Univention Bugzilla – Bug 52704
sudo: Multiple issues (4.4)
Last modified: 2021-02-01 09:24:25 CET
New Debian sudo 1.8.19p1-2.1+deb9u3 fixes:
This update addresses the following issue:
* Heap buffer overflow in argument parsing (CVE-2021-3156)
--- mirror/ftp/4.4/unmaintained/4.4-4/source/sudo_1.8.19p1-2.1+deb9u2.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/sudo_1.8.19p1-2.1+deb9u3.dsc @@ -1,3 +1,13 @@ +1.8.19p1-2.1+deb9u3 [Sat, 23 Jan 2021 10:10:33 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Heap-based buffer overflow (CVE-2021-3156) + - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit + - Add sudoedit flag checks in plugin that are consistent with front-end + - Fix potential buffer overflow when unescaping backslashes in user_args + - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL + - Don't assume that argv is allocated as a single flat buffer + 1.8.19p1-2.1+deb9u2 [Fri, 31 Jan 2020 22:10:55 +0100] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload by the Security Team. <http://10.200.17.11/4.4-7/#3251476448744904964>
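Review bot: the changelog hunk lists five separate code changes under the single CVE-2021-3156 heading (the sudoedit valid_flags reset, the plugin-side sudoedit flag checks, the backslash-unescaping overflow fix, the v1 timestamp memset offset, and the argv flat-buffer assumption), while the erratum text only names the heap buffer overflow in argument parsing; consider carrying those sub-items into the erratum YAML so administrators can see that the timestamp and sudoedit-flag changes ship with this update as well. The excerpt also shows only the changelog part of the .dsc diff, so the updated Files/Checksums entries cannot be reviewed here.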
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.4-7] 195df1c292 Bug #52704: sudo 1.8.19p1-2.1+deb9u3
 doc/errata/staging/sudo.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x875>
Will this be backported to 4.3 too?
The regular UCS 4.3 maintenance ended at the end of May 2020, see https://wiki.univention.de/index.php/Maintenance_Cycle_for_UCS. The update will be made available for customers who bought extended security maintenance.
Thanks for the reply and link. What about customers that cannot easily update to the latest 4.4? We have at least one that is currently stuck on 4.4-3 and will only be able to have downtime at the end of next month.
Please avoid discussions on already closed bugs. I suggest opening a thread on help.univention.com or getting in contact with our sales department. Older 4.4-x versions get no further updates once the security maintenance ends. If required, the fixed sudo package can be downloaded from our mirror and installed manually. http://updates.software-univention.de/4.4/maintained/component/4.4-7-errata/amd64/