[Bug 1563825] [NEW] FFe: Update to sudo 1.8.16

Marc Deslauriers marc.deslauriers at canonical.com
Wed Mar 30 11:53:04 UTC 2016


*** This bug is a security vulnerability ***

Public security bug reported:

I am requesting a FeatureFreeze exception to update sudo in Xenial to
the newly released 1.8.16 version.

Not only does the new 1.8.16 version fix a large number of bugs, but it
also fixes security issues:

- CVE-2015-5602: privilege escalation via symlink attack
- CVE-2015-8239: race condition checking digests/checksums in sudoers
- duplicate environment variable handling

The fixes for these issues are intrusive and difficult to backport.

Once 1.8.16 is in Xenial, I intend to backport it to Precise and Trusty
as a security update to fix the long-standing issue with sudo and
timestamp files based on the local clock, which resulted in a big
refactoring of how timestamp files work in 1.8.10. (See bug 1219337)

See the following for details of the changes between 1.8.12 and 1.8.16:
https://www.sudo.ws/stable.html

I will of course monitor bugs and will fix any issues that arise.

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1563825