X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=NEWS;h=336d30e30e4594a460b049c6c06023302c2ae94b;hb=6e2c6ffdf794be862d5489bd37db5e96de616bd9;hp=fc58aa27b462470a51ac89c3bf21d2d27666c595;hpb=13b74243a6d8ca0e2859df994af03be9ede219f6;p=shadow diff --git a/NEWS b/NEWS index fc58aa27..336d30e3 100644 --- a/NEWS +++ b/NEWS 
@@ -1,11 +1,212 @@ $Id$ -shadow-4.1.3.1 -> shadow-4.1.3.2 UNRELEASED +shadow-4.1.4.3 -> shadow-4.1.5 UNRELEASED + +*** security + * su -c could be abused by the executed command to invoke commands with + the caller privileges. See below. + +*** general + * report usage error to stderr, but report usage help to stdout (and return + zero) when explicitly requested (e.g. with --help). + * initial support for tcb (http://openwall.com/tcb/) for useradd, + userdel, usermod, chage, pwck, vipw. + * Added support for ACLs and Extended Attributes in useradd and usermod. + Support shall be enabled with the new --with-acl or --with-attr + configure options. + * Added diagnosis for lock failures. + * use libsemanage instead of the semanage tool. + +- chage + * Add --root option. +- chfn + * Add --root option. +- chgpasswd + * When the gshadow file exists but there are no gshadow entries, an entry + is created if the password is changed and group requires a + shadow entry. + * Add --root option. +- chpasswd + * PAM enabled versions: restore the -e option to allow restoring + passwords without knowing those passwords. Restore together the -m + and -c options. (These options were removed in shadow-4.1.4 on PAM + enabled versions) + * When the shadow file exists but there are no shadow entries, an entry + is created if the password is changed and passwd requires a + shadow entry. + * Add --root option. +- chsh + * Add --root option. +- faillog + * The -l, -m, -r, -t options only act on the existing users, unless -a is + specified. + * Add --root option. +- gpasswd + * Add --root option. +- groupadd + * Add --root option. +- groupdel + * Add --root option. +- groupmems + * Fix parsing of gshadow entries. + * Add --root option. +- groupmod + * Fixed groupmod when configured with --enable-account-tools-setuid. + * When the gshadow file exists but there are no gshadow entries, an entry + is created if the password is changed and group requires a + shadow entry. + * Add --root option. 
+- grpck + * Add --root option. + * NIS entries were dropped by -s (sort). +- grpconv + * Add --root option. +- grpunconv + * Add --root option. +- lastlog + * Add --root option. +- login + * Fixed limits support (non PAM enabled versions only) + * Added support for infinite limits and group based limits (non PAM + enabled versions only) + * Fixed infinite loop when CONSOLE is configured with a colon-separated + list of TTYs. + * Fixed warning and support for CONSOLE_GROUPS for users member of more + than 16 groups. + * Do not log into utmp(x) or wtmp when PAM is enabled. This is done by + pam_lastlog. +- newgrp, sg + * Fix parsing of gshadow entries. +- newusers + * Add --root option. +- passwd + * Add --root option. +- pwpck + * NIS entries were dropped by -s (sort). + * Add --root option. +- pwconv + * Add --root option. +- pwunconv + * Add --root option. +- useradd + * If the skeleton directory contained hardlinked files, copies of the + hardlink were removed from the skeleton directory. + * Add --root option. +- userdel + * Check the existence of the user's mail spool before trying to remove + it. If it does not exist, a warning is issued, but no failure. + * Do not remove a group with the same name as the user (usergroup) if + this group isn't the user's primary group. + * Add --root option. + * Add --selinux-user option. +- usermod + * Accept options in any order (username not necessarily at the end) + * When the shadow file exists but there are no shadow entries, an entry + is created if the password is changed and passwd requires a + shadow entry, or if aging features are used (-e or -f). + * Add --root option. +- su + * Document the su exit values. + * When su receives a signal, wait for the child to terminate (after + sending a SIGTERM), and kill it only if it did not terminate by itself. + No delay will be enforced if the child cooperates. 
+ * Default ENV_SUPATH is /sbin:/bin:/usr/sbin:/usr/bin + * Fixed infinite loop when CONSOLE is configured with a colon-separated + list of TTYs. + * Fixed warning and support for CONSOLE_GROUPS for users member of more + than 16 groups. + * Do not forward the controlling terminal to commands executed with -c. + This prevents tty hijacking which could lead to execution with the + caller's privileges. + * Close PAM sessions as root. This will be more friendly to PAM modules + like pam_mount or pam_systemd. + * Added support for PAM modules which change PAM_USER. + +*** translation + * Updated Brazilian Portuguese translation. + * Updated Catalan translation. + * Updated Czech translation. + * Updated Danish translation. + * Updated French translation. + * Updated French man pages translation. + * Updated German translation. + * Updated German man pages translation. + * Updated Japanese translation. + * Updated Kazakh translation. + * Updated Portuguese translation. + * Updated Russian translation. + * Updated Simplified Chinese translation. + * Updated Simplified Chinese man pages translation. + * Updated Swedish translation. + * Updated Vietnamese translation. + +shadow-4.1.4.2 -> shadow-4.1.4.3 2011-02-15 + +*** security +- CVE-2011-0721: An insufficient input sanitation in chfn can be exploited + to create users or groups in a NIS environment. + +shadow-4.1.4.1 -> shadow-4.1.4.2 2009-07-24 + +- general + * Improved support for large groups (impacts most user/group management + tools). + +- addition of system users or groups + * Speed improvement. This should be noticeable in case of LDAP configured + systems. This should impact useradd, groupadd, and newusers + * Since system accounts are allocated from SYS_?ID_MIN to SYS_?ID_MAX in + reverse order, accounts are packed close to SYS_?ID_MAX if SYS_?ID_MIN + is already used but there are still dome gaps. + +- login + * Add support for shells being a shell script without a shebang. 
+- su + * Preserve the DISPLAY and XAUTHORITY environment variables. This was + only the case in the non PAM enabled versions. + * Add support for shells being a shell script without a shebang. + +*** translation + * The Finnish translation of passwd(1) was outdated and is no more + distributed. + +shadow-4.1.4 -> shadow-4.1.4.1 2009-05-22 + +- login + * Fix failures with empty usernames on non PAM versions. + * Fix CONSOLE (securetty) support on non PAM versions. +- newgrp + * Return the exit status of the child. +- userdel + * On Linux, do not check if an user is logged in with utmp, but check if + the user is running some processes. + * If not on Linux, continue to search for an utmp record, but make sure + the process recorded in the utmp entry is still running. + * Report failures to remove the user's mailbox + * When USERGROUPS_ENAB is enabled, remove the user's group when the + user was the only member. + * Do not fail when -r is used and the home directory does not exist. +- usermod + * Check if the user is busy when the user's UID, name or home directory + is changed. + +shadow-4.1.3.1 -> shadow-4.1.4 2009-05-10 - packaging * Enable --enable-account-tools-setuid by default for PAM builds. - * Added configure option --enable-utmpx, disabled by default to mimic + * Add configure option --enable-utmpx, disabled by default to mimic the previous behavior on Linux (where utmp and utmpx are identical). + * Fix build failure on non-PAM systems when --without-pam is not + specified. + +- chpasswd + * Change the passwords using PAM. This permits to define the password + policy in a central place. The -c/--crypt-method, -e/--encrypted, + -m/--md5 and -s/--sha-rounds options are no more supported on PAM + enabled systems. +- grpck + * Warn if a group has an entry in group and gshadow, and the password + field in group is not 'x'. - login * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could lead to DOS attacks. 
@@ -13,10 +214,22 @@ shadow-4.1.3.1 -> shadow-4.1.3.2 UNRELEASED user to update his authentication token if needed. - lastlog * Fix regression causing empty reports. +- newusers + * Change the passwords using PAM. This permits to define the password + policy in a central place. The -c/--crypt-method and -s/--sha-rounds + options are no more supported on PAM enabled systems. +- pwck + * Warn if an user has an entry in passwd and shadow, and the password + field in passwd is not 'x'. *** translation + - Updated Czech translation + - Updated French translation + - Updated German translation + - Updated Japanese translation - Updated Korean translation - Updated Portuguese translation + - Updated Russian translation shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15 @@ -243,7 +456,7 @@ shadow-4.1.0 -> shadow-4.1.1 02-04-2008 faillog faster. - gpasswd * Fix failures when the gshadow file is not present. - * When a password is moved to the gshadow file, use "x" instead of "x" + * When a password is moved to the gshadow file, use "x" instead of "!" to indicate that the password is shadowed (consistency with grpconv). * Make sure the group and gshadow files are unlocked on exit. - groupadd
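Review bot: In the first hunk (@@ -1,11 +1,212 @@), the new "*** security" entry for su -c ends with "See below." but the item it points to, "Do not forward the controlling terminal to commands executed with -c." under "- su", sits far down the list with no marker or identifier, unlike the 4.1.4.3 entry, which leads with CVE-2011-0721. Suggest making the pointer explicit (for example "See the su section below"), citing an advisory identifier there if one has been assigned, and stating what callers should expect when the command passed to -c needs a controlling terminal. Smaller points in the same hunk: "- pwpck" should read "- pwck" (the name used in the tcb item), "dome gaps" should read "some gaps", and the two CONSOLE / CONSOLE_GROUPS items appear word for word under both login and su, so please confirm they apply to su. The grpck, pwck and useradd items ("NIS entries were dropped by -s (sort)", "copies of the hardlink were removed from the skeleton directory") describe the old bug rather than the fix; rewording them as "No longer drop ..." or "No longer remove ..." would avoid misreading.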
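Review bot: In the second hunk (@@ -13,10 +214,22 @@), the newusers item removes -c/--crypt-method and -s/--sha-rounds on PAM enabled systems but does not say how the tool reacts when a script still passes them (usage error, or silently ignored). Please state that, since the 4.1.5 section of this same patch records that the equivalent chpasswd options had to be restored after their removal in shadow-4.1.4. The pwck item ("the password field in passwd is not 'x'") would also benefit from half a sentence on why the warning matters, given that it flags a password field left in passwd although a shadow entry exists. Wording: "no more supported" should be "no longer supported", and "an user" should be "a user".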
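Review bot: In the last hunk (@@ -243,7 +456,7 @@), the corrected gpasswd line now reads 'use "x" instead of "!"' but still does not name the file whose password field receives the "x". Suggest spelling it out, for example 'set the password field in the group file to "x" instead of "!"', so the entry can be checked against grpconv's behaviour without reading the source. The section header visible in the hunk context, "shadow-4.1.0 -> shadow-4.1.1 02-04-2008", also uses a different date format from the ISO dates on the newer sections (2011-02-15, 2009-07-24) and is ambiguous between day-first and month-first; worth normalising in a follow-up.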