Sudo has issued an advisory today (October 14):
https://www.sudo.ws/alerts/minus_1_uid.html

The issue is fixed upstream in 1.8.28:
https://www.sudo.ws/stable.html#1.8.28

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
'sudo' has no registered maintainer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Potential bypass of Runas user restrictions. (CVE-2019-14287)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
https://www.sudo.ws/alerts/minus_1_uid.html
https://www.sudo.ws/stable.html#1.8.28
========================

Updated packages in core/updates_testing:
========================
sudo-1.8.28-1.mga7
sudo-devel-1.8.28-1.mga7

from SRPMS:
sudo-1.8.28-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
CC: (none) => nicolas.salguero
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2019-14287
Status: NEW => ASSIGNED
Just testing it works on mga7 64bit: OK

[morgan@svarten ~]$ LC_ALL=C sudo --version
Sudo version 1.8.28
Sudoers policy plugin version 1.8.28
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.28
[morgan@svarten ~]$ sudo whoami
[sudo] lösenord för morgan:
root
CC: (none) => fri
CC: (none) => tmb, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0298.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED