On Fri, 2015-12-25 at 02:53 +0000, Ben Hutchings wrote:
> Control: reopen -1
>
> On Thu, 24 Dec 2015 05:19:31 +0000 Bdale Garbee <bd...@gag.com> wrote:
> > Source: sudo
> > Source-Version: 1.8.15-1
> >
> > We believe that the bug you reported is fixed in the latest version of
> > sudo, which is due to be installed in the Debian FTP archive.
> [...]
>
> As Raphael already explained, the upstream change doesn't fix this.

It *does* add a new configuration option, sudoedit_checkdir, which if
enabled will defeat this attack. However, the upstream default is that
it's disabled. Perhaps this should be changed in the Debian package?

Ben.

-- 
Ben Hutchings
All extremists should be taken out and shot.
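
An added example, not part of the thread and not code from sudo or Debian: a small audit helper that reports whether sudoedit_checkdir is switched on in a given sudoers text. It assumes the built-in default is "disabled", as the message states; the function name, the sample policy and its user and group names are constructed for illustration, and include directives are not followed.

```python
import re

FLAG = "sudoedit_checkdir"  # option named in the message above

# Constructed sample sudoers text (not taken from any real system).
SAMPLE = '''\
# constructed sample
Defaults env_reset, \\
         secure_path="/usr/sbin:/usr/bin"
Defaults mail_badpass, sudoedit_checkdir   # turned on globally
Defaults:deploy !sudoedit_checkdir
%editors ALL = sudoedit /etc/motd
'''

def checkdir_settings(sudoers_text, builtin_default=False):
    """Return (global_state, scoped_overrides) for sudoedit_checkdir.

    builtin_default=False is an assumption taken from the message
    (upstream ships the option disabled). Hypothetical helper: it reads
    only the text it is given and does not follow include directives.
    """
    text = re.sub(r"\\\n", " ", sudoers_text)       # join continued lines
    state, scoped = builtin_default, []
    for line in text.splitlines():
        line = re.sub(r'"[^"]*"', '""', line)       # blank quoted values
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"Defaults(?:([:@>!])\s*(\S+))?\s+(.*)$", line)
        if not m:
            continue
        kind, target, params = m.groups()
        for item in params.split(","):
            flag = re.fullmatch(r"(!?)\s*" + FLAG, item.strip())
            if not flag:
                continue
            enabled = flag.group(1) == ""           # "!" prefix disables
            if kind:                                # Defaults:user, @host, ...
                scoped.append((kind + target, enabled))
            else:
                state = enabled                     # later lines win
    return state, scoped

if __name__ == "__main__":
    state, scoped = checkdir_settings(SAMPLE)
    print("global sudoedit_checkdir:", "on" if state else "off")
    for scope, enabled in scoped:
        print("  Defaults%s -> %s" % (scope, "on" if enabled else "off"))
```

A scoped entry that turns the option back off for one user, host or command is worth flagging even when the global setting is on, which is why the helper returns the two separately.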