CVE-2017-2616 — shadow - security update

Description

A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.

How to fix CVE-2017-2616

To remediate CVE-2017-2616, upgrade the affected package to a fixed version below.

Debian/coreutils—upgrade to 8.20-1 or later
—upgrade to 1:4.4-4 or later
—upgrade to 1:4.1.5.1-1+deb7u1 or later
—upgrade to 2.29.2-1 or later

Is CVE-2017-2616 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 8.20-1
from 0, < 1:4.4-4
from 0, < 1:4.1.5.1-1+deb7u1
from 0, < 2.29.2-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-2616