Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0355
sudo security update
11 March 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: sudo
Publisher: Debian
Operating System: Debian GNU/Linux 6
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Root Compromise -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1776 CVE-2013-1775
Original Bulletin:
http://www.debian.org/security/2013/dsa-2642
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running sudo check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2642-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
March 09, 2013 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : sudo
Vulnerability : several issues
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-1775 CVE-2013-1776
Debian Bug : 701838 701839
Several vulnerabilities have been discovered in sudo, a program designed
to allow a sysadmin to give limited root privileges to users. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2013-1775
Marco Schoepl discovered an authentication bypass when the clock is
set to the UNIX epoch [00:00:00 UTC on 1 January 1970].
CVE-2013-1776
Ryan Castellucci and James Ogden discovered aspects of an issue that
would allow session id hijacking from another authorized tty.
For the stable distribution (squeeze), these problems have been fixed in
version 1.7.4p4-2.squeeze.4.
For the testing (wheezy) and unstable (sid) distributions, these problems
have been fixed in version 1.8.5p2-1+nmu1.
We recommend that you upgrade your sudo packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJROvQlAAoJEFb2GnlAHawEXIcH/0cASxNsRL3Y9on8brvEnpah
0B9qQ1NY9pzEQLzdQjQ/rJpzb/wK46Cx3aI6XpTxy9AbDNiQPgjxujbcQDtNNWQU
OYsQl0O77qhPs42v2TAGEnNoVtrsdiWNSIAwV4YOz3H/gc/Q8z3awpsvx8DjT+Q3
mO23mQ1ukHivwfPam5l4FegCGM4sZhZjetiRb9zjVKtpDvZpD1SEUfGU+sb/CZ8s
622vJ7zGBGF1tbeY2ff2JPG7t7QWXx4KDNLup9yA4CqZzUYZEX6k8j7ATS8VvZQk
XhSiWDldVYgeO/uZlO1jRSZLB0XCJLp9UEqNxBxwKyjPVl5kIORzC1hljpJKeHY=
=Czjn
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUT02LO4yVqjM2NGpAQJo9g//RlYDksXPnHrw5DPcG9lmkfW+JILVY1UP
JyCAFVbRAFMUTgBhIdL9kyQtKY1g2HvwiqQZOek3OgOjeAZpaTQbDbTkH8whDiXO
kAMQF1PwGIITvaTWOaFsO4yY2fDpYppHLhNKzPYeXcQw/NsWmBgqzNKtsekDCqDb
B36j2yQRl0a0ZtA1WysRr0t5bSV9bRoFYlKwhhh2hAjHR2qpXBEA85Xby0efpW+L
e/yuFjuVuM5uosoNyWjjcXZhiCMxa7ao8WbqRuaiHUa3a44b6JMexn8xIdOO/ftr
X3gFHuSywPf9uC9CQ+WeZg3QDOZyAh6j5fp7m4nV+Gu0QVY0BNsqwMzq4nQvuEyS
IVEfSVM7po09iVi6z3JbbdU1uKbTVtsUWeLP20/wRgPnYcWvFwtLhAiErmDfg9aA
eNhrpiJraXz4+7CYxJmbwuBT5JU8A6MLrPFv/ZKNOkhSN2hOW0yk24guKkmhwsps
RvxYeS+pFVjQqRa5Yk8lAsP8pEjIP2holeLazBDZ5DN0TFPP966JSeH3GnR1+sMX
oLIOW0r1FESfmSd3yqLufun2u7YF3MpltAjfwumKn3EMkhSesjM+vFz/IJEyFEL8
rOlxu7ft87aLcDHlZkFJszGdT3sfFwajsAbELXcUy2jkR7vPY4aYsMsymhzVqAm6
hETJ6jLCHTs=
=T75n
-----END PGP SIGNATURE-----