[Git][security-tracker-team/security-tracker][master] Update tracking of CVE-2019-18634/sudo
Salvatore Bonaccorso
carnil at debian.org
Wed Feb 5 13:33:18 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7c35dad8 by Salvatore Bonaccorso at 2020-02-05T14:32:33+01:00
Update tracking of CVE-2019-18634/sudo
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -21166,16 +21166,18 @@ CVE-2019-18635 (An issue was discovered in Mooltipass Moolticute through v0.42.1
CVE-2019-18634 (In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users ...)
{DSA-4614-1 DLA-2094-1}
- sudo 1.8.31-1 (bug #950371)
- [buster] - sudo <no-dsa> (EOF handling introduced in 1.8.26 prevents exploitation of bug)
+ [buster] - sudo <no-dsa> (Minor issue; will be fixed in a point release)
NOTE: https://www.sudo.ws/alerts/pwfeedback.html
NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/6
NOTE: https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078 (master)
NOTE: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a (SUDO_1_8_31)
NOTE: The issue itself is fixed only in 1.8.31 but a change in the EOF handling
- NOTE: introduced in 1.8.26 prevents in itself the exploitation of the bug, cf.
+ NOTE: introduced in 1.8.26 mitigated exploitation of the bug in some cases:
NOTE: https://www.openwall.com/lists/oss-security/2020/01/31/1
NOTE: Change for "Print a warning for password read issues" in 1.8.26:
NOTE: https://github.com/sudo-project/sudo/commit/ab2cba0f5d8b286e8e52c06076efd32434f538ae (SUDO_1_8_26)
+ NOTE: The overflow is tough as well reachable when using a pty:
+ NOTE: https://www.openwall.com/lists/oss-security/2020/02/05/2
CVE-2019-18633 (European Commission eIDAS-Node Integration Package before 2.3.1 has Mi ...)
NOT-FOR-US: European Commission eIDAS-Node Integration Package
CVE-2019-18632 (European Commission eIDAS-Node Integration Package before 2.3.1 allows ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c35dad8f59499e0a60903cf194a28d6c46f8196
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c35dad8f59499e0a60903cf194a28d6c46f8196
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200205/57c353b1/attachment.html>
More information about the debian-security-tracker-commits
mailing list