[Git][security-tracker-team/security-tracker][master] Track sudo fixes via the new upstream version in unstable

Salvatore Bonaccorso carnil at debian.org
Sun Feb 2 07:31:54 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
854f3801 by Salvatore Bonaccorso at 2020-02-02T08:30:03+01:00
Track sudo fixes via the new upstream version in unstable

Furthermore demote the two disputed CVEs to unimportant. They are quite
far-fetched and upstream introduced in upstream 1.8.30 new configuration
options to handle those interpretations. In the case of CVE-2019-19234
actually only for the shell.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17198,19 +17198,16 @@ CVE-2019-19236
 CVE-2019-19235 (AsLdrSrv.exe in ASUS ATK Package before V1.0.0061 (for Windows 10 note ...)
 	NOT-FOR-US: ASUS
 CVE-2019-19234 (** DISPUTED ** In Sudo through 1.8.29, the fact that a user has been b ...)
-	- sudo <unfixed> (bug #947225)
-	[buster] - sudo <no-dsa> (Minor issue)
-	[stretch] - sudo <no-dsa> (Minor issue)
-	[jessie] - sudo <no-dsa> (Minor issue)
+	- sudo 1.8.31-1 (bug #947225; unimportant)
 	NOTE: https://www.sudo.ws/devel.html#1.8.30b2
+	NOTE: Sudo 1.8.30 adds an optional setting to check the shell of the target user
+	NOTE: additionally.
 CVE-2019-19233
 	RESERVED
 CVE-2019-19232 (** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Ru ...)
-	- sudo <unfixed> (bug #947225)
-	[buster] - sudo <no-dsa> (Minor issue)
-	[stretch] - sudo <no-dsa> (Minor issue)
-	[jessie] - sudo <no-dsa> (Minor issue)
+	- sudo 1.8.31-1 (bug #947225; unimportant)
 	NOTE: https://www.sudo.ws/devel.html#1.8.30b2
+	NOTE: Sudo 1.8.30 introduces an option to enable/disable the behavior.
 CVE-2019-19231 (An insecure file access vulnerability exists in CA Client Automation 1 ...)
 	NOT-FOR-US: CA Client Automation
 CVE-2019-19230 (An unsafe deserialization vulnerability exists in CA Release Automatio ...)
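Review bot: the NOTE for CVE-2019-19234 is split mid-sentence across two NOTE lines ("... check the shell of the target user" / "additionally."), which reads as two unrelated notes; fold it into a single line, e.g. `NOTE: Sudo 1.8.30 adds an optional setting to additionally check the shell of the target user`. Dropping the per-release <no-dsa> lines together with the change to unimportant is consistent for both entries, and keeping the devel.html#1.8.30b2 reference in each leaves the rationale traceable.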
@@ -20887,7 +20884,7 @@ CVE-2019-18635 (An issue was discovered in Mooltipass Moolticute through v0.42.1
 	NOT-FOR-US: Mooltipass Moolticute
 CVE-2019-18634 (In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users ...)
 	{DSA-4614-1}
-	- sudo <unfixed> (bug #950371)
+	- sudo 1.8.31-1 (bug #950371)
 	[buster] - sudo <no-dsa> (EOF handling introduced in 1.8.26 prevents exploitation of bug)
 	NOTE: https://www.sudo.ws/alerts/pwfeedback.html
 	NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/6
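Review bot: the [buster] line is left as <no-dsa> with the rationale that the EOF handling introduced in 1.8.26 prevents exploitation; if the buster version is genuinely not exploitable, consider whether <not-affected> with that same note would describe the state more precisely than <no-dsa>, especially since the {DSA-4614-1} reference shows a DSA was issued for this issue. Replacing <unfixed> with 1.8.31-1 here matches the other two sudo entries in this commit.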



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/854f3801e6eb89c640e02313ba7e4989af5a5b30




