openSUSE-SU-2019:2333-1

Опубликовано: 17 окт. 2019

Источник: suse-cvrf

Описание

Security update for sudo

This update for sudo fixes the following issue:

CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674).

This update was imported from the SUSE:SLE-15:Update update project.

Список пакетов

openSUSE Leap 15.0

sudo-1.8.22-lp150.8.1

sudo-devel-1.8.22-lp150.8.1

sudo-test-1.8.22-lp150.8.1

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BSBNENZR57LOHEQOPC2JHBLICDY4PCZ5/#BSBNENZR57LOHEQOPC2JHBLICDY4PCZ5
E-Mail link for openSUSE-SU-2019:2333-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1153674
SUSE Bug 1153674
https://www.suse.com/security/cve/CVE-2019-14287/
SUSE CVE CVE-2019-14287 page

Описание

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Затронутые продукты

openSUSE Leap 15.0:sudo-1.8.22-lp150.8.1

openSUSE Leap 15.0:sudo-devel-1.8.22-lp150.8.1

openSUSE Leap 15.0:sudo-test-1.8.22-lp150.8.1

Ссылки

https://www.suse.com/security/cve/CVE-2019-14287.html
CVE-2019-14287
https://bugzilla.suse.com/1153674
SUSE Bug 1153674
https://bugzilla.suse.com/1156093
SUSE Bug 1156093

openSUSE-SU-2019:2333-1

Описание

Список пакетов

openSUSE Leap 15.0

Ссылки

Уязвимость: CVE-2019-14287

Описание

Затронутые продукты

Ссылки