Security update for sudo

SUSE Security Update: Security update for sudo
Announcement ID: SUSE-SU-2016:2904-1
Rating: moderate
References: #1007501 #1007766 #899252 #917806 #979531
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12-SP1
  • SUSE Linux Enterprise Server 12-SP1
  • SUSE Linux Enterprise Desktop 12-SP1

  • An update that solves three vulnerabilities and has two fixes is now available.

    Description:


    This update for sudo fixes the following security issues:

    - Fix two security vulnerabilities that allowed users to bypass sudo's
    NOEXEC functionality:
    * noexec bypass via system() and popen() [CVE-2016-7032, bsc#1007766]
    * noexec bypass via wordexp() [CVE-2016-7076, bsc#1007501]
    - Fix unsafe handling of TZ environment variable. [CVE-2014-9680,
    bsc#917806]

    Additionally, these non-security fixes are included in the update:

    - Fix "ignoring time stamp from the future" message after each boot with
    !tty_tickets. [bsc#899252]
    - Enable support for SASL-based authentication. [bsc#979531]

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1692=1
    • SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1692=1
    • SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1692=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      • sudo-debuginfo-1.8.10p3-2.6.1
      • sudo-debugsource-1.8.10p3-2.6.1
      • sudo-devel-1.8.10p3-2.6.1
    • SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      • sudo-1.8.10p3-2.6.1
      • sudo-debuginfo-1.8.10p3-2.6.1
      • sudo-debugsource-1.8.10p3-2.6.1
    • SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      • sudo-1.8.10p3-2.6.1
      • sudo-debuginfo-1.8.10p3-2.6.1
      • sudo-debugsource-1.8.10p3-2.6.1

    References: