Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security, patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for sudo.
CVE-2010-1163[0]:
| The command matching functionality in sudo 1.6.9p22 through 1.7.2p5 does not
| properly handle when a file in the current working directory has the same name
| as a pseudo-command in the sudoers file and the PATH contains an entry
| for ".", which allows local users to execute arbitrary commands via a Trojan
| horse executable, as demonstrated using sudoedit, a different vulnerability
| than CVE-2010-0426.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1163
    http://security-tracker.debian.org/tracker/CVE-2010-1163

The vulnerability only applies when the ignore_dot value is on. Lenny is not affected since the default value is off and can be changed.

The patch:
https://bugzilla.redhat.com/attachment.cgi?id=405247&action=diff

thanks,
luciano
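As an added example (not part of this bug report, the Debian package or the sudo project), the following POSIX shell script audits the two conditions the report names: a PATH that contains "." (or an empty component, which the shell also resolves to the current working directory) and the state of the ignore_dot Default in a sudoers file. The PATH values and sudoers contents it uses are constructed sample input; which compiled-in default applies when ignore_dot is absent is left to the reader's build, as the report notes it differs.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit the two conditions the
# report names, a "." (or empty) PATH component and the ignore_dot Default in
# sudoers. All sample values below are constructed.

# Return 0 (true) if any component of the PATH string in $1 resolves to the
# current directory: a literal "." or an empty field (leading, trailing or
# doubled ':'). Wrapping the value in ':' lets one pattern cover every field.
path_has_cwd_entry() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Print on|off|unset for ignore_dot in the sudoers file named by $1.
# Only global "Defaults" lines are read; per-user/host forms (Defaults:user,
# Defaults@host) are skipped, and the last global setting wins. "unset"
# means the compiled-in default applies.
sudoers_ignore_dot_state() {
    _file=$1
    _state=unset
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                       # strip comments
        set -f                                   # no globbing while splitting
        set -- $(printf '%s' "$_line" | tr ',' ' ')
        set +f
        [ "${1:-}" = Defaults ] || continue      # global Defaults only
        shift
        for _opt in "$@"; do
            case $_opt in
                ignore_dot)    _state=on ;;
                '!ignore_dot') _state=off ;;
            esac
        done
    done < "$_file"
    printf '%s\n' "$_state"
}

# Stand-alone demonstration on constructed input.
_demo=$(mktemp)
printf 'Defaults env_reset, !ignore_dot\nroot ALL=(ALL) ALL\n' > "$_demo"
for _p in "/usr/local/bin:/usr/bin:/bin" "/usr/bin:.:/bin" "/usr/bin::/bin"; do
    if path_has_cwd_entry "$_p"; then
        printf 'PATH %s: contains a cwd entry\n' "$_p"
    else
        printf 'PATH %s: ok\n' "$_p"
    fi
done
printf 'ignore_dot: %s\n' "$(sudoers_ignore_dot_state "$_demo")"
rm -f "$_demo"
```

Run it against the real file with `sudoers_ignore_dot_state /etc/sudoers` and `path_has_cwd_entry "$PATH"`; a cwd entry together with an ignore_dot state of "on" is the combination the report describes, and the per-user Defaults forms it skips would need a separate check if they are in use.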