AXSA:2020-308:05

Release date: Wednesday, September 9, 2020 - 03:37
Subject: sudo-1.8.29-5.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.

The following packages have been upgraded to a later upstream version: sudo (1.8.29).

Security Fix(es):

* sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user (CVE-2019-19232)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-19232
** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.
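As an added defender-side check (example code, not part of this advisory or of the sudo project), the POSIX shell below audits sudoers text for the precondition the CVE names, rules whose Runas list is ALL, and for the `runas_allow_unknown_ids` Defaults flag, which is the option sudo 1.8.30 added (the flag name is not given on this page and is taken from sudo's own documentation). The sudoers content is constructed sample data.

```sh
#!/bin/sh
# Constructed sudoers sample for the demo (not from the advisory or any real host).
SAMPLE_SUDOERS="$(cat <<'EOF'
# constructed test data
Defaults    env_reset
Defaults    runas_allow_unknown_ids
root        ALL=(ALL) ALL
deploy      ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
%ops        ALL=(ALL:ALL) NOPASSWD: /usr/bin/journalctl
EOF
)"

# Strip comment lines so '#' text cannot produce false matches.
strip_comments() { printf '%s\n' "$1" | grep -v '^[[:space:]]*#'; }

# Print the rules whose Runas list is ALL, e.g. "(ALL)" or "(ALL:ALL)":
# these are the accounts CVE-2019-19232 requires an attacker to hold.
runas_all_rules() { strip_comments "$1" | grep -E '=\(ALL(:[^)]*)?\)' || :; }

# Count them (prints 0 when there are none).
count_runas_all() { runas_all_rules "$1" | grep -c . || :; }

# Exit 0 when a Defaults line enables runas_allow_unknown_ids (the sudo 1.8.30
# option; a leading '!' disables it and is deliberately not matched), else 1.
unknown_ids_enabled() {
    strip_comments "$1" | grep -E '^[[:space:]]*Defaults' \
      | grep -qE '(^|[[:space:],])runas_allow_unknown_ids([[:space:],]|$)'
}

# Report: list Runas ALL rules for review; exit 0 only when unknown ids stay disabled.
audit_text() {
    n=$(count_runas_all "$1")
    echo "Runas ALL rules: $n"
    runas_all_rules "$1" | sed 's/^/  /'
    if unknown_ids_enabled "$1"; then
        echo "runas_allow_unknown_ids is ENABLED: numeric uids absent from passwd are accepted"
        return 1
    fi
    echo "runas_allow_unknown_ids not enabled (the sudo 1.8.30 default)"
    return 0
}

# Audit a real file, e.g. audit_file /etc/sudoers (reading it needs root).
audit_file() { audit_text "$(cat "$1")"; }

audit_text "$SAMPLE_SUDOERS" || :
```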

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. sudo-1.8.29-5.el8.src.rpm
    MD5: 969559bfb29da9130bcaf4ad3bcd4661
    SHA-256: 88e299eb07b82a0067c01407ae0470f21acae4259232c98b4db79bc9bca9e482
    Size: 3.24 MB

Asianux Server 8 for x86_64
  1. sudo-1.8.29-5.el8.x86_64.rpm
    MD5: 28dc97125279352eaeee7a4672179b8e
    SHA-256: 917a85d6c65dbc0c147419736e8de5e44c9facba2efe63755d5ca0fb1f6d1f8f
    Size: 925.85 kB