[CLA-2001:381] Conectiva Linux Security Announcement - sudo

From: secure@CONECTIVA.COM.BR
Date: Mon Feb 26 2001 - 17:23:08 CET

  • Next message: Greg KH: "Immunix OS Security update for sudo"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : sudo
    SUMMARY : Local buffer overflow
    DATE : 2001-02-26 13:22:00
    ID : CLA-2001:381
    RELEVANT
    RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0

    - -------------------------------------------------------------------------

    DESCRIPTION
     "sudo" is a program used to delegate superuser privileges to ordinary
     users and only for specific commands.
     There is a buffer overflow vulnerability in sudo which could be used
     by an attacker to obtain higher privileges.

    SOLUTION
     All sudo users should upgrade the package.

     The problem was reported in sudo's bugzilla by chris@camcom.co.uk and
     the author, Todd C. Miller, released an updated version.

    DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.0/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.0/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.0es/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.0es/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.1/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.1/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.2/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.2/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-doc-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sudo-1.6.3p6-1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-1.6.3p6-1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-doc-1.6.3p6-1cl.i386.rpm

    ADDITIONAL INSTRUCTIONS
     Users of Conectiva Linux version 6.0 or higher may use apt to perform
     upgrades of RPM packages:
     - add the following line to /etc/apt/sources.list if it is not there yet
       (you may also use linuxconf to do this):

     rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

    (replace 6.0 with the correct version number if you are not running CL6.0)

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions reagarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6moLr42jd0JmAcZARAhuiAKCrdHgkz1fwbdCzWAkEKHdArPq2rACfbjh9
    2RgFXdUfUWLlZ3inkkl3ZO4=
    =GEu7
    -----END PGP SIGNATURE-----



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 22:41:30 CEST