Fedora has issued an advisory today (March 6): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/ The issues are fixed upstream in 1.8.30.
Status comment: (none) => Fixed upstream in 1.8.30
CC: (none) => nicolas.salguero
No registered nor evident maintainer for 'sudo', so assigning globally.
Assignee: bugsquad => pkg-bugs
CC: (none) => fri
Advisory: The sudo version provided by Mageia 7 is affected by some security issues. This update upgrades sudo to version 1.8.31p1 to fix those issues.
Reference: https://www.sudo.ws/legacy.html
rpms: sudo-1.8.31p1-1.1.mga7 sudo-devel-1.8.31p1-1.1.mga7
from: sudo-1.8.31p1-1.1.mga7
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.8.30 => (none)
CC: (none) => mageia
Advisory:
========================

Updated sudo packages fix security vulnerabilities:

It was found that sudo always allowed commands to be run with unknown user or group ids if the sudo configuration allowed it, for example via the "ALL" alias. This could allow sudo to impersonate a non-existent account and, depending on how applications are configured, could lead to certain restriction bypass. This is now explicitly disabled. A new setting called "allow_unknown_runas_id" was introduced in order to enable this (CVE-2019-19232).

When an account is disabled via the shadow file, by replacing the password hash with "!", it is not considered disabled by sudo. Depending on the configuration, sudo can be run by using such a disabled account (CVE-2019-19234).

The sudo package has been updated to version 1.8.31p1, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
https://www.sudo.ws/legacy.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/
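Added example (not part of the bug report or of sudo's own code): a simplified model of the runas policy the advisory above describes, so the two checks can be exercised offline. The passwd/shadow fragments and the sudoers Defaults line are constructed, and the resolution logic is an assumption that mirrors the advisory's wording, not sudo's actual implementation.

```python
# Simplified model of the two runas checks described in the advisory
# (CVE-2019-19232: unknown ids refused unless allow_unknown_runas_id is set;
# CVE-2019-19234: accounts locked with "!" in shadow treated as disabled).
# This is an illustrative model, not sudo's code. All data below is constructed.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
olduser:x:1001:1001::/home/olduser:/bin/bash
"""
SHADOW = """root:$6$saltsalt$fakehash:18600:0:99999:7:::
alice:$6$saltsalt$anotherfakehash:18600:0:99999:7:::
olduser:!:18600:0:99999:7:::
"""

def parse_passwd(text):
    """Map user name -> uid and uid -> user name from passwd-format lines."""
    by_name, by_uid = {}, {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, *_ = line.split(":")
            by_name[name] = int(uid)
            by_uid[int(uid)] = name
    return by_name, by_uid

def parse_shadow(text):
    """Map user name -> password hash field from shadow-format lines."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}

def allow_unknown_runas_id(sudoers_text):
    """True if a Defaults line enables the 1.8.30+ opt-in allow_unknown_runas_id."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if line.startswith("Defaults"):
            opts = [o.strip() for o in line[len("Defaults"):].split(",")]
            if "allow_unknown_runas_id" in opts:
                return True
    return False

def check_runas(target, passwd_text, shadow_text, sudoers_text):
    """Return (allowed, reason) for a requested runas user given as a name or '#uid'."""
    by_name, by_uid = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    if target.startswith("#"):
        name = by_uid.get(int(target[1:]))      # numeric id must map to a passwd entry
    else:
        name = target if target in by_name else None
    if name is None:
        if allow_unknown_runas_id(sudoers_text):
            return True, "unknown id permitted by allow_unknown_runas_id"
        return False, "unknown user id refused (CVE-2019-19232 hardening)"
    if shadow.get(name, "").startswith("!"):
        return False, "account locked in shadow, refused (CVE-2019-19234 hardening)"
    return True, "runas user %s resolved" % name
```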
Clean update and sudo still works. Did not test the vulnerability.
I don't use sudo myself, but I think that's enough, Morgan. Thanks. OKing and validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0246.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED