[Bug 1563825] Re: FFe: Update to sudo 1.8.16
Martin Pitt
martin.pitt at ubuntu.com
Wed Mar 30 12:21:53 UTC 2016
Only trivial new features, mostly bug fixes. Approved.
** Changed in: sudo (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1563825
Title:
FFe: Update to sudo 1.8.16
Status in sudo package in Ubuntu:
Triaged
Bug description:
I am requesting a FeatureFreeze exception to update sudo in Xenial to
the newly released 1.8.16 version.
Not only does the new 1.8.16 version fix a large number of bugs, but
it also fixes security issues:
- CVE-2015-5602: privilege escalation via symlink attack
- CVE-2015-8239: race condition checking digests/checksums in sudoers
- duplicate environment variable handling
The fixes for these issues are intrusive and difficult to backport.
Once 1.8.16 is in Xenial, I intend to backport it to Precise and
Trusty as a security update to fix the long-standing issue with sudo
and timestamp files based on the local clock, which resulted in a big
refactoring of how timestamp files work in 1.8.10. (See bug 1219337)
See the following for details of the changes between 1.8.12 and 1.8.16:
https://www.sudo.ws/stable.html
I will of course monitor bugs and will fix any issues that arise.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1563825/+subscriptions