Re: making Debian secure by default
On Sun, Mar 31, 2024 at 07:00:50PM +0000, Andy Smith wrote:
> Hello,
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> > Escape sequence injection in util-linux wall (CVE-2024-28085)
> > https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users sudo password.
>
> I note that "write" and "wall" in Debian had setgid removed after this.
>
> https://salsa.debian.org/debian/util-linux/-/commit/c4be137b4b09a855713c1f4d052dfee773c4ad3b
> https://metadata.ftp-master.debian.org/changelogs//main/u/util-linux/util-linux_2.39.3-11_changelog
>
The fix has also been made to stable and oldstable:
https://lists.debian.org/debian-security-announce/2024/msg00058.html
Regards,
-Roberto
--
Roberto C. Sánchez
Reply to: