Debian Sudo Security Vulnerability

IshaqIshaq Member
edited March 2013 in General

Hey LET.

Please upgrade your sudo packages immediately, if you're not already aware there is a sudo vulnerability for Debian based systems.

This mainly affects people with sudo users.

More information: http://www.debian.org/security/2013/dsa-2642

Comments

  • flyfly Member
    edited March 2013

    CVE-1775 is pretty hilarious

    I dunno if this is Debian specific

    edit: looks like it's across the board

  • OllieOllie Member

    Hey Ishaq.
    Thank you for alerting us of this exploit, I will patch my Debian server immediately.
    Ollie

  • jarjar Patron Provider, Top Host, Veteran

    Thanks for the heads up. I don't really have Debian in use for anything at production level, so I hadn't kept up on their security updates.

  • tuxtux Member
    edited March 2013

    @Ishaq said: Please upgrade your sudo packages immediately, if you're not already aware there is a sudo vulnerability for Debian based systems.

    root@debian:~# LANG=C apt-cache policy sudo | grep Installed
    Installed: (none)

  • IshaqIshaq Member

    @tux said: root@debian:~# LANG=C apt-cache policy sudo | grep Installed
    Installed: (none)

    Some may not have it installed.

  • NoermanNoerman Member
    edited March 2013

    Thanks, now updating sudo ..

    Installing package(s) with command apt-get -y install sudo ..

    Reading package lists...
    Building dependency tree...
    Reading state information...
    The following packages will be upgraded:
    sudo
    1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 611 kB of archives.
    After this operation, 16.4 kB disk space will be freed.
    Get:1 http://security.debian.org/ squeeze/updates/main sudo amd64 1.7.4p4-2.squeeze.4 [611 kB]
    Reading changelogs...
    Fetched 611 kB in 0s (1733 kB/s)
    (Reading database ... 71643 files and directories currently installed.)
    Preparing to replace sudo 1.7.4p4-2.squeeze.3 (using .../sudo_1.7.4p4-2.squeeze.4_amd64.deb) ...
    Unpacking replacement sudo ...
    Processing triggers for man-db ...
    Setting up sudo (1.7.4p4-2.squeeze.4) ...
    .. install complete.

  • tchentchen Member

    Thanks @Ishaq for the PSA.

  • twaintwain Member

    I upgraded, but I don't think anyone should really be worried unless you give out shell or console access to some other users, but of course best practice is to upgrade.

  • Automatic security updates FTW :)

  • Thanks for the PSA!

  • tehdantehdan Member
    edited March 2013

    @twain you should be worried - see the thread 'why do people say this' - if sudo is broken, you're basically running everything as root.

    The details in the CVE on the 2nd patch are withheld, so this is quite likely to be a major problem and will affect all distros using affected sudo versions.

  • @tehdan nope, you still have to run it as sudo. It just won't ask you for a password even if the timestamp is outdated. Users still need to be in the sudoers list etc. So basically this really doesn't affect most people.

  • @nstorm thanks - looked at the bug and yes, the user does have to have sudo'd previously.

    However the general statement that a sudo bug would only affect local users is a common misconception - if it were more serious it could trivially be stacked with a code-execution vulnerability in any other service to get root from a non-privileged service like apache.

  • NickMNickM Member

    Standard security best practices should mitigate most of the concerns regarding this sudo vulnerability. For example, running publicly facing daemons as "nobody" or at least their own user account (and not giving that account sudo privileges for whatever asinine reason people do that).

  • BlueVM said "Some may not have it installed".

    (Debian) Minstall users are one group who probably don't have sudo installed
