[SECURITY] [DLA 1964-1] sudo security update

2019-10-1720:14:20

lists.debian.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.308 Low

EPSS

Percentile

96.9%

JSON

Package : sudo
Version : 1.8.10p3-1+deb8u6
CVE ID : CVE-2019-14287
Debian Bug : 942322

In sudo, a program that provides limited super user privileges to
specific users, an attacker with access to a Runas ALL sudoer account
can bypass certain policy blacklists and session PAM modules, and can
cause incorrect logging, by invoking sudo with a crafted user ID. For
example, this allows bypass of (ALL,!root) configuration for a
"sudo -u#-1" command.

See https://www.sudo.ws/alerts/minus_1_uid.html for further
information.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u6.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10armelsudo-ldap< 1.8.27-1+deb10u1sudo-ldap_1.8.27-1+deb10u1_armel.deb
Debian10amd64sudo-dbgsym< 1.8.27-1+deb10u1sudo-dbgsym_1.8.27-1+deb10u1_amd64.deb
Debian8armhfsudo< 1.8.10p3-1+deb8u6sudo_1.8.10p3-1+deb8u6_armhf.deb
Debian9s390xsudo-dbgsym< 1.8.19p1-2.1+deb9u1sudo-dbgsym_1.8.19p1-2.1+deb9u1_s390x.deb
Debian9amd64sudo-ldap-dbgsym< 1.8.19p1-2.1+deb9u1sudo-ldap-dbgsym_1.8.19p1-2.1+deb9u1_amd64.deb
Debian9arm64sudo< 1.8.19p1-2.1+deb9u1sudo_1.8.19p1-2.1+deb9u1_arm64.deb
Debian9s390xsudo< 1.8.19p1-2.1+deb9u1sudo_1.8.19p1-2.1+deb9u1_s390x.deb
Debian9mipselsudo-dbgsym< 1.8.19p1-2.1+deb9u1sudo-dbgsym_1.8.19p1-2.1+deb9u1_mipsel.deb
Debian9ppc64elsudo-ldap< 1.8.19p1-2.1+deb9u1sudo-ldap_1.8.19p1-2.1+deb9u1_ppc64el.deb
Debian10armhfsudo-ldap< 1.8.27-1+deb10u1sudo-ldap_1.8.27-1+deb10u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	armel	sudo-ldap	< 1.8.27-1+deb10u1	sudo-ldap_1.8.27-1+deb10u1_armel.deb
Debian	10	amd64	sudo-dbgsym	< 1.8.27-1+deb10u1	sudo-dbgsym_1.8.27-1+deb10u1_amd64.deb
Debian	8	armhf	sudo	< 1.8.10p3-1+deb8u6	sudo_1.8.10p3-1+deb8u6_armhf.deb
Debian	9	s390x	sudo-dbgsym	< 1.8.19p1-2.1+deb9u1	sudo-dbgsym_1.8.19p1-2.1+deb9u1_s390x.deb
Debian	9	amd64	sudo-ldap-dbgsym	< 1.8.19p1-2.1+deb9u1	sudo-ldap-dbgsym_1.8.19p1-2.1+deb9u1_amd64.deb
Debian	9	arm64	sudo	< 1.8.19p1-2.1+deb9u1	sudo_1.8.19p1-2.1+deb9u1_arm64.deb
Debian	9	s390x	sudo	< 1.8.19p1-2.1+deb9u1	sudo_1.8.19p1-2.1+deb9u1_s390x.deb
Debian	9	mipsel	sudo-dbgsym	< 1.8.19p1-2.1+deb9u1	sudo-dbgsym_1.8.19p1-2.1+deb9u1_mipsel.deb
Debian	9	ppc64el	sudo-ldap	< 1.8.19p1-2.1+deb9u1	sudo-ldap_1.8.19p1-2.1+deb9u1_ppc64el.deb
Debian	10	armhf	sudo-ldap	< 1.8.27-1+deb10u1	sudo-ldap_1.8.27-1+deb10u1_armhf.deb