Debian alert DLA-1964-1 (sudo)

From:
             
 
Sylvain Beucler <beuc@beuc.net> 
To:
             
 
debian-lts-announce@lists.debian.org 
Subject:
             
 
[SECURITY] [DLA 1964-1] sudo security update 
Date:
             
 
Thu, 17 Oct 2019 22:14:20 +0200
Message-ID:
             
 
<20191017201420.jsi5kabultpfvxrm@mail.beuc.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : sudo
Version        : 1.8.10p3-1+deb8u6
CVE ID         : CVE-2019-14287
Debian Bug     : 942322


In sudo, a program that provides limited super user privileges to
specific users, an attacker with access to a Runas ALL sudoer account
can bypass certain policy blacklists and session PAM modules, and can
cause incorrect logging, by invoking sudo with a crafted user ID. For
example, this allows bypass of (ALL,!root) configuration for a
"sudo -u#-1" command.

See https://www.sudo.ws/alerts/minus_1_uid.html for further
information.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u6.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl2oyIcACgkQj/HLbo2J
BZ9ETwf8CfvaKN7fjL9nYMKFgWLqFY+/eh/HZ3NSszLb1cl9BdMObfSH53unOw7M
EtFIz1S+JhuXwlhium7L7pNj9UX8oJ/41j6kYpRDAlCt2+RTEt2vK7xK63Rn8dR/
6eE6ik/GxISG4YrzOY8m3e2rP3XXXn4K/7DIag+bUmnMpPbyOpXEJiVFCBusUzEC
Q6AKaxMNQYAi7p+zsW5N1BJ9FDC2jbQJLca7UnS1Xqb8fkb+zzk90P/CbBLoPXap
266fNU4BENBr5lPDQq979JqepW+CoRPoLiR29fzDL7Lt3ihgGvkJHMIwIF4+GKXW
fJlmq8BWuwYesU/qdznupqFCli5EUQ==
=2qw1
-----END PGP SIGNATURE-----