Operating System:

[Debian]

Published:

03 February 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0387
                           sudo security update
                              3 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sudo
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18634  

Reference:         ESB-2020.0351

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2094

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : sudo
Version        : 1.8.10p3-1+deb8u7
CVE ID         : CVE-2019-18634


A stack-based buffer overflow vulnerability was found in sudo, a program
designed to provide limited super user privileges to specific users. It is
triggerable when sudo is configured with the pwfeedback option enabled. An
unprivileged user can take advantage of this flaw to obtain full root
privileges.


For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u7.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
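
The included advisory ties exposure to two conditions: a sudo package older
than 1.8.10p3-1+deb8u7 and the pwfeedback option being enabled. The script
below is an added example, not part of the AusCERT or Debian text, that checks
both. The function names, the sample sudoers text and the deb8u6 version string
are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): exposure check for CVE-2019-18634.
FIXED='1.8.10p3-1+deb8u7'   # fixed Debian 8 version, taken from the advisory

# pwfeedback_state: sudoers text on stdin -> prints "enabled" or "disabled".
# Global Defaults lines are applied in order (last setting wins). A scoped
# entry (Defaults:user, Defaults@host, ...) that sets the flag counts as
# enabled. Assumes scope lists contain no spaces; #include lines are skipped,
# so feed included files on stdin as well.
pwfeedback_state() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continuations
        { line = buf $0; buf = "" }
        line !~ /^[ \t]*Defaults/ { next }   # comments, #include, user specs
        {
            scoped = (line ~ /^[ \t]*Defaults[@:>!]/)
            sub(/[ \t]#.*$/, "", line)                   # trailing comment
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "", line)
            n = split(line, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])
                if (opt[i] == "pwfeedback") { if (scoped) any = 1; else glob = 1 }
                if (opt[i] == "!pwfeedback" && !scoped) glob = 0
            }
        }
        END { print ((glob || any) ? "enabled" : "disabled") }
    '
}

# exposure VERSION STATE -> patched | exposed | unpatched-not-triggerable
exposure() {
    if dpkg --compare-versions "$1" ge "$FIXED"; then echo patched
    elif [ "$2" = enabled ]; then echo exposed
    else echo unpatched-not-triggerable
    fi
}

# Constructed sample sudoers text, not taken from a real host.
SAMPLE='Defaults env_reset
Defaults mail_badpass, \
         pwfeedback   # echo asterisks while typing
%sudo ALL=(ALL:ALL) ALL'
state=$(printf '%s\n' "$SAMPLE" | pwfeedback_state)
echo "pwfeedback: $state"
if command -v dpkg >/dev/null 2>&1; then
    echo "deb8u6: $(exposure '1.8.10p3-1+deb8u6' "$state")"   # constructed version
    echo "deb8u7: $(exposure "$FIXED" "$state")"
fi
```

On a real host, pipe /etc/sudoers and the files under /etc/sudoers.d into
pwfeedback_state as root, and pass the output of
dpkg-query -W -f='${Version}' sudo as the first argument to exposure.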

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----