Package | sudo |
---|---|
Version | 1.8.27-1+deb10u7 (buster), 1.8.19p1-2.1+deb9u7 (stretch), 1.8.10p3-1+deb8u10 (jessie) |
Related CVEs | CVE-2025-32462 |

Rich Mirch discovered that sudo, a program designed to provide limited superuser privileges to specific users, does not correctly handle the host (`-h` or `--host`) option. Due to a bug, the host option was not restricted to listing privileges only and could also be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file, the flaw might allow a local privilege escalation attack.
For Debian 10 buster, these problems have been fixed in version 1.8.27-1+deb10u7.
For Debian 8 jessie, these problems have been fixed in version 1.8.10p3-1+deb8u10.
For Debian 9 stretch, these problems have been fixed in version 1.8.19p1-2.1+deb9u7.
We recommend that you upgrade your sudo packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.