Fedora has issued an advisory today (March 6):
The issues are fixed upstream in 1.8.30.
No registered nor evident maintainer for 'sudo', so assigning globally.
The sudo version provided by Mageia 7 is affected by some security issues.
This update upgrades sudo to version 1.8.31p1 to fix those issues.
Updated sudo packages fix security vulnerabilities:
It was found that sudo always allowed commands to be run with unknown user or
group ids if the sudo configuration allowed it for example via the "ALL" alias.
This could allow sudo to impersonate a non-existent account and depending on how
applications are configured, could lead to certain restriction bypass. This is
now explicitly disabled. A new setting called "allow_unknown_runas_id" was
introduced in order to enable this (CVE-2019-19232).
When an account is disabled via the shadow file, by replacing the password hash
with "!", it is not considered disabled by sudo. And depending on the
configuration, sudo can be run by using such a disabled account (CVE-2019-19234).
The sudo package has been updated to version 1.8.31p1, fixing these issues and
Clean update and sudo still works. Did not test the vulnerability.
I don't use sudo myself, but I think that's enough, Morgan. Thanks.
OKing and validating. Advisory in Comment 3.
An update for this issue has been pushed to the Mageia Updates repository.
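
A small audit for the two conditions described in the advisory above, added here as an example; it is not part of the original bug report or of sudo. It reports sudoers lines that enable "allow_unknown_runas_id", that grant run-as "ALL", or that name an account locked with "!" in the shadow file. The function names and sample data are constructed, and the sudoers parsing is deliberately simplified (no aliases, includes or line continuations).

```python
import re

# Constructed sample inputs (not from the original page).
SAMPLE_SHADOW = """\
alice:$6$constructed$hash:18300:0:99999:7:::
olddev:!$6$constructed$hash:18100:0:99999:7:::
backup:!:18000:0:99999:7:::
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults allow_unknown_runas_id
alice   ALL=(ALL) ALL
olddev  ALL=(root) /usr/bin/systemctl
alice   ALL=(backup) /usr/bin/rsync
"""
# Simplified rule syntax (assumption): "user host = (runas_users[:groups]) commands".
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?")
UNKNOWN_ID = re.compile(r"(?<![!\w])allow_unknown_runas_id\b")

def locked_accounts(shadow_text):
    """Return account names whose shadow password field starts with '!'."""
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("!"):
            locked.add(fields[0])
    return locked

def audit_sudoers(sudoers_text, locked):
    """Return (line_number, finding) pairs for the conditions in the advisory."""
    findings = []
    for no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if UNKNOWN_ID.search(line):  # "!allow_unknown_runas_id" is not matched
                findings.append((no, "allow_unknown_runas_id enabled"))
            continue
        m = RULE.match(line)
        if not m or m.group(1).endswith("_Alias"):
            continue
        runas_users = [t for t in re.split(r"[,\s]+", (m.group(2) or "").split(":")[0]) if t]
        for name in [m.group(1)] + runas_users:
            if name in locked:
                findings.append((no, "locked account in rule: " + name))
        if "ALL" in runas_users:
            findings.append((no, "run-as ALL"))
    return findings
```

On a real system, pass the contents of the shadow file and of each sudoers file to these functions; reading the shadow file requires root.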