
Re: How to help the security team (was Re: Bad press related to (missing) Debian security)



I picked one of the bugs (see bottom of email). Is
this sort of information useful to the security
team and if so, how?





Vulnerability: sudo race condition.
Severity: High
Type: local

References: 
CAN-2005-1993
BID:13993
URL:http://www.securityfocus.com/bid/13993
http://www.sudo.ws/sudo/alerts/path_race.html

Affected version: 1.3.1 up to and including 1.6.8p8.

Debian versions: 
woody: sudo_1.6.6-1.3
sarge: sudo_1.6.8p7-1.1
testing: sudo_1.6.8p7-1.1
unstable: sudo_1.6.8p7-1.1

No mention of the bug in the changelog:
http://smallr.com/so

Status: Debian is affected

Actions that need to be taken: 

Package Maintainer Action:
Create new sudo package version 1.6.8p9 or greater.
Request a patch from the maintainers.
http://www.sudo.ws/sudo/authors.html

User Action:
Upgrade: The bug is fixed in sudo 1.6.8p9. There is no
package available so a local build or install will be
required.

Current Workaround:
The administrator can order the sudoers file such that
all entries granting Sudo ALL privileges precede all
other entries.



Harry
Join team plico. 
http://www.hjackson.org/cgi-bin/folding/index.pl
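
The workaround in the message above (sudoers entries granting ALL placed before all other entries) can be checked mechanically. The following is an added example, not part of the original message and not sudo's own parser: it reads a simplified sudoers grammar (aliases are not expanded, included files are not followed), and the function names and sample file are constructed for illustration.

```python
import re

# Constructed sample sudoers text (not from the original message).
SAMPLE = """\
# constructed example
Defaults env_reset
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
alice ALL = /bin/ls, \\
            /usr/bin/id
root  ALL = (ALL) ALL
%admin ALL = NOPASSWD: ALL
"""

NOT_USER_SPEC = re.compile(r"(Defaults|(User|Runas|Host|Cmnd)_Alias)\b")

def user_specs(text):
    """Yield (first_line_no, spec) per user specification, joining '\\' continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = re.sub(r"#(?!\d).*", "", raw).rstrip()  # drop comments, keep #uid names
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        spec, buf = (buf + line).strip(), ""
        if "=" in spec and not NOT_USER_SPEC.match(spec):
            yield start, spec

def grants_all(spec):
    """True if any command in the spec is the literal ALL pseudo-command."""
    rhs = spec.split("=", 1)[1]
    rhs = re.sub(r"\([^)]*\)", " ", rhs)                         # Runas lists
    rhs = re.sub(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC):", " ", rhs)  # tags
    # Split commands and ':'-separated host sections; keep text after any 'host ='.
    return any(p.split("=")[-1].strip() == "ALL" for p in re.split(r"[,:]", rhs))

def misordered_all_entries(text):
    """Line numbers of ALL-granting entries that come after a non-ALL entry."""
    seen_other, late = False, []
    for no, spec in user_specs(text):
        if grants_all(spec):
            if seen_other:
                late.append(no)
        else:
            seen_other = True
    return late

if __name__ == "__main__":
    print(misordered_all_entries(SAMPLE))
```

An empty result means the file already follows the ordering the workaround describes; any line numbers returned are ALL entries that would need to move above the first non-ALL entry.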



