
Security Advisory Low: sudo security and bug fix update

Advisory: RHSA-2011:0599-1
Type: Security Advisory
Severity: Low
Issued on: 2011-05-19
Last updated on: 2011-05-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2011-0010

Details

An updated sudo package that fixes one security issue and several bugs is
now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The sudo (superuser do) utility allows system administrators to give
certain users the ability to run commands as root.

A flaw was found in the sudo password checking logic. In configurations
where the sudoers settings allowed a user to run a command using sudo with
only the group ID changed (a Runas specification naming a group but no user,
exercised with the "-g" option), sudo failed to prompt for the user's
password before running the specified command with the elevated group
privileges. (CVE-2011-0010)
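As an added illustration, not part of the Red Hat advisory: a POSIX shell scan for sudoers rules whose Runas specification names a group but no user, the "(:group)" form that is exercised with "sudo -g" and is the configuration affected by CVE-2011-0010. The sudoers content below is constructed for the example, and the helper names group_only_runas and count_group_only_runas are ours.

```shell
#!/bin/sh
# Added example (not from the advisory): find sudoers rules that grant a
# group-only Runas spec, the "(:group)" form that is exercised with "sudo -g".
# On sudo 1.7.x before 1.7.4p5 such a rule let the user run the command with
# the changed group without being asked for a password (CVE-2011-0010).

# Constructed sample sudoers content for demonstration; not from any real host.
# Only the "alice" rule is a group-only Runas spec.  "carol" changes the
# group too, but together with a user, and is NOPASSWD by explicit choice.
SAMPLE_SUDOERS='# constructed sample
Defaults    requiretty
root    ALL=(ALL)           ALL
%wheel  ALL=(ALL)           ALL
bob     ALL=(operator)      /sbin/service httpd restart
alice   ALL=(:backup)       /bin/tar        # alice$ sudo -g backup /bin/tar ...
carol   ALL=(root:backup)   NOPASSWD: /usr/bin/rsync
'

# group_only_runas: read sudoers text on stdin, print the user specifications
# whose Runas list names groups but no user, i.e. "(: group, ...)".
# Comments are stripped first so a commented-out rule is not reported.
group_only_runas() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        | grep -E '\([[:space:]]*:[^)]*\)'
}

# count_group_only_runas: number of such rules, for scripting and reporting.
count_group_only_runas() {
    group_only_runas | grep -c .
}

# Scan the constructed sample.  On a host, run as root against /etc/sudoers
# and any files it pulls in with #includedir:
#   group_only_runas < /etc/sudoers
printf '%s\n' "$SAMPLE_SUDOERS" | group_only_runas
```

A hit is not a misconfiguration by itself; group-only Runas rules are legitimate sudoers syntax. The scan tells you which rules were reachable without a password on an unpatched sudo, so you know where to look in the sudo log for "-g" invocations made before the update was applied.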

This update also fixes the following bugs:

* When the "/etc/sudoers" file contained entries with multiple hosts,
running the "sudo -l" command incorrectly reported that a certain user does
not have permissions to use sudo on the system. With this update, running
the "sudo -l" command now produces the correct output. (BZ#603823)

* Prior to this update, the manual page for sudoers.ldap was not installed,
even though it contains important information on how to set up an LDAP
(Lightweight Directory Access Protocol) sudoers source, and other documents
refer to it. With this update, the manual page is now properly included in
the package. Additionally, various POD files have been removed from the
package, as they are required for build purposes only. (BZ#634159)

* The previous version of sudo did not use the same location for the LDAP
configuration files as the nss_ldap package. This has been fixed and sudo
now looks for these files in the same location as the nss_ldap package.
(BZ#652726)

* When a file was edited using the "sudo -e file" or the "sudoedit file"
command, the editor being executed for this task was logged only as
"sudoedit". With this update, the full path to the executable being used as
an editor is now logged (instead of "sudoedit"). (BZ#665131)

* A comment regarding the "visiblepw" option of the "Defaults" directive
has been added to the default "/etc/sudoers" file to clarify its usage.
(BZ#688640)

* This erratum upgrades sudo to upstream version 1.7.4p5, which provides a
number of bug fixes and enhancements over the previous version. (BZ#615087)

All users of sudo are advised to upgrade to this updated package, which
resolves these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
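An added example, ours rather than Red Hat's tooling, of the checks a practitioner runs around this update: comparing the installed sudo version-release with the fixed build 1.7.4p5-5.el6, and verifying a downloaded RPM against the SHA-256 listed in this advisory before installing it. The version comparison approximates rpm's rpmvercmp by comparing numeric segments only; that simplification is an assumption, and rpmdev-vercmp from rpmdevtools is the authoritative tool. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): checks to run around applying this
# erratum on a RHEL 6 host.  Helper names are ours, not Red Hat tooling.

FIXED_VR='1.7.4p5-5.el6'   # version-release of the fixed sudo build in this advisory

# vr_digits: turn a version-release string into a space-separated list of
# numeric segments.  Letters and punctuation are treated as separators, so
# "1.7.4p5-5.el6" becomes "1 7 4 5 5 6".  This approximates rpm's rpmvercmp
# (assumption: good enough for comparing sudo builds of one distribution
# release); use rpmdev-vercmp from rpmdevtools when in doubt.
vr_digits() {
    printf '%s' "$1" | sed 's/[^0-9][^0-9]*/ /g'
}

# sudo_build_status: prints "fixed" if version-release $1 is at or after
# $2 (default: the build shipped with this erratum), else "vulnerable".
sudo_build_status() {
    awk -v a="$(vr_digits "$1")" -v b="$(vr_digits "${2:-$FIXED_VR}")" 'BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "vulnerable"; exit }
            if (p > q) { print "fixed"; exit }
        }
        print "fixed"
    }'
}

# sha256_of: hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_rpm_sha256: compare a downloaded RPM against the SHA-256 printed in
# the advisory's package table.  Prints "ok" or "MISMATCH".
verify_rpm_sha256() {
    if [ "$(sha256_of "$1")" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# Typical use on the host (only runs where rpm is installed):
if command -v rpm >/dev/null 2>&1; then
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' sudo 2>/dev/null) && \
        echo "installed sudo $inst: $(sudo_build_status "$inst")"
    # After "yum update sudo", Red Hat's changelog normally names the CVE:
    #   rpm -q --changelog sudo | grep CVE-2011-0010
    # A package fetched by hand is checked against the advisory's hash and
    # Red Hat's signing key (import the key first if rpm -K reports NOKEY):
    #   verify_rpm_sha256 sudo-1.7.4p5-5.el6.x86_64.rpm \
    #       9eb854257fb03c5d6bb4d8bec355d3cc30ab21ae2693c36b72aecb22e7a339cf
    #   rpm -K sudo-1.7.4p5-5.el6.x86_64.rpm
fi
```

The SHA-256 check guards against a corrupted or substituted download; rpm -K is the check that matters for provenance, since it verifies Red Hat's GPG signature over the package rather than a hash copied from a web page.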

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
sudo-1.7.4p5-5.el6.src.rpm
File outdated by:  RHSA-2013:1701
    MD5: a342e4f59aad56d18f0d8f9d606cedc0
SHA-256: b83c788fc701e58556d8224452c62851886ee86c98a12c55a94454b5bbad9c3d
 
IA-32:
sudo-1.7.4p5-5.el6.i686.rpm
File outdated by:  RHSA-2013:1701
    MD5: 5dfc9d5c1808d682dba78748bd894ee7
SHA-256: 98ec15d3d117b9c65462fe3140b9c2345714fe8ded46f5ea164923c01c1ce5c8
sudo-debuginfo-1.7.4p5-5.el6.i686.rpm
File outdated by:  RHSA-2013:1701
    MD5: c5f34758265ee22abc60d7f88ff3dc24
SHA-256: eb317fd62bf37e91808ee0fb2b24ae8238ed06d5be73d2fd35a914d4358cf033
 
x86_64:
sudo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 433efe86ed946c1e3c0af6fe1351aa67
SHA-256: 9eb854257fb03c5d6bb4d8bec355d3cc30ab21ae2693c36b72aecb22e7a339cf
sudo-debuginfo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 4b1d930438c3a1ff8be7aba95c0f3342
SHA-256: 1417ab3012a24de8aa9a5d9fd0a72df780ed924e1b41ed3a856e65e177430d0a
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
sudo-1.7.4p5-5.el6.src.rpm
File outdated by:  RHSA-2013:1701
    MD5: a342e4f59aad56d18f0d8f9d606cedc0
SHA-256: b83c788fc701e58556d8224452c62851886ee86c98a12c55a94454b5bbad9c3d
 
x86_64:
sudo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 433efe86ed946c1e3c0af6fe1351aa67
SHA-256: 9eb854257fb03c5d6bb4d8bec355d3cc30ab21ae2693c36b72aecb22e7a339cf
sudo-debuginfo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 4b1d930438c3a1ff8be7aba95c0f3342
SHA-256: 1417ab3012a24de8aa9a5d9fd0a72df780ed924e1b41ed3a856e65e177430d0a
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
sudo-1.7.4p5-5.el6.src.rpm
File outdated by:  RHSA-2013:1701
    MD5: a342e4f59aad56d18f0d8f9d606cedc0
SHA-256: b83c788fc701e58556d8224452c62851886ee86c98a12c55a94454b5bbad9c3d
 
IA-32:
sudo-1.7.4p5-5.el6.i686.rpm
File outdated by:  RHSA-2013:1701
    MD5: 5dfc9d5c1808d682dba78748bd894ee7
SHA-256: 98ec15d3d117b9c65462fe3140b9c2345714fe8ded46f5ea164923c01c1ce5c8
sudo-debuginfo-1.7.4p5-5.el6.i686.rpm
File outdated by:  RHSA-2013:1701
    MD5: c5f34758265ee22abc60d7f88ff3dc24
SHA-256: eb317fd62bf37e91808ee0fb2b24ae8238ed06d5be73d2fd35a914d4358cf033
 
PPC:
sudo-1.7.4p5-5.el6.ppc64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 9e689e8f13e6d85937556350458fc49d
SHA-256: d80cfb31ef6e3da45afe27d66dac8f1e70ae2b0007d73988ee79a9baff1b1dc4
sudo-debuginfo-1.7.4p5-5.el6.ppc64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 693d8909467e16cde4211c0dcac7c12d
SHA-256: bf77607c0e527d2c7a30090fa4abf814b447a912c2723262611f115fce139013
 
s390x:
sudo-1.7.4p5-5.el6.s390x.rpm
File outdated by:  RHSA-2013:1701
    MD5: ebf580d702dae203389e325b2daf7fae
SHA-256: b64cb0637b8214c0e3b2001079f72746ce61e8a863dd2e68813e0ce165c365f4
sudo-debuginfo-1.7.4p5-5.el6.s390x.rpm
File outdated by:  RHSA-2013:1701
    MD5: 885ef10fe987d473e37641fc3795cff2
SHA-256: 44d908f344d8c07cacb1737b09461a47c062895a97156b3665898c14053c8d4a
 
x86_64:
sudo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 433efe86ed946c1e3c0af6fe1351aa67
SHA-256: 9eb854257fb03c5d6bb4d8bec355d3cc30ab21ae2693c36b72aecb22e7a339cf
sudo-debuginfo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 4b1d930438c3a1ff8be7aba95c0f3342
SHA-256: 1417ab3012a24de8aa9a5d9fd0a72df780ed924e1b41ed3a856e65e177430d0a
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
sudo-1.7.4p5-5.el6.src.rpm
File outdated by:  RHSA-2013:1701
    MD5: a342e4f59aad56d18f0d8f9d606cedc0
SHA-256: b83c788fc701e58556d8224452c62851886ee86c98a12c55a94454b5bbad9c3d
 
IA-32:
sudo-1.7.4p5-5.el6.i686.rpm
File outdated by:  RHSA-2013:1701
    MD5: 5dfc9d5c1808d682dba78748bd894ee7
SHA-256: 98ec15d3d117b9c65462fe3140b9c2345714fe8ded46f5ea164923c01c1ce5c8
sudo-debuginfo-1.7.4p5-5.el6.i686.rpm
File outdated by:  RHSA-2013:1701
    MD5: c5f34758265ee22abc60d7f88ff3dc24
SHA-256: eb317fd62bf37e91808ee0fb2b24ae8238ed06d5be73d2fd35a914d4358cf033
 
x86_64:
sudo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 433efe86ed946c1e3c0af6fe1351aa67
SHA-256: 9eb854257fb03c5d6bb4d8bec355d3cc30ab21ae2693c36b72aecb22e7a339cf
sudo-debuginfo-1.7.4p5-5.el6.x86_64.rpm
File outdated by:  RHSA-2013:1701
    MD5: 4b1d930438c3a1ff8be7aba95c0f3342
SHA-256: 1417ab3012a24de8aa9a5d9fd0a72df780ed924e1b41ed3a856e65e177430d0a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

603823 - sudo - fix printing of entries with multiple host entries on a single line.
615087 - Rebase sudo to version 1.7.3
634159 - .pod files are packaged under /usr/share/doc/sudo*, and man page for sudoers.ldap is missing
652726 - sudo and nss_ldap use different ldap.conf
668879 - CVE-2011-0010 sudo: does not ask for password on GID changes
688640 - Add comment about the visiblepw option into sudoers


References
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/