Re: [SECURITY] [DSA 946-1] New sudo packages fix privilege escalation
Marc Haber wrote:
>> Package : sudo
>> Vulnerability : missing input sanitising
>> Problem type : local
>> Debian-specific: no
>> CVE IDs : CVE-2005-4158 CVE-2006-0151
>> Debian Bug : 342948
>>
>> For unstable
>> "Defaults = env_reset" needs to be added to /etc/sudoers manually.
>
> Why is this only necessary on unstable systems? The security update
> doesn't seem to add this on stable systems automatically, so it might
> be necessary to manually add this on stable and testing as well.
For stable and oldstable we've basically switched from a black list
of dangerous env vars to a white list of known-to-be-safe ones.
For unstable this wasn't done, as the upcoming 1.7 release will
incorporate a similar strategy. For the mean time setting the above
will do the same.
Please see #342948 for details.
Cheers,
Moritz
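To make the black-list versus white-list point in the reply concrete, the following is an added POSIX sh example (not sudo's code and not part of this thread) that filters a constructed sample environment both ways. The deny list, the allow list, the sample variables and the PERL5OPT/PYTHONPATH entries are all assumptions made for the illustration; they are not taken from the advisory.

```shell
#!/bin/sh
# Added illustration of the two environment-sanitising strategies:
# a deny list of "known dangerous" variables versus an allow list of
# "known safe" ones (the approach sudo's env_reset takes).
# Nothing here is sudo's own code; all lists below are constructed.

# Constructed deny list: what a black-list implementation strips.
DENY_LIST="LD_PRELOAD LD_LIBRARY_PATH IFS"
# Constructed allow list: what a white-list implementation keeps.
ALLOW_LIST="HOME PATH TERM USER LANG"

# Constructed sample environment, one NAME=VALUE per line. PERL5OPT and
# PYTHONPATH stand in for any interpreter-controlling variable the deny
# list's authors never thought to include.
SAMPLE_ENV='HOME=/root
PATH=/usr/bin:/bin
TERM=xterm
LD_PRELOAD=/tmp/evil.so
PERL5OPT=-Mevil
PYTHONPATH=/tmp'

# in_list NAME "A B C": succeed if NAME is one of the listed words.
in_list() {
    for n in $2; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# filter_env MODE: read NAME=VALUE lines on stdin, print the survivors.
# MODE is "deny" (drop listed names) or "allow" (keep only listed names).
filter_env() {
    while IFS= read -r kv; do
        name=${kv%%=*}
        case $1 in
            deny)  in_list "$name" "$DENY_LIST"  || printf '%s\n' "$kv" ;;
            allow) in_list "$name" "$ALLOW_LIST" && printf '%s\n' "$kv" ;;
        esac
    done
}

# count_kept MODE: number of sample variables the strategy lets through.
count_kept() {
    printf '%s\n' "$SAMPLE_ENV" | filter_env "$1" | wc -l | tr -d ' '
}

# leaks MODE NAME: succeed (exit 0) if NAME survives the strategy.
leaks() {
    printf '%s\n' "$SAMPLE_ENV" | filter_env "$1" | grep -q "^$2="
}

# Demonstration: the deny list stops LD_PRELOAD but not PERL5OPT;
# the allow list stops everything it does not explicitly know.
echo "deny  keeps $(count_kept deny) of 6 variables"
echo "allow keeps $(count_kept allow) of 6 variables"
leaks deny  PERL5OPT && echo "deny:  PERL5OPT leaks through"
leaks allow PERL5OPT || echo "allow: PERL5OPT is dropped"
```

The deny list can only remove variables its authors already knew about, which is exactly why a white list is the stronger default. On a real system the white list is what `Defaults env_reset` enables in /etc/sudoers; specific variables can be re-admitted with `Defaults env_keep += "NAME"`, and running `sudo -V` as root prints the lists of variables sudo preserves and removes so the effective policy can be checked.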