Your message dated Mon, 04 Jan 2016 23:50:26 +0000
with message-id <[email protected]>
and subject line Bug#804149: fixed in sudo 1.8.15-1.1
has caused the Debian Bug report #804149,
regarding CVE-2015-5602: Unauthorized privilege escalation in sudoedit
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
804149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.7.4p4-2.squeeze.4
Severity: critical
Tags: upstream security
Justification: root security hole
Hi,
Apparently a security issue has been disclosed (CVE-2015-5602) allowing users
to open files with sudoedit that they are not supposed to, using symlinks,
see: https://www.exploit-db.com/exploits/37710/
Upstream has released a new fixed version by not following the symlinks
by default.
But according to this comment[0], this is not fixing the issue
completely.
Cheers,
Laurent Bigonville
[0] https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/comments/1
--- End Message ---
--- Begin Message ---
Source: sudo
Source-Version: 1.8.15-1.1
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 Jan 2016 23:36:50 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.15-1.1
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 804149
Changes:
sudo (1.8.15-1.1) unstable; urgency=medium
.
* Non-maintainer upload
* Disable editing of files via user-controllable symlinks
(Closes: #804149) (CVE-2015-5602)
- Fix directory writability checks for sudoedit
- Enable sudoedit directory writability checks by default
--- End Message ---
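As an added illustration of the "directory writability check" named in the changelog above (example code written for this page, not sudo's own implementation), the function below walks every component of the path to be edited and refuses when a component is a symbolic link or a directory the invoking user can write to. The `Entry` record, the sticky-bit exception and the `uid`/`gids` arguments are simplifying assumptions of this example.

```python
import os
import stat
from collections import namedtuple

# Minimal view of an lstat() result; a constructed record, not one of sudo's own types.
Entry = namedtuple("Entry", "path mode uid gid")

def writable_by(entry, uid, gids):
    """Can a user with this uid and supplementary group list write to the entry?"""
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)

def check_chain(entries, uid, gids):
    """Check a chain of lstat() entries from the root directory down to the
    target file (last element). Returns (ok, reason)."""
    target = entries[-1]
    for e in entries:
        if stat.S_ISLNK(e.mode):  # never follow a link anywhere in the path
            return False, "%s is a symbolic link" % e.path
    for d in entries[:-1]:
        if writable_by(d, uid, gids):
            # Assumption of this example: a sticky directory (e.g. /tmp, mode 1777)
            # only lets users rename or unlink their own files, so a file the
            # invoking user already owns is tolerated; anything else is refused.
            if d.mode & stat.S_ISVTX and target.uid == uid:
                continue
            return False, "%s is writable by uid %d" % (d.path, uid)
    return True, "ok"

def path_chain(path):
    """Collect lstat() entries for every prefix of an absolute path."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i]) for i in range(1, len(parts) + 1)]
    out = []
    for p in prefixes:
        st = os.lstat(p)
        out.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return out

def open_for_sudoedit(path, uid, gids):
    """Run the check, then open without following links and insist on a regular
    file, so a link swapped in after the check is not followed. A full
    implementation would walk the path with openat() on each opened directory."""
    ok, reason = check_chain(path_chain(path), uid, gids)
    if not ok:
        raise PermissionError(reason)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("%s is not a regular file" % path)
    return fd
```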