-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:159 http://www.mandriva.com/security/ _______________________________________________________________________ Package : sudo Date : August 31, 2006 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: Previous sudo updates were made available to sanitize certain environment variables from affecting a sudo call, such as PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in addressing those specific environment variables, other variables that were not blacklisted were being made available. Debian addressed this issue by forcing sudo to use a whitlist approach in DSA-946-2 by arbitrarily making env_reset the default (as opposed to having to be enabled in /etc/sudoers). Mandriva has opted to follow the same approach so now only certain variables are, by default, made available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_* variables. If other variables are required to be kept, this can be done by editing /etc/sudoers and using the env_keep option, such as: Defaults env_keep="FOO BAR" As well, the Corporate 3 packages are now compiled with the SECURE_PATH setting. Updated packages are patched to address this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151 http://www.debian.org/security/2006/dsa-946 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 859526089cecbc00c11b0c76509f97b1 2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.i586.rpm 7dce7457a74d625018aee6690bcc35d7 2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 8ab6e95323473f6f1f72c255aa4453ae x86_64/2006.0/RPMS/sudo-1.6.8p8-2.3.20060mdk.x86_64.rpm 7dce7457a74d625018aee6690bcc35d7 x86_64/2006.0/SRPMS/sudo-1.6.8p8-2.3.20060mdk.src.rpm Corporate 3.0: df8964b76a758340a3a283147dce03d5 corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.i586.rpm 3d4fe9dd6e7f729266af98a318be1b48 corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm Corporate 3.0/X86_64: f8b93aad21eb48289a537e586d3c58ae x86_64/corporate/3.0/RPMS/sudo-1.6.7-0.p5.2.5.C30mdk.x86_64.rpm 3d4fe9dd6e7f729266af98a318be1b48 x86_64/corporate/3.0/SRPMS/sudo-1.6.7-0.p5.2.5.C30mdk.src.rpm Multi Network Firewall 2.0: 57e770ca1e0d0bf487be6b1c4691926c mnf/2.0/RPMS/sudo-1.6.7-0.p5.2.5.M20mdk.i586.rpm d5a3d6889677117b6d19f953794c4ef4 mnf/2.0/SRPMS/sudo-1.6.7-0.p5.2.5.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE91BPmqjQ0CJFipgRApIhAJ45el9y07+qaXr3/b0FyVwnpuonvQCgh4Vr IxvcoSqmpZNHvZFSEGWu2/E= =Oehv -----END PGP SIGNATURE-----
