
[SECURITY] [DLA 970-1] sudo security update

2017-05-30 23:41:12
lists.debian.org

CVSS3: 6.4 Medium
CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
(Attack Vector: Local; Attack Complexity: High; Privileges Required: High; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)

CVSS2: 6.9 Medium
AV:L/AC:M/Au:N/C:C/I:C/A:C
(Access Vector: Local; Access Complexity: Medium; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)

EPSS: 0.002 Low (percentile 58.0%)

Package : sudo
Version : 1.8.5p2-1+nmu3+deb7u3
CVE ID : CVE-2017-1000367
Debian Bug : 863731

The Qualys Security team discovered that sudo, a program designed to
provide limited super user privileges to specific users, does not
properly parse "/proc/[pid]/stat" to read the device number of the tty
from field 7 (tty_nr). A sudoers user can take advantage of this flaw on
an SELinux-enabled system to obtain full root privileges.

For Debian 7 "Wheezy", this problem has been fixed in version
1.8.5p2-1+nmu3+deb7u3.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u4.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
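The parsing problem the advisory describes, as an added illustration that is not sudo's own code: a /proc/[pid]/stat reader that skips past the last ')' of the comm field before counting to field 7 (tty_nr), beside a naive whitespace split that a process name containing a space throws off by one field. The sample stat lines are constructed, and the field numbering follows proc(5).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not sudo's code): read field 7 (tty_nr) of a /proc/[pid]/stat
 * line. Field 2 (comm) is printed in parentheses and may itself contain spaces
 * or parentheses, so a parser must first skip past the LAST ')' and only then
 * count space-separated fields (3 = state, 4 = ppid, 5 = pgrp, 6 = session,
 * 7 = tty_nr, per proc(5)). Returns -1 on malformed input. */
long tty_nr_robust(const char *stat)
{
    const char *p = strrchr(stat, ')');
    if (p == NULL)
        return -1;
    p++;                                        /* just past comm's closing ')' */
    for (int field = 3; field < 7; field++) {   /* skip fields 3..6 */
        while (*p == ' ') p++;
        if (*p == '\0') return -1;
        while (*p != ' ' && *p != '\0') p++;
    }
    while (*p == ' ') p++;
    char *end;
    long v = strtol(p, &end, 10);
    return (end == p) ? -1 : v;
}

/* Naive variant for comparison only: split the whole line on spaces and take
 * the 7th token. A comm containing a space shifts every later token by one,
 * so the value returned is no longer tty_nr. */
long tty_nr_naive(const char *stat)
{
    char buf[512];
    strncpy(buf, stat, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *tok = strtok(buf, " ");
    for (int field = 1; tok != NULL && field < 7; field++)
        tok = strtok(NULL, " ");
    return tok ? strtol(tok, NULL, 10) : -1;
}

int main(void)
{
    /* Constructed sample lines (tty_nr 34816 = dev 136:0); comm "a b" has a space. */
    const char *plain  = "1234 (bash) S 1 1234 1234 34816 1234 0";
    const char *spaced = "1234 (a b) S 1 1234 1234 34816 1234 0";
    printf("robust: %ld %ld\n", tty_nr_robust(plain), tty_nr_robust(spaced));
    printf("naive:  %ld %ld\n", tty_nr_naive(plain), tty_nr_naive(spaced));
    return 0;
}
```

On the spaced line the naive reader returns the session id (1234) where tty_nr (34816) was expected; the robust reader returns 34816 for both.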
