Synopsis: Important: sudo security update Issue date: 2010-02-26 CVE Names: CVE-2010-0426 CVE-2010-0427 CVE-2010-0426 sudo: sudoedit option can possibly allow for arbitrary code execution CVE-2010-0427 sudo: Fails to reset group permissions if runas_default set A privilege escalation flaw was found in the way sudo handled the sudoedit pseudo-command. If a local user were authorized by the sudoers file to use this pseudo-command, they could possibly leverage this flaw to execute arbitrary code with the privileges of the root user. (CVE-2010-0426) The sudo utility did not properly initialize supplementary groups when the "runas_default" option (in the sudoers file) was used. If a local user were authorized by the sudoers file to perform their sudo commands under the account specified with "runas_default", they would receive the root user's supplementary groups instead of those of the intended target user, giving them unintended privileges. (CVE-2010-0427) SL 5.x SRPMS: sudo-1.6.9p17-6.el5_4.src.rpm i386: sudo-1.6.9p17-6.el5_4.i386.rpm x86_64: sudo-1.6.9p17-6.el5_4.x86_64.rpm -Connie Sieh -Troy Dawson