
Re: [SECURITY] [DSA 2642-1] sudo security update



FAMOUS JAMES!

On 9 March 2013 08:35, Michael Gilbert <mgilbert@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2642-1                   security@debian.org
> http://www.debian.org/security/                           Michael Gilbert
> March 09, 2013                         http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : sudo
> Vulnerability  : several issues
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2013-1775 CVE-2013-1776
> Debian Bug     : 701838 701839
>
> Several vulnerabilities have been discovered in sudo, a program designed
> to allow a sysadmin to give limited root privileges to users. The Common
> Vulnerabilities and Exposures project identifies the following problems:
>
> CVE-2013-1775
>
>     Marco Schoepl discovered an authentication bypass when the clock is
>     set to the UNIX epoch [00:00:00 UTC on 1 January 1970].
>
> CVE-2013-1776
>
>     Ryan Castellucci and James Ogden discovered aspects of an issue that
>     would allow session id hijacking from another authorized tty.
>
> For the stable distribution (squeeze), these problems have been fixed in
> version 1.7.4p4-2.squeeze.4.
>
> For the testing (wheezy) and unstable (sid) distributions, these problems
> have been fixed in version 1.8.5p2-1+nmu1.
>
> We recommend that you upgrade your sudo packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20130309083530.C2AAC598A9@kinkhorst.com
>



-- 

Martin Gleadow
Systems Manager

Technophobia Ltd, Velocity House, 3 Solly Street, Sheffield S1 4DE

t: +44 (0)114 2212123
e: martin.gleadow@technophobia.com
w: http://www.technophobia.com
http://twitter.com/WeTechnophobia

Part of Capita plc: www.capita.co.uk

Registered in England and Wales Company No. 3063669
VAT registration No. 618 1841 40
ISO 9001:2008 Accredited Company No. 21227
ISO 14001:2004 Accredited Company No. E997
ISO 27001:2005 (BS7799) Accredited Company No. IS 508906
Investor in People Certified No. 101507

The contents of this email are confidential to the addressee
and are intended solely for the recipient's use. If you are not
the addressee, you have received this email in error.
Any disclosure, copying, distribution or action taken in
reliance on it is prohibited and may be unlawful.

Any opinions expressed in this email are those of the author
personally and not Technophobia Limited who do not accept
responsibility for the contents of the message.

All email communications, in and out of Technophobia,
are recorded for monitoring purposes.

