OVMSA-2021-0012 - sudo security update

Release Date: 2021-04-27


- Fix a bug on CVE-2021-3156.patch backported from ol7 [Orabug: 32717065]

- backport the fix CVE-2021-3156.patch from ol7.

- Fixes [OraBug: 28747380]
sudo does not honor env_keep-='KRB5CCNAME' after 'sudo -k' (isaac.chen@oracle.com)

- fixed CVE-2019-18634
Resolves: rhbz#1799018

- fixed CVE-2019-14287
Resolves: rhbz#1760684

- Fixes CVE-2017-1000368
Resolves: rhbz#1459409

- Fixes CVE-2017-1000367
Resolves: rhbz#1455400

- Update noexec syscall blacklist
- Fixes CVE-2016-7032 and CVE-2016-7076
Resolves: rhbz#1391938

- RHEL-6.9 erratum
- Fix race condition when creating /var/log/sudo-io directory
Resolves: rhbz#1365156

- RHEL-6.9 erratum
- Fix 'sudo -l command' in the LDAP and SSS backends when the command
is not allowed.
Resolves: rhbz#1374410
- Fix sudo log file wrong group ownership
Resolves: rhbz#1330001
- Fix sudo parsing sudoers with user's locale
Resolves: rhbz#1318374

- RHEL-6.8 erratum
- fixed a bug that let non-root users list the privileges of
other users
Resolves: rhbz#1312481

- RHEL-6.8 erratum
- fixed handling of closefrom_override defaults option
Resolves: rhbz#1309976

- RHEL-6.8 erratum
- fixed potential getcwd failure, resulting in Null pointer exception
Resolves: rhbz#1284886

- RHEL-6.8 erratum
- fixed sssd's detection of user with zero rules
Resolves: rhbz#1220480

- RHEL-6.8 erratum
- search also by user id when fetching rules from LDAP
Resolves: rhbz#1135531

- RHEL-6.8 erratum
- fixed ldap's and sssd's sudoOption value and remove quotes
- fixed ldap's and sssd's sudoOption whitespaces parse problem
Resolves: rhbz#1144422
Resolves: rhbz#1279447

- RHEL-6.8 erratum
- removed defaults option requiretty from /etc/sudoers
- backported pam_service and pam_login_service defaults options
- implemented a new defaults option for changing netgroup processing
- fixed visudo's quiet cli option
Resolves: rhbz#1248695
Resolves: rhbz#1247231
Resolves: rhbz#1241896
Resolves: rhbz#1197885
Resolves: rhbz#1233205

- added patch to re-introduce old group processing behaviour
Resolves: rhbz#1075836

- RHEL-6.7 erratum
- modified the authlogicfix patch to fix #1144448
- fixed a bug in the ldapusermatchfix patch
Resolves: rhbz#1144448
Resolves: rhbz#1142122

- RHEL-6.7 erratum
- fixed the mantypos-ldap.patch
Resolves: rhbz#1138267

- RHEL-6.7 erratum
- added patch for CVE-2014-9680
- added BuildRequires for tzdata
Resolves: rhbz#1200253

- RHEL-6.7 erratum
- added zlib-devel build required to enable zlib compression support
- fixed two typos in the sudoers.ldap man page
- fixed a hang when duplicate nss entries are specified in nsswitch.conf
- SSSD: implemented sorting of the result entries according to the
sudoOrder attribute
- LDAP: fixed logic handling the computation of the 'user matched' flag
- fixed restoring of the SIGPIPE signal in the tgetpass function
- fixed listpw, verifypw + authenticate option logic in LDAP/SSSD
Resolves: rhbz#1106433
Resolves: rhbz#1138267
Resolves: rhbz#1147498
Resolves: rhbz#1138581
Resolves: rhbz#1142122
Resolves: rhbz#1094548
Resolves: rhbz#1144448

- RHEL-6.6 erratum
- SSSD: dropped the ipahostnameshort patch, as it is not
needed. rhbz#1033703 is a configuration issue.
Related: rhbz#1033703

- RHEL-6.6 erratum
- SSSD: fixed netgroup filter patch
- SSSD: dropped separate patch for #1006463, the fix is now part
of the netgroup filter patch
Resolves: rhbz#1006463
Resolves: rhbz#1083064

- RHEL-6.6 erratum
- don't retry authentication when ctrl-c pressed
- fix double-quote processing in Defaults options
- fix sesh login shell argv[0]
- handle the '(none)' hostname correctly
- SSSD: fix ipa_hostname handling
- SSSD: fix sudoUser netgroup specification filtering
- SSSD: list correct user when -U -l specified
- SSSD: show rule names on long listing (-ll)
Resolves: rhbz#1065415
Resolves: rhbz#1078338
Resolves: rhbz#1052940
Resolves: rhbz#1083064
Resolves: rhbz#1033703
Resolves: rhbz#1006447
Resolves: rhbz#1006463
Resolves: rhbz#1070952

- added patches for CVE-2013-1775 CVE-2013-2777 CVE-2013-2776
Resolves: rhbz#1015355

- sssd: fixed a bug in ipa_hostname processing
Resolves: rhbz#853542

- sssd: fixed buffer size for the ipa_hostname value
Resolves: rhbz#853542

- sssd: match against ipa_hostname from sssd.conf too when
checking sudoHost
Resolves: rhbz#853542

- updated man-page
- fixed handling of RLIMIT_NPROC resource limit
- fixed alias cycle detection code
- added debug messages for tracing of netgroup matching
- fixed aborting on realloc when displaying allowed commands
- show the SUDO_USER in logs, if running commands as root
- sssd: filter netgroups in the sudoUser attribute
Resolves: rhbz#856901
Resolves: rhbz#947276
Resolves: rhbz#886648
Resolves: rhbz#994563
Resolves: rhbz#848111
Resolves: rhbz#994626
Resolves: rhbz#973228
Resolves: rhbz#880150

- fixed potential stack overflow in visudo

