sudo-1.8.6p3-12.AXS4

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.

Security issues fixed with this release:

• CVE-2013-1775
sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically-proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.

• CVE-2013-2776
udo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

• CVE-2013-2777
sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

Fixed bugs:

• sudo now supports netgroup filtering for sources from the SSSD. Previously, SSSD rules applied to all users, even those not part of the specified netgroup. They now only apply to users belonging to the specified netgroup.

• Previously, if both the soft (current) and hard (maximum) values of RLIMIT_NPROC were not limited, sudo would reset them to the parent's value of these limits. This has been fixed and RLIMIT_NPROC can now really be set to "unlimited".

• Restored the previous behaviour of sudo and the name of the user running the sudo command is now logged again, instead of "root".

• Fixed an error in a loop condition that sometimes triggered a buffer overflow.

Enhancements:

• sudo now sends debug messages about netgroup matching to the debug log.

• sudo now accepts the ipa_hostname value from the /etc/sssd/sssd.conf configuration file when matching netgroups.