Description
ELSA-2019-4822: sudo security update (IMPORTANT)
[1.8.25-4.0.1.el8.1]
- Treat an ID of -1 as invalid since that means 'no change' [Orabug: 30421281] {CVE-2019-14287}
- Add sudo_strtoid() tests for -1 and range errors. [Orabug: 30421281]
Updated packages
Oracle Linux 8
  Oracle Linux aarch64: sudo 1.8.25p1-4.0.1.el8_0.1
  Oracle Linux x86_64:  sudo 1.8.25p1-4.0.1.el8_0.1
Related CVEs
Related vulnerabilities
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.