[SECURITY] [DLA 1964-1] sudo security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : sudo
Version : 1.8.10p3-1+deb8u6
CVE ID : CVE-2019-14287
Debian Bug : 942322
In sudo, a program that provides limited super user privileges to
specific users, an attacker with access to a Runas ALL sudoer account
can bypass certain policy blacklists and session PAM modules, and can
cause incorrect logging, by invoking sudo with a crafted user ID. For
example, this allows bypass of (ALL,!root) configuration for a
"sudo -u#-1" command.
See https://www.sudo.ws/alerts/minus_1_uid.html for further
information.
For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u6.
We recommend that you upgrade your sudo packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl2oyIcACgkQj/HLbo2J
BZ9ETwf8CfvaKN7fjL9nYMKFgWLqFY+/eh/HZ3NSszLb1cl9BdMObfSH53unOw7M
EtFIz1S+JhuXwlhium7L7pNj9UX8oJ/41j6kYpRDAlCt2+RTEt2vK7xK63Rn8dR/
6eE6ik/GxISG4YrzOY8m3e2rP3XXXn4K/7DIag+bUmnMpPbyOpXEJiVFCBusUzEC
Q6AKaxMNQYAi7p+zsW5N1BJ9FDC2jbQJLca7UnS1Xqb8fkb+zzk90P/CbBLoPXap
266fNU4BENBr5lPDQq979JqepW+CoRPoLiR29fzDL7Lt3ihgGvkJHMIwIF4+GKXW
fJlmq8BWuwYesU/qdznupqFCli5EUQ==
=2qw1
-----END PGP SIGNATURE-----
Reply to: