Stay Secure with the Latest Linux Advisories

security advisoryhigh severityprivilege escalation

Arch Linux: ASA-202102-8 High: Opendoas Privilege Escalation Threat

The package opendoas before version 6.8.1-2 is vulnerable to privilege escalation. . Arch Linux Security Advisory ASA-202102-8 ======================================== Severity: High Date : 2021-02-06 CVE-ID : CVE-2019-25016 Package : opendoas Type : privilege escalation Remote : No Link : https://security.archlinux.org/AVG-1504 Summary ====== The package opendoas before version 6.8.1-2 is vulnerable to privilege escalation. Resolution ========= Upgrade to 6.8.1-2. # pacman -Syu "opendoas> =6.8.1-2" The problem has been fixed upstream in version 6.8.1. Workaround ========= None. Description ========== A security issue has been found in OpenDoas before 6.8.1, where rules that allowed the user to execute any command would inherit the executing user's PATH instead of resetting it to a default PATH. Rules that limit the user to execute only a specific command are not affected by this and are only executed from the default PATH and with the PATH environment variable set to the safe default. Impact ===== A local user might be able to escalate privileges. References ========= https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1 https://github.com/Duncaen/OpenDoas/issues/45 https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d.patch https://gitlab.alpinelinux.org/alpine/aports/-/blob/9e259950190c924b4a17825aad2d7cee87fbd75b/main/doas/reset-path.patch https://security.archlinux.org/CVE-2019-25016 . The Arch Linux Security Advisory ASA-202101-5 addresses a critical vulnerability in the openssl package that could lead to significant security breaches.. Opendoas Privilege Escalation, Arch Linux Security Advisory, Security Patch. . LinuxSecurity.com Team

Feb 12, 2021 ArchLinux