ELA-1476-1 sudo security update

local privilege escalation

2025-06-30
Package: sudo
Version: 1.8.27-1+deb10u7 (jessie), 1.8.19p1-2.1+deb9u7 (stretch), 1.8.10p3-1+deb8u10 (buster)
Related CVEs: CVE-2025-32462


Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or --host) option. Due to a bug, the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file, the flaw might allow a local privilege escalation attack.
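
To see which sudoers rules deserve review while the upgrade is rolled out, the following added example (not part of the advisory or of sudo itself) lists rules whose host field names something other than ALL or the local machine. It assumes those host-scoped rules are the ones the advisory's "depending on the rules present" refers to; the sample rules, the hostname localbox.example.org and the function names are constructed for illustration, and the parser is simplified (single-token user lists, no included files).

```python
import re
# Constructed sample sudoers content, not taken from a real system.
SAMPLE = """\
Host_Alias WEB = web1, web2
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   WEB = /usr/sbin/service nginx restart
bob     build01, localbox = (root) \\
        /usr/bin/apt-get update
carol   localbox = /usr/bin/systemctl status
"""
NON_RULES = ("Defaults", "Host_Alias", "User_Alias", "Runas_Alias", "Cmnd_Alias")

def clean_lines(text):
    """Join backslash continuations, drop comments, blanks and include lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"\s#.*$", "", raw).strip()
        if line and not line.startswith(("#", "@include")):
            yield line

def host_scoped_rules(text, local_host):
    """Return (rule, hosts) for rules naming hosts other than ALL or this one."""
    local = {"ALL", local_host, local_host.split(".")[0]}
    lines = list(clean_lines(text))
    aliases = {}
    for line in lines:  # first pass: collect Host_Alias definitions
        if line.startswith("Host_Alias"):
            for part in line[len("Host_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = [m.strip() for m in members.split(",")]
    findings = []
    for line in lines:  # second pass: user specifications
        if line.startswith(NON_RULES) or "=" not in line:
            continue
        # Simplification: first token is the user list, the rest before "=" is hosts.
        left = line.split("=", 1)[0].split(None, 1)
        if len(left) < 2:
            continue
        hosts = []
        for h in left[1].split(","):
            hosts.extend(aliases.get(h.strip(), [h.strip()]))
        foreign = sorted(h for h in hosts if h not in local)
        if foreign:
            findings.append((line, foreign))
    return findings

if __name__ == "__main__":
    for rule, hosts in host_scoped_rules(SAMPLE, "localbox.example.org"):
        print(f"review: {rule!r} applies to {hosts}")
```

To audit a real system, pass the contents of /etc/sudoers and the files under /etc/sudoers.d, together with the machine's hostname, to host_scoped_rules.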



For Debian 10 buster, these problems have been fixed in version 1.8.10p3-1+deb8u10.

For Debian 8 jessie, these problems have been fixed in version 1.8.27-1+deb10u7.

For Debian 9 stretch, these problems have been fixed in version 1.8.19p1-2.1+deb9u7.

We recommend that you upgrade your sudo packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.