From Mageia wiki

MGASA-2013-0078

Date: March 1st, 2013
Affected releases: 2
Media: Core


Description:
Updated sudo packages fix security vulnerabilities:

Marco Schoepl discovered that Sudo incorrectly handled time stamp files
when the system clock is set to epoch. A local attacker could use this
issue to run Sudo commands without a password prompt (CVE-2013-1775).

Sudo before 1.8.6p7 allows a malicious user to run commands via sudo
without authenticating, so long as there exists a terminal the user has
access to where a sudo command was successfully run by that same user
within the password timeout period (usually five minutes) (CVE-2013-1776).


Updated Packages:
i586:
sudo-1.8.3p2-2.1.mga2.i586.rpm
sudo-devel-1.8.3p2-2.1.mga2.i586.rpm
sudo-debug-1.8.3p2-2.1.mga2.i586.rpm

x86_64:
sudo-1.8.3p2-2.1.mga2.x86_64.rpm
sudo-devel-1.8.3p2-2.1.mga2.x86_64.rpm
sudo-debug-1.8.3p2-2.1.mga2.x86_64.rpm

SRPMS:
sudo-1.8.3p2-2.1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
http://www.sudo.ws/sudo/alerts/tty_tickets.html
http://www.ubuntu.com/usn/usn-1754-1/
https://bugs.mageia.org/show_bug.cgi?id=9207