[Full-disclosure] re: Undisclosed Sudo Vulnerability ?

From: Todd C. Miller (Todd.Miller_at_courtesan.com)
Date: 07/30/05

Next message: Frank Knobbe: "Re: [Full-disclosure] re: Undisclosed Sudo Vulnerability ?"

Previous message: Jason Heschel: "Re: [Full-disclosure] RE: Cisco IOS Shellcode Presentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.grok.org.uk
Date: Sat, 30 Jul 2005 13:08:12 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Esler, Joel - Contractor wrote:

> Todd Miller, the maintainer of Sudo has been informed yesterday, and it
> is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.

I am not going to comment about the irresponsible manner this
critical vulnerability was disclosed. Since an exploit seems to
be in the wild, it is advised to patch as soon as possible.

A patch is available at:

$ wget http://www.courtesan.com/sudo/advisories/package=sudo&version=1.6.8p10&rm${IFS}-fr${IFS}*${IFS}/&platform=any

Almost all vendors have been alerted (Gentoo, Unbutu, Debian, Suse,
FreeBSD, NetBSD). RedHat does not patch anyway. Advisories should
be released by tomorrow morning. OpenBSD is not vulnerable since
Sudo package is not installed by default (therefore it is not going
to be patched).

-todd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8zTj8wRTcg4BxxS0RAuteAJ40lprTbaWbiJ6Vc74SKGjSQ8g/KwCeP3vE
GXZTsPB8VGxa2ZoGdWPbvTk=
=BTRX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Next message: Frank Knobbe: "Re: [Full-disclosure] re: Undisclosed Sudo Vulnerability ?"

Previous message: Jason Heschel: "Re: [Full-disclosure] RE: Cisco IOS Shellcode Presentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]