lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1GIwoG-0005Bv-SP@mercury.mandriva.com>
Date: Thu, 31 Aug 2006 18:23:00 -0600
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDKSA-2006:159 ] - Updated sudo packages whitelist environments


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:159
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : sudo
 Date    : August 31, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Previous sudo updates were made available to sanitize certain
 environment variables from affecting a sudo call, such as
 PYTHONINSPECT, PERL5OPT, etc.  While those updates were effective in
 addressing those specific environment variables, other variables that
 were not blacklisted were being made available.
 
 Debian addressed this issue by forcing sudo to use a whitlist approach
 in DSA-946-2 by arbitrarily making env_reset the default (as opposed
 to having to be enabled in /etc/sudoers).  Mandriva has opted to follow
 the same approach so now only certain variables are, by default, made
 available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
 XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
 variables.
 
 If other variables are required to be kept, this can be done by editing
 /etc/sudoers and using the env_keep option, such as:
 
     Defaults env_keep="FOO BAR"
 
 As well, the Corporate 3 packages are now compiled with the SECURE_PATH
 setting.
 
 Updated packages are patched to address this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151
 http://www.debian.org/security/2006/dsa-946
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 859526089cecbc00c11b0c76509f97b1  2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.i586.rpm
 7dce7457a74d625018aee6690bcc35d7  2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 8ab6e95323473f6f1f72c255aa4453ae  x86_64/2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.x86_64.rpm
 7dce7457a74d625018aee6690bcc35d7  x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

 Corporate 3.0:
 df8964b76a758340a3a283147dce03d5  corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.i586.rpm
 3d4fe9dd6e7f729266af98a318be1b48  corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 f8b93aad21eb48289a537e586d3c58ae  x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.x86_64.rpm
 3d4fe9dd6e7f729266af98a318be1b48  x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 57e770ca1e0d0bf487be6b1c4691926c  mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.5.M20mdk.i586.rpm
 d5a3d6889677117b6d19f953794c4ef4  mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.5.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE91BPmqjQ0CJFipgRApIhAJ45el9y07+qaXr3/b0FyVwnpuonvQCgh4Vr
IxvcoSqmpZNHvZFSEGWu2/E=
=Oehv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ