Re: How to help the security team (was Re: Bad press related to (missing) Debian security)
I picked one of the bugs (see bottom of email). Is
this sort of information useful to the security
team and if so, how?
Vulnerability: sudo race condition.
Severity: High
Type: local
References:
CAN-2005-1993
BID:13993
URL:http://www.securityfocus.com/bid/13993
http://www.sudo.ws/sudo/alerts/path_race.html
Affected version: 1.3.1 up to and including 1.6.8p8.
Debian versions:
woody: sudo_1.6.6-1.3
sarge: sudo_1.6.8p7-1.1
testing: sudo_1.6.8p7-1.1
unstable: sudo_1.6.8p7-1.1
No mention of the bug in the changelog:
http://smallr.com/so
Status: Debian is affected
Actions that need to be taken:
Package Maintainer Action:
Create new sudo package version 1.6.8p9 or greater.
Request a patch from the maintainers.
http://www.sudo.ws/sudo/authors.html
User Action:
Upgrade: The bug is fixed in sudo 1.6.8p9. There is no
package available so a local build or install will be
required.
Current Workaround:
The administrator can order the sudoers file such that
all entries granting Sudo ALL privileges precede all
other entries.
Harry
Join team plico.
http://www.hjackson.org/cgi-bin/folding/index.pl
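
The sudoers ordering given as the current workaround can be audited mechanically. The Python below is an added example, not part of the original message or of sudo; it assumes a simplified sudoers syntax (every `#` starts a comment, so includes and `#uid` forms are ignored), the function names are hypothetical, and the sample file is constructed. It reports entries granting ALL that appear after a more restricted entry.

```python
import re

# Constructed sample sudoers content (not taken from the original message).
SAMPLE = """\
# constructed example
Defaults env_reset
User_Alias ADMINS = alice, bob
carol ALL = /usr/bin/less /var/log/syslog
ADMINS ALL = (ALL) ALL
dave ALL = NOPASSWD: /bin/kill, \\
    /usr/bin/lprm
%wheel ALL = (root) NOPASSWD: ALL
"""

SKIP = re.compile(r"^(Defaults|(User|Runas|Host|Cmnd)_Alias)\b")
RUNAS = re.compile(r"\([^)]*\)")  # (root), (ALL), (a, b)
TAGS = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:")

def logical_lines(text):
    """Yield (first_line_no, entry) with comments dropped and '\\' continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' always starts a comment
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""

def grants_all(entry):
    """True if any command in the entry's command list is the bare keyword ALL."""
    rhs = TAGS.sub("", RUNAS.sub("", entry.split("=", 1)[1]))
    # ',' separates commands; a remaining ':' separates further "host = cmds" groups
    return any(tok.split("=")[-1].strip() == "ALL" for tok in re.split(r"[,:]", rhs))

def misordered(text):
    """Return (line_no, entry) for ALL-granting entries that follow a restricted entry."""
    seen_restricted, late = False, []
    for n, entry in logical_lines(text):
        if SKIP.match(entry) or "=" not in entry:
            continue
        if not grants_all(entry):
            seen_restricted = True
        elif seen_restricted:
            late.append((n, entry))
    return late

if __name__ == "__main__":
    for n, entry in misordered(SAMPLE):
        print(f"line {n}: move above restricted entries: {entry}")
```

An empty result from `misordered()` means the file already follows the ordering described in the workaround.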