sudo: CVE-2015-8239: Race condition when checking digests in sudoers

Related Vulnerabilities: CVE-2015-8239  

Debian Bug report logs - #805563


Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 19 Nov 2015 14:51:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version sudo/1.8.7-1

Fixed in version sudo/1.8.17p1-1

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#805563; Package src:sudo. (Thu, 19 Nov 2015 14:51:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bdale Garbee <bdale@gag.com>. (Thu, 19 Nov 2015 14:51:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo: CVE-2015-8239: Race condition when checking digests in sudoers
Date: Thu, 19 Nov 2015 15:47:53 +0100
Source: sudo
Version: 1.8.7-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for sudo, no upstream fix
available TTBOMK at the time of writing.

CVE-2015-8239[0]:
race condition checking digests/checksums in sudoers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8239
[1] http://www.openwall.com/lists/oss-security/2015/11/10/2

Regards,
Salvatore
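
The report above names the bug class only in one line: a race condition when sudoers verifies a command's digest. The following C program is an added illustration (not sudo's code, and not taken from the report or the upstream fix) of the time-of-check/time-of-use window behind that class: a verifier that hashes the file found at a path and then lets the caller execute the path again can be handed a different file in between, whereas a verifier that hashes the bytes behind an open file descriptor and returns that descriptor for fexecve(2) cannot. Assumptions: the checksum is FNV-1a, a constructed stand-in for the SHA-2 digests sudoers supports; the `verify_by_path`, `verify_and_open` and `demo` names are hypothetical; `demo` simulates the swap with rename(2) and stops short of executing anything so the outcome can be checked.

```c
/* Added example, not sudo's code. Demonstrates why a sudoers-style digest
 * check must verify the same open file that is later executed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* FNV-1a 64-bit: a constructed stand-in for SHA-256; the race does not
 * depend on which hash is used. */
#define FNV_BASIS 0xcbf29ce484222325ULL
#define FNV_PRIME 0x100000001b3ULL

static uint64_t fnv1a(const unsigned char *buf, size_t len) {
    uint64_t h = FNV_BASIS;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= FNV_PRIME; }
    return h;
}

/* Hash everything reachable through fd, rewinding first. */
static int digest_fd(int fd, uint64_t *out) {
    unsigned char buf[4096];
    uint64_t h = FNV_BASIS;
    ssize_t n;
    if (lseek(fd, 0, SEEK_SET) == -1) return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++) { h ^= buf[i]; h *= FNV_PRIME; }
    if (n < 0) return -1;
    *out = h;
    return 0;
}

/* Racy pattern (hypothetical): check the digest of whatever is at path now,
 * then let the caller execv(path) later. The check and the use name the
 * path twice, so they need not refer to the same file. */
static int verify_by_path(const char *path, uint64_t expected) {
    uint64_t got;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = (digest_fd(fd, &got) == 0 && got == expected) ? 0 : -1;
    close(fd);
    return rc;
}

/* Race-free pattern (hypothetical): open once, verify the bytes behind the
 * descriptor, and return that descriptor so the caller runs it with
 * fexecve(2). Replacing the path afterwards does not change this inode. */
static int verify_and_open(const char *path, uint64_t expected) {
    uint64_t got;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (digest_fd(fd, &got) != 0 || got != expected) { close(fd); return -1; }
    return fd;
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    size_t len = strlen(text);
    ssize_t n = write(fd, text, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Constructed scenario: both verifiers approve a trusted file, the path is
 * then swapped (the window the report describes), and we compare what
 * execv(path) would now run with what fexecve(fd) would run.
 * Returns 1 when the fd still holds the verified bytes while the path no
 * longer does; 0 on any setup failure. */
static int demo(void) {
    char dir[] = "/tmp/digest-race-XXXXXX", path[256], swap[256];
    const char trusted[] = "#!/bin/sh\necho trusted\n";
    const char other[]   = "#!/bin/sh\necho other\n";
    uint64_t expected = fnv1a((const unsigned char *)trusted, strlen(trusted));
    uint64_t at_path, at_fd;

    if (!mkdtemp(dir)) return 0;
    snprintf(path, sizeof path, "%s/cmd", dir);
    snprintf(swap, sizeof swap, "%s/cmd.new", dir);
    if (write_file(path, trusted) != 0) return 0;

    int ok_path = verify_by_path(path, expected);      /* approves path */
    int fd = verify_and_open(path, expected);          /* approves inode */
    if (ok_path != 0 || fd < 0) return 0;

    /* The race window: a different file is renamed over the checked path. */
    if (write_file(swap, other) != 0 || rename(swap, path) != 0) return 0;

    int fd2 = open(path, O_RDONLY);                    /* what execv would use */
    if (fd2 < 0 || digest_fd(fd2, &at_path) != 0) return 0;
    close(fd2);
    if (digest_fd(fd, &at_fd) != 0) return 0;          /* what fexecve would use */
    close(fd);
    unlink(path);
    rmdir(dir);
    return at_fd == expected && at_path != expected;
}

int main(void) {
    printf("fd-based check survives path swap: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point of the demo is the return value of `verify_and_open`: the caller is never given a path to re-resolve, only the descriptor whose contents were hashed, which is the property a digest check in a privilege boundary like sudoers needs.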



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#805563; Package src:sudo. (Tue, 22 Mar 2016 15:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 22 Mar 2016 15:45:03 GMT)


Message #10 received at 805563@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 805563@bugs.debian.org
Subject: Re: Bug#805563: sudo: CVE-2015-8239: Race condition when checking digests in sudoers
Date: Tue, 22 Mar 2016 16:43:36 +0100
Control: tags -1 + fixed-upstream

Hi,

On Thu, Nov 19, 2015 at 03:47:53PM +0100, Salvatore Bonaccorso wrote:
> Source: sudo
> Version: 1.8.7-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for sudo, no upstream fix
> available TTBOMK at the time of writing.
> 
> CVE-2015-8239[0]:
> race condition checking digests/checksums in sudoers
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This issue seems to have been addressed in upstream version 1.8.16:

https://www.sudo.ws/stable.html#1.8.16

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 805563-submit@bugs.debian.org. (Tue, 22 Mar 2016 15:45:03 GMT)


Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Tue, 05 Jul 2016 17:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 05 Jul 2016 17:06:05 GMT)


Message #17 received at 805563-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 805563-close@bugs.debian.org
Subject: Bug#805563: fixed in sudo 1.8.17p1-1
Date: Tue, 05 Jul 2016 17:04:22 +0000
Source: sudo
Source-Version: 1.8.17p1-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 805563@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 05 Jul 2016 16:01:55 +0200
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.17p1-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 805563 809984
Changes:
 sudo (1.8.17p1-1) unstable; urgency=low
 .
   * new upstream version, closes: #805563
   * build-depend on the new mandoc package so we can rebuild man pages
     properly if needed, closes: #809984
Checksums-Sha1:
 8c4681bffe22dd1182f30b9b82fda9d0bf298ede 1976 sudo_1.8.17p1-1.dsc
 e9bb729513cd15e99def42019c35917bc9a73536 2786618 sudo_1.8.17p1.orig.tar.gz
 ee73c758653509766a0dbada8752582867a6bef2 22740 sudo_1.8.17p1-1.debian.tar.xz
 e0125bf16487d7a960b279e43094394c2cebbe55 644986 sudo-dbgsym_1.8.17p1-1_amd64.deb
 5c7fbac1c2275711d5618bef78d5b246a30f1f5a 665552 sudo-ldap-dbgsym_1.8.17p1-1_amd64.deb
 3ebdb272ebf6666828efc4ed23340c9f08fba432 1048300 sudo-ldap_1.8.17p1-1_amd64.deb
 a67e3df979179e5166a431afb29611d87b4003c8 1019342 sudo_1.8.17p1-1_amd64.deb
Checksums-Sha256:
 5b19ae4268266c9fc56fce357ef0d75b5a2eb3d42857981a720f3f9bd5ee6490 1976 sudo_1.8.17p1-1.dsc
 c690d707fb561b3ecdf6a6de5563bc0b769388eff201c851edbace408bb155cc 2786618 sudo_1.8.17p1.orig.tar.gz
 c13621a6fe1c6da1995e2d5578d71f2fc6b4475405d2eaee191913e6eb11a68f 22740 sudo_1.8.17p1-1.debian.tar.xz
 609f9aa6e2581c37020f55bf0b96cfe4ab10f16a83c5c4b3bac3591c544596f8 644986 sudo-dbgsym_1.8.17p1-1_amd64.deb
 7dcb3e9bfc7cfa75382473710c9ab39f75177ae9ac57a9835b8160500583d4a9 665552 sudo-ldap-dbgsym_1.8.17p1-1_amd64.deb
 6bff58dc0c2664eda14be1cb5399ae2544ae649ca6cf7a2aa9c93f838b08ad80 1048300 sudo-ldap_1.8.17p1-1_amd64.deb
 388a5ecb0e3f9479a024c65f70f162384d991f49f19ef7bc1133525fe60449d9 1019342 sudo_1.8.17p1-1_amd64.deb
Files:
 4097b2da3f696884a5e2f1017b58701a 1976 admin optional sudo_1.8.17p1-1.dsc
 50a840a688ceb6fa3ab24fc0adf4fa23 2786618 admin optional sudo_1.8.17p1.orig.tar.gz
 92eb85fa3c38f92308314ff33e39c346 22740 admin optional sudo_1.8.17p1-1.debian.tar.xz
 76cb5b397eead566625ff7d22aa3823a 644986 debug extra sudo-dbgsym_1.8.17p1-1_amd64.deb
 ec9115888e07499d2565bf2e431b397d 665552 debug extra sudo-ldap-dbgsym_1.8.17p1-1_amd64.deb
 83122639edfa2928fa860f9114bacac6 1048300 admin optional sudo-ldap_1.8.17p1-1_amd64.deb
 715ae37cff7f595845a4b778397afeb1 1019342 admin optional sudo_1.8.17p1-1_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Aug 2016 07:37:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:12 2019; Machine Name: buxtehude
