Source: sudo
Version: 1.9.17p2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

As explained in https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt a fail-open situation in sudo could be exploited for an LPE, when the setuid capability was denied for sudo via a loaded new AppArmor profile, preventing sudo from dropping its root privileges before executing /usr/sbin/sendmail.

As this uncovered this bug in sudo as well, filing this bug for tracking the issue.

Upstream fix: https://github.com/sudo-project/sudo/commit/3e474c2

Regards,
Salvatore
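
The fail-closed pattern for the situation the report describes, as an added example (not sudo's code and not the upstream commit): a privileged program refuses to start its helper unless the privilege drop both succeeded and is verified. The `priv_ops` indirection, the `sim_*` stand-ins and the uid/gid value 1000 are hypothetical, constructed so the denied case can be exercised without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical indirection so the denied case can be simulated without root.
 * In production these would point at setgid(2), setuid(2) and geteuid(2). */
struct priv_ops {
    int (*set_gid)(gid_t); int (*set_uid)(uid_t); uid_t (*get_euid)(void);
};

/* Fail-closed drop: 0 only if every call succeeded and the effective uid
 * really is the target afterwards. */
int drop_privileges(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0)   /* group first, while still privileged */
        return -1;
    if (ops->set_uid(uid) != 0)   /* fails with EPERM when setuid is denied */
        return -1;
    if (ops->get_euid() != uid)   /* verify the result, not just the return */
        return -1;
    return 0;
}

/* Runs the helper only after a verified drop; otherwise refuses to run it. */
int run_helper(const struct priv_ops *ops, uid_t uid, gid_t gid, int (*helper)(void))
{
    if (drop_privileges(ops, uid, gid) != 0) {
        fprintf(stderr, "unable to drop privileges, helper not started\n");
        return -1;
    }
    return helper();
}

/* Constructed stand-ins: a confined process and an unconfined one. */
static uid_t sim_euid;
static int helper_runs;
static int sim_setgid(gid_t g) { (void)g; return 0; }
static int sim_setuid_denied(uid_t u) { (void)u; errno = EPERM; return -1; }
static int sim_setuid_ok(uid_t u) { sim_euid = u; return 0; }
static uid_t sim_geteuid(void) { return sim_euid; }
static int sim_helper(void) { helper_runs++; return 0; }
static const struct priv_ops confined = { sim_setgid, sim_setuid_denied, sim_geteuid };
static const struct priv_ops unconfined = { sim_setgid, sim_setuid_ok, sim_geteuid };
int main(void)
{
    int denied = run_helper(&confined, 1000, 1000, sim_helper);
    int ok = run_helper(&unconfined, 1000, 1000, sim_helper);
    return (denied == -1 && ok == 0 && helper_runs == 1) ? 0 : 1;
}
```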

