Package | sudo |
---|---|
Version | 1.8.5p2-1+nmu3+deb7u5 |
Related CVEs | CVE-2019-14287 |
In sudo, a program that provides limited superuser privileges to specific users, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows an (ALL,!root) configuration to be bypassed with a “sudo -u#-1” command.
See https://www.sudo.ws/alerts/minus_1_uid.html for further information.
For Debian 7 Wheezy, these problems have been fixed in version 1.8.5p2-1+nmu3+deb7u5.
We recommend that you upgrade your sudo packages.
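To locate the sudoers rules that rely on the kind of Runas blacklist described above, such as (ALL,!root), the following added example (not part of the original advisory or of sudo itself) lists user specifications whose Runas user list grants ALL and then excludes entries by negation. It is a simplified line-based check rather than a full sudoers parser; the function names and the sample policy are constructed for illustration.

```python
import re

RUNAS_SPEC = re.compile(r"\(([^)]*)\)")  # "(users : groups)" in a rule

def join_continuations(text):
    """sudoers lets a rule span lines when a line ends in a backslash."""
    return re.sub(r"\\\n", " ", text)

def blacklist_runas_rules(sudoers_text):
    """Return (rule, excluded) pairs for user specifications whose Runas
    user list grants ALL and then subtracts entries by negation."""
    findings = []
    for raw in join_continuations(sudoers_text).splitlines():
        rule = raw.strip()
        # Skip blanks, comments and #include lines, and lines without "=".
        if not rule or rule.startswith("#") or "=" not in rule:
            continue
        # Skip Defaults settings and alias definitions.
        if re.match(r"(Defaults|\w+_Alias)\b", rule):
            continue
        _, rhs = rule.split("=", 1)
        for spec in RUNAS_SPEC.findall(rhs):
            users = spec.split(":", 1)[0]  # drop the Runas group list
            entries = [e.strip() for e in users.split(",") if e.strip()]
            # Negated entries may be names, "#uid" forms or Runas aliases.
            excluded = [e[1:].strip() for e in entries if e.startswith("!")]
            if "ALL" in entries and excluded:
                findings.append((rule, excluded))
    return findings

# Constructed sample policy, not taken from any real host.
SAMPLE = """\
# constructed example
Defaults env_reset
root    ALL = (ALL:ALL) ALL
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (www-data) /usr/bin/systemctl
carol   ALL = (ALL, \\
               !#0 : adm) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for rule, excluded in blacklist_runas_rules(SAMPLE):
        print("review:", rule, "-> excludes", excluded)
```

Rules reported here are the ones to review first on hosts that have not yet received the fixed package; included files referenced from the main sudoers file need to be passed through the same check.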
Further information about Extended LTS security advisories can be found in the dedicated section of our website.