Your message dated Wed, 07 Jan 2026 23:19:29 +0000
with message-id <[email protected]>
and subject line Bug#1124835: fixed in shadow 1:4.19.0-4
has caused the Debian Bug report #1124835,
regarding chpasswd hash check goes too far
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124835: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124835
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: passwd
Version: 1:4.19.0-2
Severity: important
File: /usr/sbin/chpasswd
Hi,
it has been for decades a method to disable an account while preserving
the password to prefix the password hash in /etc/shadow with !. This is
documented in shadow(5):
| encrypted password
| If the password field is empty, the user can log in without a
| password. However, some applications that read the /etc/shadow file
| might block access if the password field is empty.
|
| If the password field begins with an exclamation mark !, the
| password is locked. The remaining characters on the line represent
| the password field before the password was locked.
chpasswd in shadow 4.19.0 does not allow that any more:
| # echo "aust:\!foobar" | chpasswd --encrypted
| chpasswd: (line 1, user aust) invalid password hash
| chpasswd: error detected, changes ignored
I think this goes too far. Please consider revisiting this check.
(btw, this breaks adduser's future lock/unlock functionality.)
Greetings
Marc
-- System Information:
Debian Release: forky/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'oldstable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'),
(500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.17.13+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages passwd depends on:
ii base-passwd 3.6.8
ii libacl1 2.3.2-2+b1
ii libattr1 1:2.5.2-3
ii libaudit1 1:4.1.2-1+b1
ii libbsd0 0.12.2-2
ii libc6 2.42-7
ii libcrypt1 1:4.5.1-1
ii libpam-modules 1.7.0-5
ii libpam0g 1.7.0-5
ii libselinux1 3.9-4+b1
ii libsemanage2 3.9-1+b1
ii login.defs 1:4.18.0-2
Versions of packages passwd recommends:
ii sensible-utils 0.0.26
passwd suggests no packages.
-- no debconf information
--- End Message ---
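The distinction at issue in the report above, as an added example that is not taken from shadow or its upstream patches: a check that validates the whole password field rejects a locked entry, while a check that first strips the `!` lock marker described in shadow(5) still validates what follows it. The function names, the simplified hash-format rule and the sample fields are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct pw_field { bool empty, locked, hash_ok; };

/* Simplified format check (assumption for this example, not shadow's code):
 * "$id$rest" with a non-empty id and rest, using only crypt(3)-style bytes. */
static bool looks_like_crypt_hash(const char *s)
{
    static const char ok[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz$=,-";
    const char *second = (s[0] == '$') ? strchr(s + 1, '$') : NULL;

    if (second == NULL || second == s + 1 || second[1] == '\0')
        return false;
    return s[strspn(s, ok)] == '\0';
}

/* Over-strict check: validates the whole field, so "!<hash>" is rejected. */
static bool strict_accepts(const char *field)
{
    return looks_like_crypt_hash(field);
}

/* Lock-aware check: per shadow(5), a leading '!' marks the entry locked and
 * the remaining characters are the field as it was before locking. */
static struct pw_field classify(const char *field)
{
    struct pw_field r = { field[0] == '\0', field[0] == '!', false };

    r.hash_ok = looks_like_crypt_hash(field + (r.locked ? 1 : 0));
    return r;
}

int main(void)
{
    /* Constructed sample fields; the "$6$..." value is not a real hash. */
    const char *samples[] = { "", "$6$examplesalt$ConstructedValue0123",
                              "!$6$examplesalt$ConstructedValue0123", "!foobar" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pw_field r = classify(samples[i]);
        printf("%-40s strict=%d empty=%d locked=%d hash_ok=%d\n", samples[i],
               strict_accepts(samples[i]), r.empty, r.locked, r.hash_ok);
    }
    return 0;
}
```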
--- Begin Message ---
Source: shadow
Source-Version: 1:4.19.0-4
Done: Chris Hofstaedtler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Hofstaedtler <[email protected]> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 08 Jan 2026 00:01:00 +0100
Source: shadow
Architecture: source
Version: 1:4.19.0-4
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers <[email protected]>
Changed-By: Chris Hofstaedtler <[email protected]>
Closes: 1124835
Changes:
shadow (1:4.19.0-4) unstable; urgency=medium
.
* Import upstream patches to fix hash check (Closes: #1124835)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---