X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=NEWS;h=267196faf38b0ce35ad00c49cea7b9481261e582;hb=7d8ca29bea79a86af90d9146cf8d1f59c4014b0e;hp=4067c818c0a0877b938f4f35cc4ffde55c24cffd;hpb=a24058d660aa3a9e29dfbbf4befde1597aa0835b;p=shadow diff --git a/NEWS b/NEWS index 4067c818..267196fa 100644 --- a/NEWS +++ b/NEWS 
@@ -1,19 +1,251 @@ $Id$ +shadow-4.1.4.3 -> shadow-4.1.5 UNRELEASED + +*** security + * su -c could be abused by the executed command to invoke commands with + the caller privileges. See below. + +*** general + * report usage error to stderr, but report usage help to stdout (and return + zero) when explicitly requested (e.g. with --help). + * initial support for tcb (http://openwall.com/tcb/) for useradd, + userdel, usermod, chage, pwck, vipw. + * Added support for ACLs and Extended Attributes in useradd and usermod. + Support shall be enabled with the new --with-acl or --with-attr + configure options. + * Added diagnosis for lock failures. + +- chage + * Add --root option. +- chfn + * Add --root option. +- chgpasswd + * When the gshadow file exists but there are no gshadow entries, an entry + is created if the password is changed and group requires a + shadow entry. + * Add --root option. +- chpasswd + * PAM enabled versions: restore the -e option to allow restoring + passwords without knowing those passwords. Restore together the -m + and -c options. (These options were removed in shadow-4.1.4 on PAM + enabled versions) + * When the shadow file exists but there are no shadow entries, an entry + is created if the password is changed and passwd requires a + shadow entry. + * Add --root option. +- chsh + * Add --root option. +- faillog + * The -l, -m, -r, -t options only act on the existing users, unless -a is + specified. + * Add --root option. +- gpasswd + * Add --root option. +- groupadd + * Add --root option. +- groupdel + * Add --root option. +- groupmems + * Fix parsing of gshadow entries. + * Add --root option. +- groupmod + * Fixed groupmod when configured with --enable-account-tools-setuid. + * When the gshadow file exists but there are no gshadow entries, an entry + is created if the password is changed and group requires a + shadow entry. + * Add --root option. +- grpck + * Add --root option. + * NIS entries were dropped by -s (sort). 
+- grpconv + * Add --root option. +- grpunconv + * Add --root option. +- lastlog + * Add --root option. +- login + * Fixed limits support (non PAM enabled versions only) + * Added support for infinite limits and group based limits (non PAM + enabled versions only) + * Fixed infinite loop when CONSOLE is configured with a colon-separated + list of TTYs. + * Fixed warning and support for CONSOLE_GROUPS for users member of more + than 16 groups. + * Do not log into utmp(x) or wtmp when PAM is enabled. This is done by + pam_lastlog. +- newgrp, sg + * Fix parsing of gshadow entries. +- passwd + * Add --root option. +- pwpck + * NIS entries were dropped by -s (sort). + * Add --root option. +- pwconv + * Add --root option. +- pwunconv + * Add --root option. +- useradd + * If the skeleton directory contained hardlinked files, copies of the + hardlink were removed from the skeleton directory. + * Add --root option. +- userdel + * Check the existence of the user's mail spool before trying to remove + it. If it does not exist, a warning is issued, but no failure. + * Do not remove a group with the same name as the user (usergroup) if + this group isn't the user's primary group. + * Add --root option. +- usermod + * Accept options in any order (username not necessarily at the end) + * When the shadow file exists but there are no shadow entries, an entry + is created if the password is changed and passwd requires a + shadow entry, or if aging features are used (-e or -f). + * Add --root option. +- su + * Document the su exit values. + * When su receives a signal, wait for the child to terminate (after + sending a SIGTERM), and kill it only if it did not terminate by itself. + No delay will be enforced if the child cooperates. + * Default ENV_SUPATH is /sbin:/bin:/usr/sbin:/usr/bin + * Fixed infinite loop when CONSOLE is configured with a colon-separated + list of TTYs. + * Fixed warning and support for CONSOLE_GROUPS for users member of more + than 16 groups. 
+ * Do not forward the controlling terminal to commands executed with -c. + This prevents tty hijacking which could lead to execution with the + caller's privileges. + * Close PAM sessions as root. This will be more friendly to PAM modules + like pam_mount or pam_systemd. + * Added support for PAM modules which change PAM_USER. + +*** translation + * Updated Brazilian Portuguese translation. + * Updated Catalan translation. + * Updated Czech translation. + * Updated Danish translation. + * Updated French translation. + * Updated French man pages translation. + * Updated German translation. + * Updated German man pages translation. + * Updated Japanese translation. + * Updated Kazakh translation. + * Updated Portuguese translation. + * Updated Russian translation. + * Updated Simplified Chinese translation. + * Updated Simplified Chinese man pages translation. + * Updated Swedish translation. + * Updated Vietnamese translation. + +shadow-4.1.4.2 -> shadow-4.1.4.3 2011-02-15 + +*** security +- CVE-2011-0721: An insufficient input sanitation in chfn can be exploited + to create users or groups in a NIS environment. + +shadow-4.1.4.1 -> shadow-4.1.4.2 2009-07-24 + +- general + * Improved support for large groups (impacts most user/group management + tools). + +- addition of system users or groups + * Speed improvement. This should be noticeable in case of LDAP configured + systems. This should impact useradd, groupadd, and newusers + * Since system accounts are allocated from SYS_?ID_MIN to SYS_?ID_MAX in + reverse order, accounts are packed close to SYS_?ID_MAX if SYS_?ID_MIN + is already used but there are still dome gaps. + +- login + * Add support for shells being a shell script without a shebang. +- su + * Preserve the DISPLAY and XAUTHORITY environment variables. This was + only the case in the non PAM enabled versions. + * Add support for shells being a shell script without a shebang. 
+ +*** translation + * The Finnish translation of passwd(1) was outdated and is no more + distributed. + +shadow-4.1.4 -> shadow-4.1.4.1 2009-05-22 + +- login + * Fix failures with empty usernames on non PAM versions. + * Fix CONSOLE (securetty) support on non PAM versions. +- newgrp + * Return the exit status of the child. +- userdel + * On Linux, do not check if an user is logged in with utmp, but check if + the user is running some processes. + * If not on Linux, continue to search for an utmp record, but make sure + the process recorded in the utmp entry is still running. + * Report failures to remove the user's mailbox + * When USERGROUPS_ENAB is enabled, remove the user's group when the + user was the only member. + * Do not fail when -r is used and the home directory does not exist. +- usermod + * Check if the user is busy when the user's UID, name or home directory + is changed. + +shadow-4.1.3.1 -> shadow-4.1.4 2009-05-10 + +- packaging + * Enable --enable-account-tools-setuid by default for PAM builds. + * Add configure option --enable-utmpx, disabled by default to mimic + the previous behavior on Linux (where utmp and utmpx are identical). + * Fix build failure on non-PAM systems when --without-pam is not + specified. + +- chpasswd + * Change the passwords using PAM. This permits to define the password + policy in a central place. The -c/--crypt-method, -e/--encrypted, + -m/--md5 and -s/--sha-rounds options are no more supported on PAM + enabled systems. +- grpck + * Warn if a group has an entry in group and gshadow, and the password + field in group is not 'x'. +- login + * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could + lead to DOS attacks. + * (PAM) Even if the user was already authenticated (-f flag), ask the + user to update his authentication token if needed. +- lastlog + * Fix regression causing empty reports. +- newusers + * Change the passwords using PAM. This permits to define the password + policy in a central place. 
The -c/--crypt-method and -s/--sha-rounds + options are no more supported on PAM enabled systems. +- pwck + * Warn if an user has an entry in passwd and shadow, and the password + field in passwd is not 'x'. + +*** translation + - Updated Czech translation + - Updated French translation + - Updated German translation + - Updated Japanese translation + - Updated Korean translation + - Updated Portuguese translation + - Updated Russian translation + shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15 *** security: - Due to bad parsing of octal permissions, the permissions on tty (login) - but also home directories, mailboxes, or UMASK were set wrongly (and - weirdly). Only shadow-4.1.3 was affected. + but also UMASK were set wrongly (and weirdly). Only shadow-4.1.3 was + affected. *** general +- login + * Fix regression when no user is specified on the command line. +- userdel + * Fixed SE Linux support - vipw * SE Linux: Set the default context to the context of the file being edited. This ensures that the backup file inherit from the file's context. -- login - * Fix regression when no user is specified on the command line. + +*** translation + - Updated Norwegian Bokmål translation shadow-4.1.2.2 -> shadow-4.1.3 2009-04-12
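Review bot: The last change in this hunk rewrites the security entry of the already released 4.1.3.1 section, dropping "home directories, mailboxes" from the list of things whose permissions were set wrongly, and nothing in the entry says why. If the octal parsing bug only affected the tty permissions and UMASK, state that in the commit message so readers who saw the older NEWS text know the scope was corrected. The resulting sentence ("the permissions on tty (login) but also UMASK were set wrongly") also reads awkwardly and could become "the permissions on tty (login) and the UMASK were set wrongly". Smaller points in the added text: the 4.1.5 section has an entry headed "pwpck", which should be "pwck" as in the tcb line and the 4.1.4 section; "there are still dome gaps" in 4.1.4.2 should read "some gaps"; and the "See below" in the 4.1.5 security entry for su -c would be easier to follow if it named the su item about not forwarding the controlling terminal to commands executed with -c.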