| Summary: | sudo new security issue CVE-2012-2337 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tmb, warrendiogenese |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | mga1-64-OK, mga1-32-OK, mga2-64-OK, mga2-32-OK | ||
| Source RPM: | sudo-1.8.0-5.mga1.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-05-17 21:17:16 CEST

Mandriva has issued an advisory for this today (May 21):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated sudo packages fix security vulnerabilities:

A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers (CVE-2012-2337).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://www.sudo.ws/sudo/alerts/netmask.html
http://www.ubuntu.com/usn/usn-1442-1/
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.0-6.mga1
sudo-devel-1.8.0-6.mga1
sudo-1.8.3p2-2.mga2
sudo-devel-1.8.3p2-2.mga2

from SRPMS:
sudo-1.8.0-6.mga1.src.rpm
sudo-1.8.3p2-2.mga2.src.rpm

Assignee: bugsquad => qa-bugs

It's working fine here, on i586 mga 1. I haven't tried to recreate the bug, as it's not clear to me how to configure sudo to recreate it, so I'm just testing that my normal usage of sudo is working. As both Mageia 1 and Mageia 2 updates are being included in one bug report (they're supposed to be split), validating the update will have to wait until Mageia 2 testing is also complete on both platforms.

CC: (none) => davidwhodgins
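The advisory quoted in the description concerns how sudo decides whether the local host lies inside a network entry (an address plus a netmask) from sudoers or LDAP. The Python below is an added illustration for administrators checking what their own network entries cover; it is not sudo's code and is not from this bug report. It implements the intended semantics, with the netmask applied to both the host address and the entry's own address before comparing, and adds a small lint that flags entries whose address part carries bits outside the mask (for example `192.168.7.9/24`), which is the kind of entry that only behaves as expected when the mask is applied to both sides. The entries and local addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_network(spec: str) -> IPNetwork:
    """Parse a sudoers-style network entry: 'addr/prefixlen' or 'addr/dotted-mask'.

    strict=False clears any host bits, so '192.168.7.9/24' yields 192.168.7.0/24:
    the netmask is applied to the entry itself, not only to the host being tested.
    """
    return ipaddress.ip_network(spec.strip(), strict=False)


def host_in_network(host: str, spec: str) -> bool:
    """True if `host` falls inside the network entry (both sides masked)."""
    addr = ipaddress.ip_address(host.strip())
    net = parse_network(spec)
    # An IPv4 host can never match an IPv6 entry or vice versa.
    return addr.version == net.version and addr in net


def has_host_bits(spec: str) -> bool:
    """Lint: the entry's address part has bits set outside its netmask.

    Such entries are worth rewriting as the canonical network address so that
    the intended network is unambiguous to anyone reading sudoers.
    """
    try:
        ipaddress.ip_network(spec.strip(), strict=True)
    except ValueError:
        return True
    return False


def audit(entries: List[str], local_addrs: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """For each entry, list which local addresses it matches; also return
    the entries that carry host bits."""
    matches: Dict[str, List[str]] = {}
    ambiguous: List[str] = []
    for spec in entries:
        if has_host_bits(spec):
            ambiguous.append(spec)
        matches[spec] = [a for a in local_addrs if host_in_network(a, spec)]
    return matches, ambiguous


# Constructed sample data (hypothetical networks and interface addresses).
SAMPLE_ENTRIES = [
    "10.1.2.0/24",                 # CIDR prefix
    "10.1.2.0/255.255.255.0",      # dotted-quad netmask, same network
    "172.16.0.0/255.255.0.0",      # /16 in netmask form
    "192.168.7.9/24",              # address with host bits set
    "2001:db8:10::/48",            # IPv6 entry
]
SAMPLE_LOCAL_ADDRS = [
    "10.1.2.7", "10.1.3.7", "172.16.40.2",
    "192.168.7.200", "192.168.8.1",
    "2001:db8:10::5", "2001:db8:11::5",
]

if __name__ == "__main__":
    found, flagged = audit(SAMPLE_ENTRIES, SAMPLE_LOCAL_ADDRS)
    for spec, hosts in found.items():
        print(f"{spec:28} -> {hosts or 'no local address matches'}")
    for spec in flagged:
        print(f"warning: {spec} has host bits set; canonical form is {parse_network(spec)}")
```

Run it against the real entries from a sudoers file and the addresses of the host being checked; any entry the lint flags is a candidate for rewriting before, rather than after, a reader has to guess which network it meant.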
claire robinson
2012-06-07 17:03:20 CEST

Whiteboard: (none) => mga1-64-OK, mga1-i586-OK

Works correctly here on mga 2 x86_64. Made a vain attempt at trying to reproduce the bug, but my network is far too simple.

CC: (none) => fcs

Validating the update. Could someone from the sysadmin team push the srpm sudo-1.8.0-6.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates, and the srpm sudo-1.8.3p2-2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:
Updated sudo packages fix security vulnerabilities:

A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers (CVE-2012-2337).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://www.sudo.ws/sudo/alerts/netmask.html
http://www.ubuntu.com/usn/usn-1442-1/
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079
https://bugs.mageia.org/show_bug.cgi?id=5960

CC: (none) => sysadmin-bugs
Dave Hodgins
2012-06-10 02:51:47 CEST

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0110

Status: NEW => RESOLVED