Description
ELSA-2019-4821: sudo security update (IMPORTANT)
[1.8.23-4.0.1]
- Treat an ID of -1 as invalid since that means 'no change' [Orabug: 30421281] {CVE-2019-14287}
- Add sudo_strtoid() tests for -1 and range errors. [Orabug: 30421281]
Updated packages
Oracle Linux 7
Oracle Linux aarch64
sudo 1.8.23-4.0.1.el7
sudo-devel 1.8.23-4.0.1.el7
Oracle Linux x86_64
sudo 1.8.23-4.0.1.el7
sudo-devel 1.8.23-4.0.1.el7
Related CVEs
Related vulnerabilities
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.