*** This bug is a security vulnerability ***

Public security bug reported:

I am requesting a FeatureFreeze exception to update sudo in Xenial to
the newly released 1.8.16 version.

Not only does the new 1.8.16 version fix a large number of bugs, but it
also fixes security issues:

- CVE-2015-5602: privilege escalation via symlink attack
- CVE-2015-8239: race condition checking digests/checksums in sudoers
- duplicate environment variable handling

The fixes for these issues are intrusive and difficult to backport.

Once 1.8.16 is in Xenial, I intend to backport it to Precise and Trusty
as a security update to fix the long-standing issue with sudo and
timestamp files based on the local clock, which resulted in a big
refactoring of how timestamp files work in 1.8.10. (See bug 1219337)

See the following for details of the changes between 1.8.12 and 1.8.16:
https://www.sudo.ws/stable.html

I will of course monitor bugs and will fix any issues that arise.

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1563825

Title:
  FFe: Update to sudo 1.8.16

Status in sudo package in Ubuntu:
  New
