MGASA-2012-0110-2
Date: June 10th, 2012
Affected releases: 1, 2
Description:
Updated sudo packages fix security vulnerabilities:
A flaw exists in the IP network matching code in sudo versions 1.6.9p3
through 1.8.4p4 that may result in the local host being matched
even though it is not actually part of the network described by the
IP address and associated netmask listed in the sudoers file or in
LDAP. As a result, users authorized to run commands on certain IP
networks may be able to run commands on hosts that belong to other
networks not explicitly listed in sudoers (CVE-2012-2337).
UPDATE:
This advisory is updated to correct text errors that incorrectly
listed the updated packages as affected ones.
Updated Packages:
Mageia 1:
sudo-1.8.0-6.mga1
sudo-devel-1.8.0-6.mga1
Mageia 2:
sudo-1.8.3p2-2.mga2
sudo-devel-1.8.3p2-2.mga2
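An added example, not part of the advisory or of sudo: a Python triage helper that classifies a Mageia sudo package string against the affected range and fixed builds listed above, and lists IPv4 network entries (address with netmask) in host positions of sudoers text, since those are the entries the flaw concerns. The function names, status strings and sample sudoers fragment are constructed for illustration. Only the first host list of a user specification is inspected, and IPv6 networks are not covered.

```python
import re

# Values copied from the advisory; names and structure are illustrative.
AFFECTED = ("1.6.9p3", "1.8.4p4")                       # upstream range, inclusive
FIXED = {"mga1": ("1.8.0", 6), "mga2": ("1.8.3p2", 2)}  # dist -> (version, release)
NET = re.compile(r"(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}/(?:\d{1,3}(?:\.\d{1,3}){3}|\d{1,2})(?![\w.])")

def vkey(version):
    """Map a sudo version such as '1.8.3p2' to a comparable tuple (1, 8, 3, 2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def package_status(nvr):
    """Classify a package string such as 'sudo-1.8.3p2-2.mga2'."""
    m = re.fullmatch(r"sudo(?:-devel)?-([^-]+)-(\d+)(?:\.\d+)?\.(mga\d+)(?:\.\w+)?", nvr)
    if not m:
        raise ValueError(f"unrecognised package string: {nvr!r}")
    version, release, dist = m.group(1), int(m.group(2)), m.group(3)
    if not vkey(AFFECTED[0]) <= vkey(version) <= vkey(AFFECTED[1]):
        return "outside affected range"
    fixed_version, fixed_release = FIXED.get(dist, (None, None))
    # The fixed builds keep an upstream version inside the affected range, so
    # the release number separates them (assumes later releases keep the patch).
    if version == fixed_version and release >= fixed_release:
        return "fixed build"
    return "affected"

def network_host_specs(sudoers_text):
    """Return IPv4 networks (CIDR or dotted netmask) found in host positions."""
    found = []
    for line in re.sub(r"\\\n", " ", sudoers_text).splitlines():  # join continuations
        line = re.sub(r"(^|\s)#(?!\d).*", "", line).strip()       # drop comments, keep #uid
        if "=" in line:
            left, right = line.split("=", 1)
            # Host_Alias lists hosts after '='; a user spec names its host before it.
            found += NET.findall(right if left.startswith("Host_Alias") else left)
    return found

# Constructed sudoers fragment for demonstration.
SAMPLE = """\
Host_Alias LAB = 10.1.0.0/16, \\
                 192.168.5.0/255.255.255.0
bob    172.16.4.0/22 = /sbin/ip route add 10.9.0.0/24 dev eth0
carol  ALL = ALL   # was 10.2.0.0/16
"""

print(package_status("sudo-1.8.3p2-2.mga2"), network_host_specs(SAMPLE))
```

A host reporting "affected" together with a non-empty network list is the combination the advisory describes; the network inside bob's command arguments and the one in carol's comment are deliberately not reported.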
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://www.sudo.ws/sudo/alerts/netmask.html
http://www.ubuntu.com/usn/usn-1442-1/
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:079
https://bugs.mageia.org/show_bug.cgi?id=5960