Bug 1206627",
"url": "https://bugzilla.suse.com/1206627"
},
{
"category": "self",
"summary": "SUSE Bug 1214806",
"url": "https://bugzilla.suse.com/1214806"
},
{
"category": "self",
"summary": "SUSE Bug 1246052",
"url": "https://bugzilla.suse.com/1246052"
},
{
"category": "self",
"summary": "SUSE Bug 916845",
"url": "https://bugzilla.suse.com/916845"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2013-4235 page",
"url": "https://www.suse.com/security/cve/CVE-2013-4235/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-4641 page",
"url": "https://www.suse.com/security/cve/CVE-2023-4641/"
}
],
"title": "Recommended update for shadow",
"tracking": {
"current_release_date": "2026-04-09T08:27:26Z",
"generator": {
"date": "2026-04-09T08:27:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-RU-2026:1228-1",
"initial_release_date": "2026-04-09T08:27:26Z",
"revision_history": [
{
"date": "2026-04-09T08:27:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"product": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"product_id": "libsubid-devel-4.17.2-150600.17.18.1.aarch64"
}
},
{
"category": "product_version",
"name": "libsubid5-4.17.2-150600.17.18.1.aarch64",
"product": {
"name": "libsubid5-4.17.2-150600.17.18.1.aarch64",
"product_id": "libsubid5-4.17.2-150600.17.18.1.aarch64"
}
},
{
"category": "product_version",
"name": "shadow-4.17.2-150600.17.18.1.aarch64",
"product": {
"name": "shadow-4.17.2-150600.17.18.1.aarch64",
"product_id": "shadow-4.17.2-150600.17.18.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libsubid-devel-4.17.2-150600.17.18.1.i586",
"product": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.i586",
"product_id": "libsubid-devel-4.17.2-150600.17.18.1.i586"
}
},
{
"category": "product_version",
"name": "libsubid5-4.17.2-150600.17.18.1.i586",
"product": {
"name": "libsubid5-4.17.2-150600.17.18.1.i586",
"product_id": "libsubid5-4.17.2-150600.17.18.1.i586"
}
},
{
"category": "product_version",
"name": "shadow-4.17.2-150600.17.18.1.i586",
"product": {
"name": "shadow-4.17.2-150600.17.18.1.i586",
"product_id": "shadow-4.17.2-150600.17.18.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "login_defs-4.17.2-150600.17.18.1.noarch",
"product": {
"name": "login_defs-4.17.2-150600.17.18.1.noarch",
"product_id": "login_defs-4.17.2-150600.17.18.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"product": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"product_id": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libsubid5-4.17.2-150600.17.18.1.ppc64le",
"product": {
"name": "libsubid5-4.17.2-150600.17.18.1.ppc64le",
"product_id": "libsubid5-4.17.2-150600.17.18.1.ppc64le"
}
},
{
"category": "product_version",
"name": "shadow-4.17.2-150600.17.18.1.ppc64le",
"product": {
"name": "shadow-4.17.2-150600.17.18.1.ppc64le",
"product_id": "shadow-4.17.2-150600.17.18.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "libsubid-devel-4.17.2-150600.17.18.1.s390x",
"product": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.s390x",
"product_id": "libsubid-devel-4.17.2-150600.17.18.1.s390x"
}
},
{
"category": "product_version",
"name": "libsubid5-4.17.2-150600.17.18.1.s390x",
"product": {
"name": "libsubid5-4.17.2-150600.17.18.1.s390x",
"product_id": "libsubid5-4.17.2-150600.17.18.1.s390x"
}
},
{
"category": "product_version",
"name": "shadow-4.17.2-150600.17.18.1.s390x",
"product": {
"name": "shadow-4.17.2-150600.17.18.1.s390x",
"product_id": "shadow-4.17.2-150600.17.18.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"product": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"product_id": "libsubid-devel-4.17.2-150600.17.18.1.x86_64"
}
},
{
"category": "product_version",
"name": "libsubid5-4.17.2-150600.17.18.1.x86_64",
"product": {
"name": "libsubid5-4.17.2-150600.17.18.1.x86_64",
"product_id": "libsubid5-4.17.2-150600.17.18.1.x86_64"
}
},
{
"category": "product_version",
"name": "shadow-4.17.2-150600.17.18.1.x86_64",
"product": {
"name": "shadow-4.17.2-150600.17.18.1.x86_64",
"product_id": "shadow-4.17.2-150600.17.18.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "login_defs-4.17.2-150600.17.18.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch"
},
"product_reference": "login_defs-4.17.2-150600.17.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid-devel-4.17.2-150600.17.18.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64"
},
"product_reference": "libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libsubid5-4.17.2-150600.17.18.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64"
},
"product_reference": "libsubid5-4.17.2-150600.17.18.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "login_defs-4.17.2-150600.17.18.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch"
},
"product_reference": "login_defs-4.17.2-150600.17.18.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "shadow-4.17.2-150600.17.18.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
},
"product_reference": "shadow-4.17.2-150600.17.18.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-4235",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2013-4235"
}
],
"notes": [
{
"category": "general",
"text": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2013-4235",
"url": "https://www.suse.com/security/cve/CVE-2013-4235"
},
{
"category": "external",
"summary": "SUSE Bug 916845 for CVE-2013-4235",
"url": "https://bugzilla.suse.com/916845"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-09T08:27:26Z",
"details": "moderate"
}
],
"title": "CVE-2013-4235"
},
{
"cve": "CVE-2023-4641",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-4641"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-4641",
"url": "https://www.suse.com/security/cve/CVE-2023-4641"
},
{
"category": "external",
"summary": "SUSE Bug 1214806 for CVE-2023-4641",
"url": "https://bugzilla.suse.com/1214806"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:libsubid5-4.17.2-150600.17.18.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:login_defs-4.17.2-150600.17.18.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:shadow-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid-devel-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:libsubid5-4.17.2-150600.17.18.1.x86_64",
"openSUSE Leap 15.6:login_defs-4.17.2-150600.17.18.1.noarch",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.aarch64",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.ppc64le",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.s390x",
"openSUSE Leap 15.6:shadow-4.17.2-150600.17.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-09T08:27:26Z",
"details": "low"
}
],
"title": "CVE-2023-4641"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…