Updated sudo packages fix security vulnerabilities
Publication date: 17 Jan 2021Modification date: 17 Jan 2021
Type: security
Affected Mageia releases : 7
CVE: CVE-2021-23239 , CVE-2021-23240
Description
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. (CVE-2021-23239). selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. (CVE-2021-23240).
References
SRPMS
7/core
- sudo-1.9.5-1.mga7