Security vulnerability in sudo allows privilege escalation
Interesting vulnerability that allows a user listed in /etc/sudoers to bypass authentication by resetting the timestamp file with "sudo -k" or removing it with "sudo -K".
http://www.sudo.ws/sudo/alerts/epoch_ticket.html

Probably not as big a deal for Slackware as it could be for *buntu, but perhaps this could be a convenient time for Pat to upgrade sudo anyway. I've built 1.8.6p7 using the SlackBuild in current and sudo seems to function as it did before.
Anyone with any sense will have set "timestamp_timeout = 0" as the sudo password caching thing is inherently insecure anyway.
It's even worse for Ubuntu of course because of their idiotic misuse of sudo, i.e. "ALL = (ALL) ALL" rather than more specific targeting of allowed commands. Besides, if unprivileged users can change your system time then IMO you have bigger problems.
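The two settings the replies above recommend, disabling the credential cache and granting specific commands instead of a blanket "ALL = (ALL) ALL", shown as an added sudoers fragment that is not from the thread or the sudo project; the user name, alias names, file path and command paths are assumptions chosen to look like a Slackware box:

```sudoers
# Constructed example, assumed to be installed as /etc/sudoers.d/hardened
# (check syntax first with: visudo -c -f /etc/sudoers.d/hardened)

# Weak: unrestricted root for the user, and the password stays cached for
# the default timestamp_timeout window after each successful sudo.
#   alice   ALL=(ALL) ALL

# Corrected, part 1: timestamp_timeout=0 means every sudo invocation prompts
# for the password, so there is no cached ticket left to reuse or replay.
Defaults        timestamp_timeout=0

# Corrected, part 2: name the commands the user actually needs and grant only
# those, as root, instead of every command on every host.
Cmnd_Alias      PKGTOOLS = /sbin/installpkg, /sbin/upgradepkg, /sbin/removepkg
Cmnd_Alias      WEBSVC   = /etc/rc.d/rc.httpd restart, /etc/rc.d/rc.httpd status

alice   ALL=(root) PKGTOOLS, WEBSVC
```

With this fragment in place, `sudo -l` run as alice lists only the two aliases, and every invocation prompts for a password regardless of the state of the timestamp file, which is the point of the timestamp_timeout advice in the thread.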