SCIENTIFIC-LINUX-ERRATA Archives

March 2014

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Pat Riehecky <[log in to unmask]>
Date: Mon, 10 Mar 2014 17:34:45 +0000
Synopsis:          Moderate: sudo security update
Advisory ID:       SLSA-2014:0266-1
Issue Date:        2014-03-10
CVE Numbers:       CVE-2014-0106
--

A flaw was found in the way sudo handled its blacklist of environment
variables. When the "env_reset" option was disabled, a user permitted to
run certain commands via sudo could use this flaw to run such a command
with one of the blacklisted environment variables set, allowing them to
run an arbitrary command with the target user's privileges.
(CVE-2014-0106)

Note: This issue does not affect the default configuration of the sudo
package as shipped with Scientific Linux 5.
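The exposure described above is a configuration choice, so a practitioner's first question is whether any host has turned env_reset off. The following POSIX shell check is an added example, not part of the advisory or of the sudo project: it scans sudoers text for a Defaults line that disables env_reset (including per-user Defaults:user forms, with the last matching line winning as in sudoers) and reports the result. The two sudoers fragments, the "ops" user and the httpd command are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sudoers fragments (not from the advisory or any real host).
# WEAK_SUDOERS turns env_reset off, the setting that exposes CVE-2014-0106;
# SAFE_SUDOERS keeps the shipped default, env_reset on.
WEAK_SUDOERS='Defaults    requiretty
Defaults    !env_reset
ops ALL=(root) /usr/sbin/service httpd restart'

SAFE_SUDOERS='Defaults    requiretty
Defaults    env_reset,env_keep="LANG LC_ALL"
ops ALL=(root) /usr/sbin/service httpd restart'

# env_reset_disabled TEXT
# Succeeds (exit 0) when the sudoers text leaves env_reset disabled.
# Only Defaults lines are inspected; comments and blank lines are skipped;
# commas are treated as separators so "env_reset,env_keep=..." is parsed;
# a later Defaults line overrides an earlier one, as sudoers does.
env_reset_disabled() {
    _text=$1
    _state=on
    while IFS= read -r _line; do
        case "$_line" in
            \#*|'') continue ;;
        esac
        _line=$(printf '%s' "$_line" | tr ',' ' ')
        set -- $_line
        case "$1" in
            Defaults|Defaults:*|Defaults@*|Defaults!*|'Defaults>'*) ;;
            *) continue ;;
        esac
        shift
        for _tok in "$@"; do
            case "$_tok" in
                '!env_reset') _state=off ;;
                env_reset)    _state=on ;;
            esac
        done
    done <<EOF
$_text
EOF
    [ "$_state" = off ]
}

# audit_sudoers_file PATH
# Wrapper for a real file, e.g. /etc/sudoers; same exit status semantics.
audit_sudoers_file() {
    env_reset_disabled "$(cat "$1")"
}

# Stand-alone demonstration on the constructed fragments.
for _name in WEAK_SUDOERS SAFE_SUDOERS; do
    eval "_cfg=\$$_name"
    if env_reset_disabled "$_cfg"; then
        echo "$_name: env_reset is DISABLED, host is exposed if sudo is unpatched"
    else
        echo "$_name: env_reset is enabled, default blacklist handling applies"
    fi
done
```

Run audit_sudoers_file against /etc/sudoers and any file it pulls in with #include, then confirm the package level with `rpm -q sudo` against the builds listed below. Running `sudo -V` as root prints the "Environment variables to remove" and "Environment variables to check" lists, which is the blacklist this update repairs.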
--

SL5
  x86_64
    sudo-1.7.2p1-29.el5_10.x86_64.rpm
    sudo-debuginfo-1.7.2p1-29.el5_10.x86_64.rpm
  i386
    sudo-1.7.2p1-29.el5_10.i386.rpm
    sudo-debuginfo-1.7.2p1-29.el5_10.i386.rpm

- Scientific Linux Development Team
