[SECURITY] [DLA 1011-1] sudo security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1011-1] sudo security update
From: Antoine Beaupré <anarcat@debian.org>
Date: Mon, 3 Jul 2017 11:30:21 -0400
Message-id: <[🔎] 20170703153021.luttrkccgcy4arrq@curie.anarc.at>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : sudo
Version        : 1.8.5p2-1+nmu3+deb7u4
CVE ID         : CVE-2017-1000368
Debian Bug     : 863897

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an
input validation (embedded newlines) in the get_process_ttyname()
function resulting in information disclosure and command execution.

The previous announcement (DLA-970-1) was about a similar security
issue (CVE-2017-1000367) which wasn't completely fixed.

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.5p2-1+nmu3+deb7u4.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 1012-1] puppet security update
Next by Date: [SECURITY] [DLA 1013-1] graphite2 security update
Previous by thread: [SECURITY] [DLA 1012-1] puppet security update
Next by thread: [SECURITY] [DLA 1013-1] graphite2 security update
Index(es):
- Date
- Thread