Debian Security Advisory
DLA-3181-1 sudo -- LTS security update
- Date Reported: 07 Nov 2022
- Affected Packages: sudo
- Security database references: In Mitre's CVE dictionary: CVE-2021-23239.
- More information:
It was discovered that there was an information disclosure vulnerability in sudo, a tool used to provide limited superuser privileges to specific users. A local unprivileged user may have been able to perform arbitrary directory-existence tests by exploiting a race condition in sudoedit.
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.
For Debian 10 Buster, this problem has been fixed in version 1.8.27-1+deb10u4.
We recommend that you upgrade your sudo packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS