Thanks, Leo!

Maxim

On Thu, Feb 23, 2017 at 1:04 PM, Leo Famulari wrote:
> In commit 1c851cbe0c562894bd38c0f9f39d12be306b3e59 I added a patch
> to the shadow package that fixes CVE-2017-2616 in `su`.
>
> This bug makes it possible for any local user to send SIGKILL to other
> processes with root privileges. For example, you could use this bug to
> make another user's screen locker exit.
>
> It is recommended to update your GuixSD systems, since shadow provides
> `su` on GuixSD.
>
> More information:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
> http://seclists.org/oss-sec/2017/q1/490
> http://seclists.org/oss-sec/2017/q1/474
> https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
>
> I also fixed the bug in util-linux by grafting this patch:
>
> https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891