Two problems in sudo
ID: | USN-2146-1 |
Distribution: | Ubuntu |
Platforms: | Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10 |
Date: | Thu, March 13, 2014, 17:03 |
References: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0106 |
Applications: | sudo |
Original message:
==========================================================================
Ubuntu Security Notice USN-2146-1
March 13, 2014

sudo vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Sudo.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

Sebastien Macke discovered that Sudo incorrectly handled blacklisted
environment variables when the env_reset option was disabled. A local
attacker could use this issue to possibly run unintended commands by using
blacklisted environment variables. In a default Ubuntu installation, the
env_reset option is enabled by default. This issue only affected Ubuntu
10.04 LTS and Ubuntu 12.04 LTS. (CVE-2014-0106)

It was discovered that the Sudo init script set a date in the past on
existing timestamp files instead of using epoch to invalidate them
completely. A local attacker could possibly modify the system time to
attempt to reuse timestamp files. This issue only applied to Ubuntu
12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10.
(LP: #1223297)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
  sudo                            1.8.6p3-0ubuntu3.1
  sudo-ldap                       1.8.6p3-0ubuntu3.1

Ubuntu 12.10:
  sudo                            1.8.5p2-1ubuntu1.2
  sudo-ldap                       1.8.5p2-1ubuntu1.2

Ubuntu 12.04 LTS:
  sudo                            1.8.3p1-1ubuntu3.6
  sudo-ldap                       1.8.3p1-1ubuntu3.6

Ubuntu 10.04 LTS:
  sudo                            1.7.2p1-1ubuntu5.7
  sudo-ldap                       1.7.2p1-1ubuntu5.7

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2146-1
  CVE-2014-0106, https://launchpad.net/bugs/1223297

Package Information:
  https://launchpad.net/ubuntu/+source/sudo/1.8.6p3-0ubuntu3.1
  https://launchpad.net/ubuntu/+source/sudo/1.8.5p2-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.6
  https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.7
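CVE-2014-0106 only matters where the env_reset option has been disabled, so a quick audit of the sudoers policy shows whether a host is exposed until the update is installed. The following is an added example, not part of the Ubuntu notice: the function names and the sample fragment are constructed for illustration, include directives are not followed, and an unset option is assumed to mean enabled, as the notice states for a default installation.

```python
import re

# "Defaults", optionally scoped (Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd)
DEFAULTS_RE = re.compile(r'^\s*Defaults([:@>!]\S+)?\s+(.*)$')
COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def logical_lines(text):
    """Yield (first_line_no, content): continuations joined, comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = re.sub(r'(^|\s)#.*$', '', buf + raw)
        if line.strip():
            yield start, line
        buf, start = "", None

def env_reset_settings(text):
    """Return [(line_no, scope, enabled)] for every env_reset setting found."""
    found = []
    for no, line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or "global"
        for setting in COMMA_OUTSIDE_QUOTES.split(m.group(2)):
            flag = re.fullmatch(r'(!?)\s*env_reset', setting.strip())
            if flag:
                found.append((no, scope, flag.group(1) != "!"))
    return found

def audit(text):
    """Effective global state (last global entry wins) plus scoped entries that disable it."""
    settings = env_reset_settings(text)
    global_on = True  # assumption: unset means enabled, as on a default Ubuntu install
    for _, scope, enabled in settings:
        if scope == "global":
            global_on = enabled
    scoped_off = [(no, scope) for no, scope, on in settings if scope != "global" and not on]
    return global_on, scoped_off

SAMPLE = r'''# constructed sudoers fragment, not taken from the advisory
Defaults        env_reset
Defaults        mail_badpass, \
                secure_path="/usr/sbin:/usr/bin"
#Defaults       !env_reset
Defaults:deploy !env_reset, !requiretty'''
print(audit(SAMPLE))  # (True, [(6, ':deploy')])
```

Run `audit` over the text of /etc/sudoers and of each file under /etc/sudoers.d; a `False` global state or any scoped entry in the second value means the blacklist handling fixed by this update is in play on that host.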