sudo -- netmask vulnerability

Todd Miller reports:

Sudo supports granting access to commands on a per-host basis.
The host specification may be in the form of a host name, a
netgroup, an IP address, or an IP network (an IP address with an
associated netmask).
When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Depending on the value of the
uninitialized portion of the IPv6 address, it is possible for the
IPv4 network number to match when it should not. This bug only
affects IP network matching and does not affect simple IP address
matching.
The reported configuration that exhibited the bug was an
LDAP-based sudo installation where the sudoRole object contained
multiple sudoHost entries, each containing a different IPv4
network. File-based sudoers should be affected as well as the
same matching code is used.