[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 596-1] New sudo packages fix privilege escalation

Hallo Frau Carstens,

sind wir da auf dem aktuellen Stand ? Sonst bitte bei nächster
Wartungsaufgabe mit machen.

---
Andreas Hellmer - andreas.hellmer@hhpv.de
Hamburger Pensionsverwaltung eG


MS> -----BEGIN PGP SIGNED MESSAGE-----
MS> Hash: SHA1

MS> - --------------------------------------------------------------------------
MS> Debian Security Advisory DSA 596-1                     security@debian.org
MS> http://www.debian.org/security/                             Martin Schulze
MS> November 24th, 2004                     http://www.debian.org/security/faq
MS> - --------------------------------------------------------------------------

MS> Package        : sudo
MS> Vulnerability  : missing input sanitising
MS> Problem-Type   : local
MS> Debian-specific: no
MS> CVE ID         : CAN-2004-1051
MS> Debian Bug     : 281665

MS> Liam Helmer noticed that sudo, a program that provides limited super
MS> user privileges to specific users, does not clean the environment
MS> sufficiently.  Bash functions and the CDPATH variable are still passed
MS> through to the program running as privileged user, leaving
MS> possibilities to overload system routines.  These vulnerabilities can
MS> only be exploited by users who have been granted limited super user
MS> privileges.

MS> For the stable distribution (woody) these problems have been fixed in
MS> version 1.6.6-1.2.

MS> For the unstable distribution (sid) these problems have been fixed in
MS> version 1.6.8p3.

MS> We recommend that you upgrade your sudo package.


MS> Upgrade Instructions
MS> - --------------------

MS> wget url
MS>         will fetch the file for you
MS> dpkg -i file.deb
MS>         will install the referenced file.

MS> If you are using the apt-get package manager, use the line for
MS> sources.list as given below:

MS> apt-get update
MS>         will update the internal database
MS> apt-get upgrade
MS>         will install corrected packages

MS> You may use an automated update by adding the resources from the
MS> footer to the proper configuration.


MS> Debian GNU/Linux 3.0 alias woody
MS> - --------------------------------

MS>   Source archives:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2.dsc
MS>       Size/MD5 checksum:      587 b4750887bf910de5d8bc4d4ef3f71b3b
MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2.diff.gz
MS>       Size/MD5 checksum:    12251 e138445e17adf6eec25035bb8c1ef0c9
MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6.orig.tar.gz
MS>       Size/MD5 checksum:   333074 4da4bf6cf31634cc7a17ec3b69fdc333

MS>   Alpha architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_alpha.deb
MS>       Size/MD5 checksum:   151386 841c5cfa5405fbef08d95fb7fcd50364

MS>   ARM architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_arm.deb
MS>       Size/MD5 checksum:   141442 46d1faa34df223b014c3131879ccadff

MS>   Intel IA-32 architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_i386.deb
MS>       Size/MD5 checksum:   135076 687519f374ef803d532e1a2c966322a6

MS>   Intel IA-64 architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_ia64.deb
MS>       Size/MD5 checksum:   172442 8e0f391e39197f7911069210dae06da7

MS>   HP Precision architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_hppa.deb
MS>       Size/MD5 checksum:   147512 b32938d0bf2d681b4556c64d7071187a

MS>   Motorola 680x0 architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_m68k.deb
MS>       Size/MD5 checksum:   132698 63860473eb387086c4474acc395ff96e

MS>   Big endian MIPS architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_mips.deb
MS>       Size/MD5 checksum:   144380 c1ffef369f073099d84704f24e2252f1

MS>   Little endian MIPS architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_mipsel.deb
MS>       Size/MD5 checksum:   144250 bdb34c5adaf5562908d6df4517bf0cd3

MS>   PowerPC architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_powerpc.deb
MS>       Size/MD5 checksum:   140566 ff92e82812ef08d35b51239099efaca3

MS>   IBM S/390 architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_s390.deb
MS>       Size/MD5 checksum:   140222 f327c3436a5a103b1d028dc2e045c226

MS>   Sun Sparc architecture:

MS>     http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.2_sparc.deb
MS>       Size/MD5 checksum:   143004 6c4300c125317a6faf9e154803552485


MS>   These files will probably be moved into the stable distribution on
MS>   its next update.

MS> - ---------------------------------------------------------------------------------
MS> For apt-get: deb http://security.debian.org/ stable/updates main
MS> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
MS> Mailing list: debian-security-announce@lists.debian.org
MS> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

MS> -----BEGIN PGP SIGNATURE-----
MS> Version: GnuPG v1.2.5 (GNU/Linux)

MS> iD8DBQFBpHn2W5ql+IAeqTIRAsbeAJ93UCDKx39/3F123rZPt4B+CpYN5wCcD01g
MS> heOiCeKmYQUJoqWasNWbWB0=
MS> =qta2
MS> -----END PGP SIGNATURE-----
Reply to: