Opened 3 years ago

Closed 2 years ago

#50356 closed update (fixed)

sudo: Update to 1.8.15, CVE-2015-5602

Reported by: neverpanic (Clemens Lang)
Owned by: youvegotmoxie@…
Priority: Normal
Milestone:
Component: ports
Version: 2.3.4
Keywords:
Cc:
Port: sudo

Description

Hi,

sudo has version 1.8.15 available. It attempts to fix CVE-2015-5602, but the problem is actually still present after that [1,2,3]. Please update sudo to 1.8.15 and consider backporting the change that fixes the CVE and has been committed for sudo 1.8.16 [4].

Here's a patch that does the gruntwork; I haven't looked into backporting the patch, though.

  • Portfile

     
    55
    66name                sudo
    77epoch               1
    8 version             1.8.14p3
    9 revision            1
     8version             1.8.15
    109categories          sysutils security
    1110license             ISC
    1211maintainers         gmail.com:youvegotmoxie
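Review bot: removing `revision 1` together with the bump to `version 1.8.15` resets the revision to 0, which is fine for this commit, but the planned backport of the CVE-2015-5602 fix will leave `version` unchanged. That follow-up has to add `revision 1` back, otherwise existing 1.8.15 installs will not be seen as outdated and will not pick up the fix.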
     
    2423master_sites        ${homepage}dist/ \
    2524                    ${homepage}dist/OLD/
    2625
    27 checksums           rmd160  209554c44467da8ebeeecc2134edbf42fce2244e \
    28                     sha256  a8a697cbb113859058944850d098464618254804cf97961dee926429f00a1237
     26checksums           rmd160  676ee3249c2ddacd64de54d6555b820912b56f6f \
     27                    sha256  4316381708324da8b6cb151f655c1a11855207c7c02244d8ffdea5104d7cc308
    2928
    3029patchfiles          patch-sudoers.in.diff
    3130
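Review bot: `patchfiles` in the trailing context still lists only patch-sudoers.in.diff, so this update ships 1.8.15 without the 1.8.16 change [4] that the description says is needed to actually fix CVE-2015-5602. Add the backported patch to `patchfiles` in a follow-up, or state in the commit message that the CVE remains open at this version so the update is not read as the fix.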

I'm leaving this at normal priority, since the CVE doesn't affect our default installation.

[1] https://www.debian.org/security/2016/dsa-3440
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149
[3] https://bugzilla.sudo.ws/show_bug.cgi?id=707
[4] https://www.sudo.ws/repos/sudo/rev/c2e36a80a279

Change History (4)

comment:1 Changed 3 years ago by youvegotmoxie@…

Thank you, please do push this patch through as I am on holiday.

comment:2 Changed 3 years ago by youvegotmoxie@…

I will work on the backport from .16 to .15 when I get back.

comment:3 Changed 3 years ago by neverpanic (Clemens Lang)

Committed this patch in 145046; I'll leave the ticket open for the backport (or your decision not to).

comment:4 Changed 2 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: new → closed

This has long been solved.
