Description
ELSA-2020-1804: sudo security, bug fix, and enhancement update (MODERATE)
[1.8.29-5]
- RHEL 8.2 ERRATUM
- CVE-2019-18634 Resolves: rhbz#1798093
[1.8.29-4]
- RHEL 8.2 ERRATUM
- CVE-2019-19232 Resolves: rhbz#1786987 Resolves: rhbz#1796518
[1.8.29-2]
- RHEL 8.2 ERRATUM
- rebase to 1.8.29 Resolves: rhbz#1733961 Resolves: rhbz#1651662
[1.8.28p1-1]
- RHEL 8.2 ERRATUM
- rebase to 1.8.28p1 Resolves: rhbz#1733961
- fixed man page for always_set_home Resolves: rhbz#1576880
- sudo does not work with notbefore/after Resolves: rhbz#1679508
- NOTBEFORE showing value of sudoNotAfter Ldap attribute Resolves: rhbz#1715516
- CVE-2019-14287 sudo
- Privilege escalation via 'Runas' specification with 'ALL' keyword Resolves: rhbz#1760697
Updated packages
Oracle Linux 8
Oracle Linux aarch64: sudo 1.8.29-5.el8
Oracle Linux x86_64: sudo 1.8.29-5.el8
Related CVEs
Related vulnerabilities
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.