Login
Newsletter
Werbung

Sicherheit: Verbesserung der Sicherheit in sudo
Aktuelle Meldungen Distributionen
Name: Verbesserung der Sicherheit in sudo
ID: MDKSA-2006:159
Distribution: Mandriva
Plattformen: Mandriva Corporate 3.0, Mandriva Multi Network Firewall 2.0, Mandriva 2006.0
Datum: Fr, 1. September 2006, 02:46
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151
http://www.debian.org/security/2006/dsa-946
Applikationen: sudo

Originalnachricht

This is a multi-part message in MIME format...

------------=_1157071594-23892-397


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:159
http://www.mandriva.com/security/
_______________________________________________________________________

Package : sudo
Date : August 31, 2006
Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Previous sudo updates were made available to sanitize certain
environment variables from affecting a sudo call, such as
PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in
addressing those specific environment variables, other variables that
were not blacklisted were being made available.

Debian addressed this issue by forcing sudo to use a whitlist approach
in DSA-946-2 by arbitrarily making env_reset the default (as opposed
to having to be enabled in /etc/sudoers). Mandriva has opted to follow
the same approach so now only certain variables are, by default, made
available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
variables.

If other variables are required to be kept, this can be done by editing
/etc/sudoers and using the env_keep option, such as:

Defaults env_keep="FOO BAR"

As well, the Corporate 3 packages are now compiled with the SECURE_PATH
setting.

Updated packages are patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151
http://www.debian.org/security/2006/dsa-946
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
859526089cecbc00c11b0c76509f97b1
2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.i586.rpm
7dce7457a74d625018aee6690bcc35d7
2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
8ab6e95323473f6f1f72c255aa4453ae
x86_64/2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.x86_64.rpm
7dce7457a74d625018aee6690bcc35d7
x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm

Corporate 3.0:
df8964b76a758340a3a283147dce03d5
corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.i586.rpm
3d4fe9dd6e7f729266af98a318be1b48
corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

Corporate 3.0/X86_64:
f8b93aad21eb48289a537e586d3c58ae
x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.x86_64.rpm
3d4fe9dd6e7f729266af98a318be1b48
x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm

Multi Network Firewall 2.0:
57e770ca1e0d0bf487be6b1c4691926c
mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.5.M20mdk.i586.rpm
d5a3d6889677117b6d19f953794c4ef4
mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.5.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE91BPmqjQ0CJFipgRApIhAJ45el9y07+qaXr3/b0FyVwnpuonvQCgh4Vr
IxvcoSqmpZNHvZFSEGWu2/E=
=Oehv
-----END PGP SIGNATURE-----


------------=_1157071594-23892-397
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1157071594-23892-397--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung