
Re: [SECURITY] [DSA 946-1] New sudo packages fix privilege escalation



Marc Haber wrote:
>> Package        : sudo
>> Vulnerability  : missing input sanitising
>> Problem type   : local
>> Debian-specific: no
>> CVE IDs        : CVE-2005-4158 CVE-2006-0151
>> Debian Bug     : 342948
>> 
>> For unstable
>> "Defaults = env_reset" need to be added to /etc/sudoers manually.
>
> Why is this only necessary on unstable systems? The security update
> doesn't seem to add this on stable systems automatically, so it might
> be necessary to manually add this on stable and testing as well.

For stable and oldstable we've basically switched from a black list
of dangerous env vars to a white list of known-to-be-safe ones.
For unstable this wasn't done, as the upcoming 1.7 release will
incorporate a similar strategy. For the meantime, setting the above
will do the same.

Please see #342948 for details.

Cheers,
        Moritz
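As an added example that is not part of this thread or of the Debian sudo package: a POSIX shell check for whether a sudoers text puts `env_reset` into force globally, the setting the reply says unstable users must add by hand. The sudoers samples are constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed sudoers samples (not real files); tabs or spaces both work.
SUDOERS_NO_RESET='# /etc/sudoers
Defaults mail_badpass
root    ALL=(ALL) ALL'

SUDOERS_RESET='# /etc/sudoers
Defaults mail_badpass,env_reset   # added as DSA 946-1 recommends
root    ALL=(ALL) ALL'

SUDOERS_NEGATED='Defaults env_reset
Defaults !env_reset'

SUDOERS_SCOPED='Defaults:alice env_reset'   # per-user only, not global

# Reads sudoers text on stdin. Exit 0 if env_reset is in force globally,
# 1 otherwise. Only bare "Defaults" lines count: Defaults:user,
# Defaults@host, Defaults>runas and Defaults!cmd are scoped, so they are
# ignored. Comments are stripped, comma-separated option lists are split,
# and a later "!env_reset" cancels an earlier "env_reset".
sudoers_env_reset_set() {
    sed -e 's/#.*//' | awk '
        $1 == "Defaults" {
            opts_str = ""
            for (i = 2; i <= NF; i++) opts_str = opts_str " " $i
            n = split(opts_str, opts, "[ \t]*,[ \t]*")
            for (j = 1; j <= n; j++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[j])
                if (opts[j] == "env_reset")  state = 1
                if (opts[j] == "!env_reset") state = 0
            }
        }
        END { exit (state == 1 ? 0 : 1) }
    '
}

# Convenience wrapper: $1 is the sudoers text as a string.
check_env_reset() {
    printf '%s\n' "$1" | sudoers_env_reset_set
}

# Stand-alone run: report the verdict for each constructed sample.
for s in SUDOERS_NO_RESET SUDOERS_RESET SUDOERS_NEGATED SUDOERS_SCOPED; do
    eval "text=\$$s"
    if check_env_reset "$text"; then echo "$s: env_reset set"
    else echo "$s: env_reset NOT set"; fi
done
```

To audit a real system, feed the file instead of a sample: `sudoers_env_reset_set < /etc/sudoers`.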


