Upstream has issued an advisory today (May 30):
Freeze push requested for Cauldron.
Red Hat, Debian, Ubuntu, and openSUSE have issued advisories for this:
Assigning to all packagers collectively, since there is no registered maintainer for this package.
*** Bug 21002 has been marked as a duplicate of this bug. ***
sudo 1.8.20p2 has been released, fixing a related issue:
The second reference notes that this does actually fix a different security issue. We may see a CVE for this soon.
CVE-2017-1000368 assigned for the issue fixed in 1.8.20p2:
sudo new security issue CVE-2017-1000367 => sudo new security issue CVE-2017-1000367 and CVE-2017-1000368
(In reply to David Walser from comment #5)
> CVE-2017-1000368 assigned for the issue fixed in 1.8.20p2:
Fedora has issued an advisory for this today (June 8):
Red Hat advisory for the second CVE from June 22:
Updated package uploaded for Mageia 5.
Updated sudo packages fix security vulnerability:
A flaw was found in the way sudo parsed tty information from the process
status file in the proc filesystem. A local user with privileges to execute
commands via sudo could use this flaw to escalate their privileges to root.
Updated packages in core/updates_testing:
No PoC that I could find. Just testing that sudo is working properly. On m5 x86_64
I use it in a script that runs "sudo /usr/sbin/fetchnews -n".
On i586, added myself to the wheel group (logged out/in), modified /etc/sudoers
to allow members of the wheel group to run all commands with a password ...
$ sudo /sbin/arping 192.168.10.11
For sudo, enter password for dave >
ARPING 192.168.10.11 from 192.168.10.117 enp0s3
Unicast reply from 192.168.10.11 [1C:AF:F7:D2:22:15] 0.860ms
MGA5-64-OK advisory MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.