| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 May 2012 18:05:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2012:079 ] sudo -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:079 http://www.mandriva.com/security/ _______________________________________________________________________ Package : sudo Date : May 21, 2012 Affected: 2010.1, 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in sudo: A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers (CVE-2012-2337 The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337 http://www.sudo.ws/sudo/alerts/netmask.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 10f9635c97df775aa2e84eea10cc2520 2010.1/i586/sudo-1.7.4p6-0.2mdv2010.2.i586.rpm 172ec1e9eb59daf6c619083544395615 2010.1/SRPMS/sudo-1.7.4p6-0.2mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 7c223e5185387d690b1fd5c9aedbb072 2010.1/x86_64/sudo-1.7.4p6-0.2mdv2010.2.x86_64.rpm 172ec1e9eb59daf6c619083544395615 2010.1/SRPMS/sudo-1.7.4p6-0.2mdv2010.2.src.rpm Mandriva Linux 2011: 4eaa11586daaf481506b9383462e11b1 2011/i586/sudo-1.7.6p2-1.1-mdv2011.0.i586.rpm 54e9566af0fc7a350b91a14351e83a9c 2011/SRPMS/sudo-1.7.6p2-1.1.src.rpm Mandriva Linux 2011/X86_64: c1a370556138f31669c713c7544ee042 2011/x86_64/sudo-1.7.6p2-1.1-mdv2011.0.x86_64.rpm 54e9566af0fc7a350b91a14351e83a9c 2011/SRPMS/sudo-1.7.6p2-1.1.src.rpm Mandriva Enterprise Server 5: b713c66d70635d93ccf68864c8849fe8 mes5/i586/sudo-1.7.4p6-0.2mdvmes5.2.i586.rpm 1de7c7de8f1764ecad9d727bae373fa7 mes5/SRPMS/sudo-1.7.4p6-0.2mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 6cabbb3df9d3ab16adb1f29b42ec24c5 mes5/x86_64/sudo-1.7.4p6-0.2mdvmes5.2.x86_64.rpm 1de7c7de8f1764ecad9d727bae373fa7 mes5/SRPMS/sudo-1.7.4p6-0.2mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD4DBQFPujn1mqjQ0CJFipgRAk+EAJ4jVLd17ksb/Ueg34F6Lfhd99OJpQCXTU5D Bt4a74E/fTXDzhyIPE8rjw== =wXih -----END PGP SIGNATURE-----
Powered by blists - more mailing lists