Fedora has issued an advisory on July 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BLFXPDF67QZECU6EMPWYU4FGK6PNZ3M4/ It appears that they fixed it by upgrading to 1.8.17p1. The RedHat bug links some commits related to this: https://bugzilla.redhat.com/show_bug.cgi?id=1283635 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => makowski.mageia, marja11Assignee: bugsquad => pkg-bugs
Freeze push requested for Cauldron for 1.8.17p1. Also checked into Mageia 5 SVN. https://www.sudo.ws/stable.html
Updated packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated sudo packages fix security vulnerability: A vulnerability in functionality for adding support of SHA-2 digests along with the command was found. The sudoers plugin performs this digest verification while matching rules, and later independently calls execve() to execute the binary. This results in a race condition if the digest functionality is used as suggested (in fact, the rules are matched before the user is prompted for a password, so there is not negligible time frame to replace the binary from underneath sudo) (CVE-2015-8239). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8239 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BLFXPDF67QZECU6EMPWYU4FGK6PNZ3M4/ ======================== Updated packages in core/updates_testing: ======================== sudo-1.8.17p1-1.mga5 sudo-devel-1.8.17p1-1.mga5 from sudo-1.8.17p1-1.mga5.src.rpm
Version: Cauldron => 5Assignee: pkg-bugs => qa-bugsWhiteboard: MGA5TOO => (none)
Tested it on two servers at work, one Mageia 5 i586 and the other Mageia 5 x86_64. It still works fine.
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0261.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Another commit in this update: r1020459 | luigiwalser | 2016-06-06 12:41:06 -0400 (Mon, 06 Jun 2016) | 1 line remove INPUTRC from env_keep due to possible info leak (rhbz#1339935) fixed an issue that has just received a CVE request: http://www.openwall.com/lists/oss-security/2016/08/24/1
(In reply to David Walser from comment #6) > Another commit in this update: > r1020459 | luigiwalser | 2016-06-06 12:41:06 -0400 (Mon, 06 Jun 2016) | 1 > line > > remove INPUTRC from env_keep due to possible info leak (rhbz#1339935) > > fixed an issue that has just received a CVE request: > http://www.openwall.com/lists/oss-security/2016/08/24/1 This received CVE-2016-7091: http://openwall.com/lists/oss-security/2016/08/25/2
LWN reference for CVE-2016-7091: http://lwn.net/Vulnerabilities/705575/