SUSE has issued an advisory on March 29: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014226.html The issues are fixed upstream in 1.9.13.
Status comment: (none) => Fixed upstream in 1.9.13
There's no registered maintainer for this package. Assigning to all packagers collectively.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Sudo before 1.9.13 does not escape control characters in log messages. (CVE-2023-28486)

Sudo before 1.9.13 does not escape control characters in sudoreplay output. (CVE-2023-28487)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28486
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28487
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014226.html
========================

Updated packages in core/updates_testing:
========================
sudo-1.9.5p2-2.3.mga8
sudo-devel-1.9.5p2-2.3.mga8

from SRPM:
sudo-1.9.5p2-2.3.mga8.src.rpm
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.9.13 => (none)
Status: NEW => ASSIGNED
Tested in a VirtualBox mga8-64 Plasma guest. I used the instructions on our wiki to set up sudo operation, then tried it out on a few harmless commands to make sure the configuration was good. Used qarepo to update, then tried a few more harmless commands, with no issues to report. Giving this an OK, and validating. Advisory in comment 2.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0133.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED