[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Ouji9-0007Lx-Ly@titan.mandriva.com>
Date: Sun, 12 Sep 2010 12:23:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:175 ] sudo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:175
http://www.mandriva.com/security/
_______________________________________________________________________
Package : sudo
Date : September 12, 2010
Affected: 2009.1, 2010.0, 2010.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in sudo:
Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does
not properly handle use of the -u option in conjunction with the -g
option, which allows local users to gain privileges via a command
line containing a -u root sequence (CVE-2010-2956).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.1:
6e4430f6b046f94ff2c173643f523e0a 2009.1/i586/sudo-1.7.0-1.6mdv2009.1.i586.rpm
04e5f930cc56b1fdb103dde1db5ebabe 2009.1/SRPMS/sudo-1.7.0-1.6mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
2ce7c0c655973c03d8b8061db466ca71 2009.1/x86_64/sudo-1.7.0-1.6mdv2009.1.x86_64.rpm
04e5f930cc56b1fdb103dde1db5ebabe 2009.1/SRPMS/sudo-1.7.0-1.6mdv2009.1.src.rpm
Mandriva Linux 2010.0:
fadb28a5027cdae180c287cdc44ce9f7 2010.0/i586/sudo-1.7.2-0.p1.1.4mdv2010.0.i586.rpm
cca6c09641101ea4f1fae32ec74c849f 2010.0/SRPMS/sudo-1.7.2-0.p1.1.4mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
e9771004f22b2fc377cf51694ddd5f30 2010.0/x86_64/sudo-1.7.2-0.p1.1.4mdv2010.0.x86_64.rpm
cca6c09641101ea4f1fae32ec74c849f 2010.0/SRPMS/sudo-1.7.2-0.p1.1.4mdv2010.0.src.rpm
Mandriva Linux 2010.1:
017af99d278ee67258ed8200ceb51f41 2010.1/i586/sudo-1.7.2-0.p7.1.1mdv2010.1.i586.rpm
05c18dedeb4a8e913c0c1566c459a55c 2010.1/SRPMS/sudo-1.7.2-0.p7.1.1mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
c1f8826bd6df14e9daf932c106e46f40 2010.1/x86_64/sudo-1.7.2-0.p7.1.1mdv2010.1.x86_64.rpm
05c18dedeb4a8e913c0c1566c459a55c 2010.1/SRPMS/sudo-1.7.2-0.p7.1.1mdv2010.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMjHz3mqjQ0CJFipgRAlbFAJ9adzlumJUZDm2g2p6KStO9g3t39gCg8hgX
1KTJpI1Tac+SZDJ0rp/9VPU=
=ayfL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists