ELA-178-1 sudo security update

potential bypass of Runas user restrictions

Related CVEs: CVE-2019-14287

In sudo, a program that provides limited super user privileges to specific users, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of (ALL,!root) configuration for a “sudo -u#-1” command.

See https://www.sudo.ws/alerts/minus_1_uid.html for further information.
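As an added example (not part of this advisory or of sudo itself), the following Python script shows two defender-side checks for this issue: flagging sudo log entries whose Runas target is the crafted uid -1 (or its unsigned 32-bit form 4294967295), and listing sudoers rules of the (ALL, !root) shape that the bug lets a user step around. The sudo log line layout and the assumption that sudo records the literal numeric target are assumptions; all sample lines are constructed.

```python
import re
# Constructed sudo syslog lines (not from the advisory). Assumed: a "sudo -u#-1"
# invocation is logged with the literal numeric target (#-1 or #4294967295).
SAMPLE_LOG = """\
Oct 14 10:01:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Oct 14 10:02:10 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=www-data ; COMMAND=/bin/ls
Oct 14 10:03:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/usr/bin/id
Oct 14 10:04:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#4294967295 ; COMMAND=/bin/sh
"""
LOG_RE = re.compile(r"sudo:\s+(?P<who>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def is_minus_one_uid(target):
    """True when a numeric Runas target (#uid) is -1 or its 32-bit uid_t wraparound."""
    if not target.startswith("#"):
        return False
    try:
        uid = int(target[1:])
    except ValueError:
        return False
    return uid == -1 or uid == 0xFFFFFFFF

def find_minus_one_runas(log_text):
    """Return (invoking user, target, command) for each crafted-uid invocation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_minus_one_uid(m.group("target")):
            hits.append((m.group("who"), m.group("target"), m.group("cmd")))
    return hits

# Constructed sudoers fragment; the bob rule is the pattern this bug bypasses.
SAMPLE_SUDOERS = """\
bob   ALL=(ALL, !root) /usr/bin/id
carol ALL=(ALL:ALL) ALL
"""
RUNAS_RE = re.compile(r"=\(([^)]*)\)")

def find_all_but_root_rules(sudoers_text):
    """Return sudoers rules whose Runas user list is ALL with only root (or #0) negated."""
    flagged = []
    for line in sudoers_text.splitlines():
        m = RUNAS_RE.search(line)
        if not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        negated = {u.lstrip("!").strip() for u in users if u.startswith("!")}
        if "ALL" in users and negated & {"root", "#0"}:
            flagged.append(line.strip())
    return flagged
```

Flagged sudoers rules should be rewritten to enumerate the permitted target users explicitly rather than relying on a negation of root, and the log check is only a complement to upgrading to the fixed package.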

For Debian 7 Wheezy, these problems have been fixed in version 1.8.5p2-1+nmu3+deb7u5.

We recommend that you upgrade your sudo packages.

