This bug was fixed in the package sudo - 1.8.16-0ubuntu1

---------------
sudo (1.8.16-0ubuntu1) xenial; urgency=medium

  * Update to new upstream version 1.8.16. (LP: #1563825)
    - Dropped patches no longer needed:
      + CVE-2015-5602-6.patch
      + CVE-2015-5602-7.patch
  * Merge from Debian unstable. Remaining changes:
    - Use tmpfs location to store timestamp files
      + debian/rules: change --with-rundir to /var/run/sudo
      + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
        shipping init script and service file, as they are no longer
        necessary.
      + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
        init script with dpkg-maintscript-helper.
      + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
        transition code, remove old /var/lib/sudo/ts timestamp directory.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudoers:
      + also grant admin group sudo access
    - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted
        due to security reasons.
    - debian/control:
      + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
    - Remaining patches:
      + keep_home_by_default.patch: Keep HOME in the default environment
      + debian/patches/also_check_sudo_group.diff: also check the sudo
        group in plugins/sudoers/sudoers.c to create the admin flag file.
        Leave the admin group check for backwards compatibility.
    - Dropped patches no longer needed:
      + debian/patches/pam_check_untranslated_prompt.patch: upstream.

sudo (1.8.15-1.1) unstable; urgency=medium

  * Non-maintainer upload
  * Disable editing of files via user-controllable symlinks
    (Closes: #804149) (CVE-2015-5602)
    - Fix directory writability checks for sudoedit
    - Enable sudoedit directory writability checks by default

sudo (1.8.15-1) unstable; urgency=low

  * new upstream version, closes: #804149
  * use --with-exampledir to deliver example files more cleanly

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Wed, 30 Mar 2016 08:03:52 -0400

** Changed in: sudo (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5602

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1563825

Title:
  FFe: Update to sudo 1.8.16

Status in sudo package in Ubuntu:
  Fix Released

Bug description:
  I am requesting a FeatureFreeze exception to update sudo in Xenial to
  the newly released 1.8.16 version.

  Not only does the new 1.8.16 version fix a large number of bugs, but
  it also fixes security issues:

  - CVE-2015-5602: privilege escalation via symlink attack
  - CVE-2015-8239: race condition checking digests/checksums in sudoers
  - duplicate environment variable handling

  The fixes for these issues are intrusive and difficult to backport.

  Once 1.8.16 is in Xenial, I intend to backport it to Precise and
  Trusty as a security update to fix the long-standing issue with sudo
  and timestamp files based on the local clock, which resulted in a big
  refactoring of how timestamp files work in 1.8.10. (See bug 1219337)

  See the following for details of the changes between 1.8.12 and
  1.8.16: https://www.sudo.ws/stable.html

  I will of course monitor bugs and will fix any issues that arise.
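As an added example, not part of the original notification or of the sudo package, the changelog above can be parsed mechanically to answer the question a vulnerability-management check asks about such an upload: which package version first mentions a given CVE, and which Launchpad or Debian bugs it closes. The parser assumes the standard debian/changelog layout (a header line, indented change lines, a " -- " trailer) and runs on a constructed, trimmed copy of the entries above as sample input; the maintainer name and address in the trailer are placeholders, not the real uploader's.

```python
import re
from dataclasses import dataclass, field

# Header line of a debian/changelog entry, e.g.
#   sudo (1.8.16-0ubuntu1) xenial; urgency=medium
HEADER_RE = re.compile(
    r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urg>\S+)"
)
# Trailer line: " -- Name <email>  Date" (two spaces before the date).
TRAILER_RE = re.compile(r"^ -- (?P<maint>.+?)  (?P<date>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
LP_RE = re.compile(r"LP: #(\d+)")
CLOSES_RE = re.compile(r"[Cc]loses: #(\d+)")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    urgency: str
    maintainer: str = ""
    date: str = ""
    changes: list = field(default_factory=list)
    cves: set = field(default_factory=set)
    lp_bugs: set = field(default_factory=set)
    debian_bugs: set = field(default_factory=set)


def parse_changelog(text):
    """Return the entries of a debian/changelog in file order (newest first).

    An entry starts at a header line and ends at its " -- " trailer. In a
    merged Ubuntu changelog several Debian headers may share one trailer,
    as in the sample; a new entry is simply started at every header and
    only the last one in such a run gets the maintainer/date.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["pkg"], m["ver"], m["dist"], m["urg"])
            entries.append(current)
            continue
        if current is None:
            continue  # text outside any entry
        m = TRAILER_RE.match(line)
        if m:
            current.maintainer = m["maint"]
            current.date = m["date"]
            current = None
            continue
        if line.strip():
            current.changes.append(line.rstrip())
            current.cves.update(CVE_RE.findall(line))
            current.lp_bugs.update(LP_RE.findall(line))
            current.debian_bugs.update(CLOSES_RE.findall(line))
    return entries


def first_version_mentioning(entries, cve):
    """Oldest version whose entry mentions `cve` (entries are newest first), or None."""
    hits = [e.version for e in entries if cve in e.cves]
    return hits[-1] if hits else None


# Constructed sample: a trimmed copy of the changelog in the notification.
# The trailer's name and address are placeholders, not the real uploader's.
SAMPLE_CHANGELOG = """\
sudo (1.8.16-0ubuntu1) xenial; urgency=medium

  * Update to new upstream version 1.8.16. (LP: #1563825)
    - Dropped patches no longer needed:
      + CVE-2015-5602-6.patch
      + CVE-2015-5602-7.patch

sudo (1.8.15-1.1) unstable; urgency=medium

  * Non-maintainer upload
  * Disable editing of files via user-controllable symlinks
    (Closes: #804149) (CVE-2015-5602)

sudo (1.8.15-1) unstable; urgency=low

  * new upstream version, closes: #804149

 -- Placeholder Maintainer <maintainer@example.invalid>  Wed, 30 Mar 2016 08:03:52 -0400
"""

if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for e in entries:
        print(e.version, e.distribution, sorted(e.cves),
              sorted(e.lp_bugs), sorted(e.debian_bugs))
    print("CVE-2015-5602 first mentioned in:",
          first_version_mentioning(entries, "CVE-2015-5602"))
```

Note that a CVE string in a patch file name (CVE-2015-5602-6.patch) counts as a mention in the 1.8.16-0ubuntu1 entry even though that entry drops the patch; the oldest mention, 1.8.15-1.1, is the one that actually introduced the fix, which is why the lookup returns the last hit rather than the first.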