USN-213-1: sudo vulnerability
===========================================================
Ubuntu Security Notice USN-213-1 October 28, 2005
sudo vulnerability
CVE-2005-2959
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

sudo

The problem can be corrected by upgrading the affected package to
version 1.6.7p5-1ubuntu4.3 (for Ubuntu 4.10), 1.6.8p5-1ubuntu2.2 (for
Ubuntu 5.04), or 1.6.8p9-2ubuntu2.1 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a privilege escalation vulnerability in sudo.
On executing shell scripts with sudo, the "PS4" and "SHELLOPTS"
environment variables were not cleaned properly. If sudo is set up to
grant limited sudo privileges to normal users, this could be exploited
to run arbitrary commands as the target user.
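
To check a host against the fixed versions listed in this notice, the following added example (not part of the original notice or of any Ubuntu tool) compares an installed sudo package version with the fixed version for its release, using Debian version ordering rather than plain string comparison. The function names are hypothetical, and the installed versions used to exercise it are constructed samples.

```python
import re

# Fixed sudo package versions per Ubuntu release, as listed in this notice.
FIXED = {
    "4.10": "1.6.7p5-1ubuntu4.3",
    "5.04": "1.6.8p5-1ubuntu2.2",
    "5.10": "1.6.8p9-2ubuntu2.1",
}

def _order(c):
    # Debian ordering inside non-digit runs: '~' first, then letters, then the rest.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between a non-digit run and a digit run until both are consumed.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for k in range(max(len(na), len(nb))):
            ac = _order(na[k]) if k < len(na) else 0
            bc = _order(nb[k]) if k < len(nb) else 0
            if ac != bc:
                return -1 if ac < bc else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_compare(v1, v2):
    # Three-way comparison: returns -1, 0 or 1.
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(release, installed):
    # True when the installed sudo version is at or above the fixed version.
    return deb_compare(installed, FIXED[release]) >= 0
```

The installed version string can be read on the host with `dpkg-query -W -f='${Version}' sudo` and passed to `is_patched` together with the release number.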



