[Git][security-tracker-team/security-tracker][master] Update tracking of CVE-2019-18634/sudo

Wed, 05 Feb 2020 05:33:28 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7c35dad8 by Salvatore Bonaccorso at 2020-02-05T14:32:33+01:00
Update tracking of CVE-2019-18634/sudo

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -21166,16 +21166,18 @@ CVE-2019-18635 (An issue was discovered in Mooltipass 
Moolticute through v0.42.1
 CVE-2019-18634 (In Sudo before 1.8.26, if pwfeedback is enabled in 
/etc/sudoers, users ...)
        {DSA-4614-1 DLA-2094-1}
        - sudo 1.8.31-1 (bug #950371)
-       [buster] - sudo <no-dsa> (EOF handling introduced in 1.8.26 prevents 
exploitation of bug)
+       [buster] - sudo <no-dsa> (Minor issue; will be fixed in a point release)
        NOTE: https://www.sudo.ws/alerts/pwfeedback.html
        NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/6
        NOTE: 
https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078
 (master)
        NOTE: 
https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a
 (SUDO_1_8_31)
        NOTE: The issue itself is fixed only in 1.8.31 but a change in the EOF 
handling
-       NOTE: introduced in 1.8.26 prevents in itself the exploitation of the 
bug, cf.
+       NOTE: introduced in 1.8.26 mitigated exploitation of the bug in some 
cases:
        NOTE: https://www.openwall.com/lists/oss-security/2020/01/31/1
        NOTE: Change for "Print a warning for password read issues" in 1.8.26:
        NOTE: 
https://github.com/sudo-project/sudo/commit/ab2cba0f5d8b286e8e52c06076efd32434f538ae
 (SUDO_1_8_26)
+       NOTE: The overflow is tough as well reachable when using a pty:
+       NOTE: https://www.openwall.com/lists/oss-security/2020/02/05/2
 CVE-2019-18633 (European Commission eIDAS-Node Integration Package before 
2.3.1 has Mi ...)
        NOT-FOR-US: European Commission eIDAS-Node Integration Package
 CVE-2019-18632 (European Commission eIDAS-Node Integration Package before 
2.3.1 allows ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c35dad8f59499e0a60903cf194a28d6c46f8196

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c35dad8f59499e0a60903cf194a28d6c46f8196
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to