1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4543-1] sudo security update

    From Salvatore Bonaccorso@1:229/2 to All on Mon Oct 14 21:10:01 2019
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4543-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso October 14, 2019 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : sudo
    CVE ID : CVE-2019-14287
    Debian Bug : 942322

    Joe Vennix discovered that sudo, a program designed to provide limited
    super user privileges to specific users, when configured to allow a user
    to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows to run commands as root by specifying the user ID
    - -1 or 4294967295. This could allow a user with sufficient sudo
    privileges to run commands as root even if the Runas specification
    explicitly disallows root access.

    Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html .

    For the oldstable distribution (stretch), this problem has been fixed
    in version 1.8.19p1-2.1+deb9u1.

    For the stable distribution (buster), this problem has been fixed in
    version 1.8.27-1+deb10u1.

    We recommend that you upgrade your sudo packages.

    For the detailed security status of sudo please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/sudo

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl2kxixfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QX0BAAnFE7RmSJXfz4uSIdt9s+9sM9AF/QS9iq5/yZnNIGjW5POgE4vqK3GipN 8WSXVxv41xxp1J6z4SJvbybCIm33du5RcIdijDuFhhbRlY7uvF6XwqioyRo3eiPN JVuVeHIDPod1bU9HVMMtNiH2QMI/WObM2hQ9UjObr2Jz9XLKDNZXyzdE4bOVV5sX uFNs4IemuXMORYRZpsGb2CBFcI9D0qHqtiRJCLEbkj3yjLyIGzAlb+qlueilA82i bWFabQeNzg9iGMYomd1gIV0bKF/UxARqMvm/EHi1bla2HAh44XenmKkZoFHByCV8 YVZlYPjK1l2eIavGSclRhnaqv3EczsOhF3V0v/l2+CbsGScIW8QcP8hzESfB24FN /B3RGXVJsZ5ssu5icXvOBz/3TK15nzw563gRBQYYUCRZ4kwZdO72weTFLU1ziEXf dzaraawTpErOAOFh9aT18OWGxZpMABHlmAoXDC2wk2bkwdh2cf6UVY7bhU5NDFG3 2yQpbe62xHJrD1UxL9NVVIYvt4DfuNUhaOrBglNwxXoxsZ5FCUXDet0/QKlO8rle z9El4yJoG03kW9OJqnPVsRh/QBtitoCEDpT1aON8U3DWEOSjBT8p7QG8qt7448aO 96QEZKrLs0DDwH9krOPZdod65HvlrLD49Y5Kawy/YGzrMVUeRX8=
    =jALx
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)