Vulnerability Assessment & Network Security Forums



If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important.  If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.


Home >> Browse Vulnerability Assessment Database >> Mandrake Local Security Checks >> MDKSA-2006:159: sudo


Vulnerability Assessment Details

MDKSA-2006:159: sudo

Vulnerability Assessment Summary
Check for the version of the sudo package

Detailed Explanation for this Vulnerability Assessment

The remote host is missing the patch for the advisory MDKSA-2006:159 (sudo).

Previous sudo updates were made available to sanitize certain
environment variables from affecting a sudo call, such as
PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in
addressing those specific environment variables, other variables that
were not blacklisted were being made available.
Debian addressed this issue by forcing sudo to use a whitlist approach
in DSA-946-2 by arbitrarily making env_reset the default (as opposed
to having to be enabled in /etc/sudoers). Mandriva has opted to follow
the same approach so now only certain variables are, by default, made
available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
variables.
If other variables are required to be kept, this can be done by editing
/etc/sudoers and using the env_keep option, such as:
Defaults env_keep='FOO BAR'
As well, the Corporate 3 packages are now compiled with the SECURE_PATH
setting.
Updated packages are patched to address this issue.

Solution : http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:159
Network Security Threat Level: High

Networks Security ID:

Vulnerability Assessment Copyright: This script is Copyright (C) 2006 Tenable Network Security

Cables, Connectors

8GB (1x8G) Hynix Brand Memory for Dell R610/R710/R620/R720 HMT31GR7CFR4C-PBT8AE
$20.0
8GB (1x8G) Hynix Brand Memory for Dell R610/R710/R620/R720 HMT31GR7CFR4C-PBT8AE pictureHynix 2GB (2X1GB) 2Rx16 PC3-8500S HMT112S6BFR6C-G7 N0 AA DDR2 Laptop Memory
$3.0
Hynix 2GB (2X1GB) 2Rx16 PC3-8500S HMT112S6BFR6C-G7 N0 AA DDR2 Laptop Memory pictureSIMPLETECH 1GB PC2 5300/4200/3200 DDR2 240PIN DESKTOP MEMORY 90000-40576-001U
$3.0
SIMPLETECH 1GB PC2 5300/4200/3200 DDR2 240PIN DESKTOP MEMORY 90000-40576-001U pictureSAMSUNG 16GB PC4-2133P PC4-17000R DDR4 REG-ECC DIMM M393A2G40DB0-CPB
$125.0
SAMSUNG 16GB PC4-2133P PC4-17000R DDR4 REG-ECC DIMM M393A2G40DB0-CPB picture


Discussions

No Discussions have been posted on this vulnerability.