Operating System:

[Debian]

Published:

03 February 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0390
                           sudo security update
                              3 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sudo
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18634  

Reference:         ESB-2020.0387
                   ESB-2020.0351

Original Bulletin: 
   https://www.debian.org/security/2020/dsa-4614

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4614-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 01, 2020                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : sudo
CVE ID         : CVE-2019-18634
Debian Bug     : 950371

Joe Vennix discovered a stack-based buffer overflow vulnerability in
sudo, a program designed to provide limited super user privileges to
specific users, triggerable when configured with the "pwfeedback" option
enabled. An unprivileged user can take advantage of this flaw to obtain
full root privileges.

Details can be found in the upstream advisory at
https://www.sudo.ws/alerts/pwfeedback.html .

For the oldstable distribution (stretch), this problem has been fixed
in version 1.8.19p1-2.1+deb9u2.

For the stable distribution (buster), exploitation of the bug is
prevented due to a change in EOF handling introduced in 1.8.26.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl41cVhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QaKg//TnJPVomILAWCWCSHNUuzuH9c0tBli4KtTw+5QeFwcAeareJbleatZqJh
CHi9WI8Dl7nnE0V1mKOgE1pXhrV1WJQrMHidocDo7Aejiyn4EU31HxHsAYv+RvqN
E4nNRckP1PEoL9JpGHUMOI3O8mvB+2Nnds0ihy8P+WcZxlxVw+CQuK2omFBhdlwr
pgdfBq3khgz5mBx5pzdxIrs9fgJA5Txr+LaOHm06ZL9cP1FTcBK31t1RllKy4bjK
bg+igCLVTTqU/8Sydc65UM+rHgx4ljG7bCFWJ3GuRJeeXm1vavfjmCXh8x2ezd3K
EsB+FxHDdGpKqwi4bFqWUjijOqaElqAAu/q+xZYzzXZSfIynB5YNfL8tVuq4fsL3
MQdUU/0fZZD5RJW5B2uxppVoHZ15IhG2kRqZK4unCzCcwmXdgKTM+eA6wEp0ib7o
Ol3mAWIdUcYzDuKFZU1Ry+62Przm9NX0XXh86Hrigk1oEWcq0iusgGiPPgp4j0mF
JjTXAU2fdR5abzLCxkMDKiv+2UnU93/V+4JBLrTijWal2zl9DwD0i+OQVK9ZNxW1
mgj+n7D5iyDNF9ptkP3/0hiL1ITHpWhcbEBAYaNFLD1kv3brNGMNsZzpIXVC6NU9
2KK/2DNyetqnZkmNOt0JQ+G0JFyfouauXi1qr0qCc8PK/f5mLBQ=
=d97L
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjd3fWaOgq3Tt24GAQivDA//Xk8cyY6bcqjPukp+nID6cfuDvhe8eEhE
S7iVlYFaxobjpDGps3OOLVLfk72jTu2tlDCZzhzfYsY8S2H8eXRO6mBErp2pGGML
haovWqrluKhF4HVRbWW2oJ+TR46Jq8jmsNT5k3S6AgJYIOjXHrZEHB7PRMmAWFGJ
wj/TRnS44UaJbKB/utUxbwAdgko1HvIENb7SRQMICpPQmz0Vj43fnnyYwU0IEwQt
aAUK96s/4zGXXkDekfJUIJR5rbcGcmP34tXgPx6kpHzhCdIcCRmUMBX4l4ENfPfW
PfFEyPa90Uy0vnPqeESLIOYj25b0MZ7VRHtwxyqfpsvCACcVBhGJ1Gzzmxjvg2yU
X2zHmRgtpj5L9rSEjD7GaNFoKLMzLNYrGb+AVVQyMJpVQpuezMnfTeXRgqEHNQm7
Zrkbt57lQpJRw6MAlYmMvAhzisfF8XBOnlDWaNNeP+p3rBvFEWugMJZgZkSTbF4N
oCxZYEQkMPVdOOR+0kPBw6TR6xv58Y1IivUU1BaIyjN0fK48usRg0GappzGUFmcj
SFfcnpZdvUaMffOOyGYsB+Gwss1fsnyFzePwdKui5ITiKt780bUPQxO7TgROGsPa
UXWi85e8xgP3HE2HxvxirTd603xf89L8xWmXcNk/TLsI1RSPxTpoFaqqr6e62gAR
KhuC8ApUGQo=
=iqBl
-----END PGP SIGNATURE-----