Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0390 sudo security update 3 February 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: sudo Publisher: Debian Operating System: Debian GNU/Linux 9 Debian GNU/Linux 10 Impact/Access: Root Compromise -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-18634 Reference: ESB-2020.0387 ESB-2020.0351 Original Bulletin: https://www.debian.org/security/2020/dsa-4614 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4614-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 01, 2020 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : sudo CVE ID : CVE-2019-18634 Debian Bug : 950371 Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the "pwfeedback" option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges. Details can be found in the upstream advisory at https://www.sudo.ws/alerts/pwfeedback.html . For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u2. For the stable distribution (buster), exploitation of the bug is prevented due to a change in EOF handling introduced in 1.8.26. We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl41cVhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QaKg//TnJPVomILAWCWCSHNUuzuH9c0tBli4KtTw+5QeFwcAeareJbleatZqJh CHi9WI8Dl7nnE0V1mKOgE1pXhrV1WJQrMHidocDo7Aejiyn4EU31HxHsAYv+RvqN E4nNRckP1PEoL9JpGHUMOI3O8mvB+2Nnds0ihy8P+WcZxlxVw+CQuK2omFBhdlwr pgdfBq3khgz5mBx5pzdxIrs9fgJA5Txr+LaOHm06ZL9cP1FTcBK31t1RllKy4bjK bg+igCLVTTqU/8Sydc65UM+rHgx4ljG7bCFWJ3GuRJeeXm1vavfjmCXh8x2ezd3K EsB+FxHDdGpKqwi4bFqWUjijOqaElqAAu/q+xZYzzXZSfIynB5YNfL8tVuq4fsL3 MQdUU/0fZZD5RJW5B2uxppVoHZ15IhG2kRqZK4unCzCcwmXdgKTM+eA6wEp0ib7o Ol3mAWIdUcYzDuKFZU1Ry+62Przm9NX0XXh86Hrigk1oEWcq0iusgGiPPgp4j0mF JjTXAU2fdR5abzLCxkMDKiv+2UnU93/V+4JBLrTijWal2zl9DwD0i+OQVK9ZNxW1 mgj+n7D5iyDNF9ptkP3/0hiL1ITHpWhcbEBAYaNFLD1kv3brNGMNsZzpIXVC6NU9 2KK/2DNyetqnZkmNOt0JQ+G0JFyfouauXi1qr0qCc8PK/f5mLBQ= =d97L - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXjd3fWaOgq3Tt24GAQivDA//Xk8cyY6bcqjPukp+nID6cfuDvhe8eEhE S7iVlYFaxobjpDGps3OOLVLfk72jTu2tlDCZzhzfYsY8S2H8eXRO6mBErp2pGGML haovWqrluKhF4HVRbWW2oJ+TR46Jq8jmsNT5k3S6AgJYIOjXHrZEHB7PRMmAWFGJ wj/TRnS44UaJbKB/utUxbwAdgko1HvIENb7SRQMICpPQmz0Vj43fnnyYwU0IEwQt aAUK96s/4zGXXkDekfJUIJR5rbcGcmP34tXgPx6kpHzhCdIcCRmUMBX4l4ENfPfW PfFEyPa90Uy0vnPqeESLIOYj25b0MZ7VRHtwxyqfpsvCACcVBhGJ1Gzzmxjvg2yU X2zHmRgtpj5L9rSEjD7GaNFoKLMzLNYrGb+AVVQyMJpVQpuezMnfTeXRgqEHNQm7 Zrkbt57lQpJRw6MAlYmMvAhzisfF8XBOnlDWaNNeP+p3rBvFEWugMJZgZkSTbF4N oCxZYEQkMPVdOOR+0kPBw6TR6xv58Y1IivUU1BaIyjN0fK48usRg0GappzGUFmcj SFfcnpZdvUaMffOOyGYsB+Gwss1fsnyFzePwdKui5ITiKt780bUPQxO7TgROGsPa UXWi85e8xgP3HE2HxvxirTd603xf89L8xWmXcNk/TLsI1RSPxTpoFaqqr6e62gAR KhuC8ApUGQo= =iqBl -----END PGP SIGNATURE-----