-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:175 http://www.mandriva.com/security/ _______________________________________________________________________ Package : sudo Date : September 12, 2010 Affected: 2009.1, 2010.0, 2010.1 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in sudo: Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a -u root sequence (CVE-2010-2956). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.1: 6e4430f6b046f94ff2c173643f523e0a 2009.1/i586/sudo-1.7.0-1.6mdv2009.1.i586.rpm 04e5f930cc56b1fdb103dde1db5ebabe 2009.1/SRPMS/sudo-1.7.0-1.6mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 2ce7c0c655973c03d8b8061db466ca71 2009.1/x86_64/sudo-1.7.0-1.6mdv2009.1.x86_64.rpm 04e5f930cc56b1fdb103dde1db5ebabe 2009.1/SRPMS/sudo-1.7.0-1.6mdv2009.1.src.rpm Mandriva Linux 2010.0: fadb28a5027cdae180c287cdc44ce9f7 2010.0/i586/sudo-1.7.2-0.p1.1.4mdv2010.0.i586.rpm cca6c09641101ea4f1fae32ec74c849f 2010.0/SRPMS/sudo-1.7.2-0.p1.1.4mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: e9771004f22b2fc377cf51694ddd5f30 2010.0/x86_64/sudo-1.7.2-0.p1.1.4mdv2010.0.x86_64.rpm cca6c09641101ea4f1fae32ec74c849f 2010.0/SRPMS/sudo-1.7.2-0.p1.1.4mdv2010.0.src.rpm Mandriva Linux 2010.1: 017af99d278ee67258ed8200ceb51f41 2010.1/i586/sudo-1.7.2-0.p7.1.1mdv2010.1.i586.rpm 05c18dedeb4a8e913c0c1566c459a55c 2010.1/SRPMS/sudo-1.7.2-0.p7.1.1mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: c1f8826bd6df14e9daf932c106e46f40 2010.1/x86_64/sudo-1.7.2-0.p7.1.1mdv2010.1.x86_64.rpm 05c18dedeb4a8e913c0c1566c459a55c 2010.1/SRPMS/sudo-1.7.2-0.p7.1.1mdv2010.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMjHz3mqjQ0CJFipgRAlbFAJ9adzlumJUZDm2g2p6KStO9g3t39gCg8hgX 1KTJpI1Tac+SZDJ0rp/9VPU= =ayfL -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/