-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3867-1 security@xxxxxxxxxx https://www.debian.org/security/ Salvatore Bonaccorso May 30, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : sudo CVE ID : CVE-2017-1000367 Debian Bug : 863731 The Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse "/proc/[pid]/stat" to read the device number of the tty from field 7 (tty_nr). A sudoers user can take advantage of this flaw on an SELinux-enabled system to obtain full root privileges. For the stable distribution (jessie), this problem has been fixed in version 1.8.10p3-1+deb8u4. We recommend that you upgrade your sudo packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlktkWlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Q98BAAooAmA1MxgD9u3mQr8EadeJMpdRNXw2YBBNFmcDHUlGGOiHsTE64NNGFE 6nDoMmiUAKZVxf3i9SELFi6HWmxG3/PO5jCxfTiQAXEsZM5tRV04JORHj2H7VgnT tCrnMGDjg4XrO6BHv1vw7Wa1SwaY6MkTkfbpC1asfCxNcepMziDuCyEeWvMaarer ZBf2BXhf5e7Kjee2bLQXhP5XOJ3D9qeohJKdaz5X3xFw/RxKpRnvytychLx1jsLf hhhIopVrzg6Thno81mYB6gt8QaAusC92FYZp7EWCGIsO7Ecs1mar5a1brblbIDkm uuMLDpm/4Fqlx8mTnUbG3Tt7P/gsg8f0wLInDqbp3MD79pJ0oM+BQDkpU7wO6GDu e6ji4mzUuIXY9Eo4CysuFVPExJ9r446W/lV/MbBnTRMeoZFL2jkPaJ2IPiFQ6Igw 1haVjmjm1XGEy+JNOKo/AMix0gKsjeVw6HEiZL8PVSJKdfQDaMWTLdHXeIiWYWo+ Z+XR9DV9DSg1ufOBeqW7bJ+45N3WEfHRKrzleA3Fkkfn+KFIumwON1yaF0kO4PIA RsRfq4RsCRplQGct5CU0/krV8UwKuWznvREVo7Ptig1+Z+MfodpLeS+mHa3WJxHU +8MYQm8qH9suz0M628OLnmEP6N6hhrbA0zwJ8Ozkk1H52QYwdXs= =3xDb -----END PGP SIGNATURE-----