Source: sudo
Version: 1.8.29-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for sudo, and addressed for both in 1.8.30b2[2].

CVE-2019-19232[0]:
| In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer
| account can impersonate a nonexistent user by invoking sudo with a
| numeric uid that is not associated with any user.

CVE-2019-19234[1]:
| In Sudo through 1.8.29, the fact that a user has been blocked (e.g.,
| by using the ! character in the shadow file instead of a password
| hash) is not considered, allowing an attacker (who has access to a
| Runas ALL sudoer account) to impersonate any blocked user.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232
[1] https://security-tracker.debian.org/tracker/CVE-2019-19234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234
[2] https://www.sudo.ws/devel.html#1.8.30b2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
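An added audit sketch, not part of the original report and not sudo's code: it lists the sudoers principals with a Runas ALL entry and classifies a run-as target against the two conditions the CVE descriptions name (a numeric uid with no passwd entry, and a blocked shadow entry). The function names, the simplified one-line sudoers parser (no aliases, includes or line continuations) and all sample data are assumptions constructed for illustration.

```python
import re

# Constructed sample data, not taken from any real system.
PASSWD = "root:x:0:0::/root:/bin/bash\nsvc_backup:x:1001:1001::/var/backups:/bin/sh\n"
SHADOW = "root:$6$constructed$hash:18200::::::\nsvc_backup:!:18200::::::\n"
SUDOERS = """\
# constructed sudoers fragment
alice  ALL=(ALL) ALL
bob    ALL=(root) /usr/bin/systemctl
%ops   ALL=(ALL:ALL) NOPASSWD: ALL
"""

# who  host = (runas_users[:runas_groups]) ...
USER_SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*\(([^)]*)\)")

def runas_all_principals(sudoers_text):
    """Users/groups whose Runas user list contains ALL (simplified parser)."""
    found = []
    for line in sudoers_text.splitlines():
        m = USER_SPEC.match(line.strip())
        if line.lstrip().startswith("#") or not m:
            continue
        runas_users = [u.strip() for u in m.group(2).split(":")[0].split(",")]
        if "ALL" in runas_users:
            found.append(m.group(1))
    return found

def classify_target(target, passwd_text, shadow_text):
    """Classify a run-as target: 'unknown-uid', 'unknown-user', 'locked' or 'ok'."""
    entries = [l.split(":") for l in passwd_text.splitlines() if l]
    if target.startswith("#"):                      # sudo's "#uid" syntax
        names = [e[0] for e in entries if e[2] == target[1:]]
        if not names:
            return "unknown-uid"                    # condition in CVE-2019-19232
        name = names[0]
    elif target in [e[0] for e in entries]:
        name = target
    else:
        return "unknown-user"
    pw = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    # The report mentions '!'; treating a leading '*' as blocked too is an assumption here.
    if pw.get(name, "").startswith(("!", "*")):
        return "locked"                             # condition in CVE-2019-19234
    return "ok"

if __name__ == "__main__":
    print(runas_all_principals(SUDOERS))
    for t in ("#4242", "svc_backup", "root"):
        print(t, classify_target(t, PASSWD, SHADOW))
```
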

