===========================================================================
AUSCERT Security Bulletin

ASB-2012.0015
A vulnerability exists which can lead to a crash or privilege elevation
1 February 2012
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              sudo
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Root Compromise   -- Existing Account
                      Denial of Service -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-0809
Member content until: Friday, March 2 2012

OVERVIEW

        A standard format string vulnerability exists in sudo versions
        1.8.0 through to 1.8.3p1, which can be used to crash sudo or allow
        privilege elevation.

IMPACT

        Vulnerability description provided by the vendor:

        "Successful exploitation of the bug will allow a user to run
        arbitrary commands as root. Exploitation of the bug does not
        require that the attacker be listed in the sudoers file. As such,
        we strongly suggest that affected sites upgrade from affected sudo
        versions as soon as possible."[1]

MITIGATION

        Upgrade sudo to version 1.8.3p2.

REFERENCES

        [1] Sudo format string vulnerability
            http://www.sudo.ws/sudo/alerts/sudo_debug.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
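A host check for the affected range stated in the bulletin, as an added example that is not part of the AusCERT bulletin or the sudo project's own code. The function names are made up for this example, the sample versions are constructed, and it assumes version strings of the form MAJOR.MINOR.PATCH[pN] as printed on the first line of `sudo -V`.

```shell
#!/bin/sh
# Added example: classify sudo version strings against the range in
# ASB-2012.0015 (affected: 1.8.0 through 1.8.3p1; fixed: 1.8.3p2).

# Turn "MAJOR.MINOR.PATCH[pN]" into a sortable integer key.
# Returns 1 for anything else (betas, release candidates, empty input).
sudo_version_key() {
    case "$1" in ''|*[!0-9.p]*) return 1 ;; esac
    base=${1%%p*}
    plevel=0
    case "$1" in *p*) plevel=${1#*p} ;; esac
    old_ifs=$IFS; IFS=.
    set -- $base
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for part in "$1" "$2" "$3" "$plevel"; do
        # Reject empty, non-numeric, zero-prefixed or over-long fields.
        case "$part" in ''|*[!0-9]*|0[0-9]*|????*) return 1 ;; esac
    done
    printf '%d%03d%03d%03d\n' "$1" "$2" "$3" "$plevel"
}

# Exit status: 0 = inside the affected range, 1 = outside, 2 = unparseable.
sudo_affected() {
    key=$(sudo_version_key "$1") || return 2
    [ "$key" -ge 1008000000 ] && [ "$key" -le 1008003001 ]
}

# Version of the sudo on PATH, taken from the first line of `sudo -V`.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Constructed sample versions, followed by the local one if sudo is present.
for v in 1.7.4p4 1.8.0 1.8.3p1 1.8.3p2 1.8.4 1.8.0b3 $(installed_sudo_version); do
    rc=0
    sudo_affected "$v" || rc=$?
    case $rc in
        0) echo "$v: in affected range, upgrade to 1.8.3p2" ;;
        1) echo "$v: outside affected range" ;;
        *) echo "$v: not parsed, check manually" ;;
    esac
done
```

Distribution packages can carry a backported fix without changing the upstream version string, so an in-range result is a prompt to check the package vendor's advisory rather than proof that the host is vulnerable.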