Alerts This Week
Warning Icon 1 681
Alerts This Week
Warning Icon 1 681

Fedora 32: 2021-234d14bfcc Critical: Sudo Race Condition and Link Attack

fedora
Calendar Grey January 20, 2021
Dist Fedora Esm H88
Important patch for Fedora 32 addresses vulnerabilities in sudo, mitigating issues such as race conditions and potential link attack risks.
Rebase to 1.9.5p1 - updated sudo url Resolves: rhbz#1902758 - enabled python plugin as a subpackage Resolves: rhbz#1909299 - fixed double free in sss_to_sudoers Resolves: rhbz#1885...

Summary

Sudo (superuser do) allows a system administrator to give certain

users (or groups of users) the ability to run some (or all) commands

as root while logging all commands and arguments. Sudo operates on a

per-command basis. It is not a replacement for the shell. Features

include: the ability to restrict what commands a user may run on a

per-host basis, copious logging of each command (providing a clear

audit trail of who did what), a configurable timeout of the sudo

command, and the ability to use the same configuration file (sudoers)

on many different machines.

Rebase to 1.9.5p1 - updated sudo url Resolves: rhbz#1902758 - enabled python

plugin as a subpackage Resolves: rhbz#1909299 - fixed double free in

sss_to_sudoers Resolves: rhbz#1885874 - fixed CVE-2021-23239 sudo: possible

directory existence test due to race condition in sudoedit Resolves:

rhbz#1915055 - fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit Resolves: rhbz#1915054

* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1

- rebase to 1.9.5p1

- updated sudo url

Resolves: rhbz#1902758

- enabled python plugin as a subpackage

Resolves: rhbz#1909299

- fixed double free in sss_to_sudoers

Resolves: rhbz#1885874

- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit

Resolves: rhbz#1915055

- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit

Resolves: rhbz#1915054

[ 1 ] Bug #1915052 - CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit

https://bugzilla.redhat.com/show_bug.cgi?id=1915052

[ 2 ] Bug #1915053 - CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit

https://bugzilla.redhat.com/show_bug.cgi?id=1915053

su -c 'dnf upgrade --advisory FEDORA-2021-234d14bfcc' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory security issue critical Fedora privilege escalation sudo race condition link attack

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 32
Version: 1.9.5p1
Release: 1.fc32
URL: Summary : Allows restricted root access for specified users

Topics%20covered

Topics Covered

security advisory security issue critical Fedora privilege escalation sudo race condition link attack

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here