Quoting Christian Perrier ([EMAIL PROTECTED]):
> shadow 4.0.3-30.5 just hit sid yesterday.

And should certainly NOT be hinted for sarge.

> -The chpasswd code was changed to allow MD5 encoding of generated
> passwords. chpasswd is a utility for changing user passwords in batch
> mode, from an input file with clear text or encrypted passwords
> In former versions, chpasswd could only generate DES-encrypted
> passwords which could confuse users with MD5 encryption for passwords
>
> The code for adding this was contributed by Ian Gulliver and reviewed
> both by upstream and Sam Hartman
>
> The security team was kept informed of the issue even if this is not
> considered as a security issue, strictly speaking

I unfortunately made the mistake of incorporating the changes made by *upstream* after he saw Ian Gulliver's patch. This was *wrong*: I should have used Ian Gulliver's patch as is.

As a consequence, chpasswd is completely broken in shadow 4.0.3-30.5, which makes the package definitely out of release quality. The relevant bug has been reopened (it is not a RC bug...but very close to it).

I have already prepared a 4.0.3-30.6 version with a fixed chpasswd binary (far more tested at the price of yet another too short night) and will upload it today.

chpasswd is not a critical utility, for sure, when compared to other programs in shadow, but we certainly cannot release with it being broken as it is in 4.0.3-30.5.

Another mail will soon try to make a status update about shadow...

