Security update for shadow

Announcement ID:	SUSE-SU-2024:0939-1
Rating:	moderate
References:	bsc#1144060 bsc#1176006 bsc#1188307 bsc#1203823 bsc#1205502 bsc#1206627 bsc#1210507 bsc#1213189
Cross-References:	CVE-2023-29383
CVSS scores:	CVE-2023-29383 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-29383 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Products:	openSUSE Leap Micro 5.4 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro for Rancher 5.4

An update that solves one vulnerability and has seven security fixes can now be installed.

Description:

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

The following non-security bugs were fixed:

• bsc#1176006: Fix chage date miscalculation
• bsc#1188307: Fix passwd segfault
• bsc#1203823: Remove pam_keyinit from PAM config files
• bsc#1213189: Change lock mechanism to file locking to prevent lock files after power interruptions
• bsc#1206627: Add --prefix support to passwd, chpasswd and chage
• bsc#1205502: useradd audit event user id field cannot be interpretedd

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap Micro 5.4
  zypper in -t patch openSUSE-Leap-Micro-5.4-2024-939=1
• SUSE Linux Enterprise Micro for Rancher 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2024-939=1
• SUSE Linux Enterprise Micro 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2024-939=1

Package List:

• openSUSE Leap Micro 5.4 (noarch)
  • login_defs-4.8.1-150400.3.6.1
• openSUSE Leap Micro 5.4 (aarch64 s390x x86_64)
  • shadow-debuginfo-4.8.1-150400.3.6.1
  • shadow-4.8.1-150400.3.6.1
  • shadow-debugsource-4.8.1-150400.3.6.1
• SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
  • login_defs-4.8.1-150400.3.6.1
• SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
  • shadow-debuginfo-4.8.1-150400.3.6.1
  • shadow-4.8.1-150400.3.6.1
  • shadow-debugsource-4.8.1-150400.3.6.1
• SUSE Linux Enterprise Micro 5.4 (noarch)
  • login_defs-4.8.1-150400.3.6.1
• SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
  • shadow-debuginfo-4.8.1-150400.3.6.1
  • shadow-4.8.1-150400.3.6.1
  • shadow-debugsource-4.8.1-150400.3.6.1

References:

• https://www.suse.com/security/cve/CVE-2023-29383.html
• https://bugzilla.suse.com/show_bug.cgi?id=1144060
• https://bugzilla.suse.com/show_bug.cgi?id=1176006
• https://bugzilla.suse.com/show_bug.cgi?id=1188307
• https://bugzilla.suse.com/show_bug.cgi?id=1203823
• https://bugzilla.suse.com/show_bug.cgi?id=1205502
• https://bugzilla.suse.com/show_bug.cgi?id=1206627
• https://bugzilla.suse.com/show_bug.cgi?id=1210507
• https://bugzilla.suse.com/show_bug.cgi?id=1213189