Vulnerability Scanning Solutions, LLC.
Home
Our Process
Residential
Corporate
What We Scan For
Sample Report
Client List
Terms
Contact Us
What We Scan For
Family: Mandrake Local Security Checks --> Category: infos

MDKSA-2006:159: sudo Vulnerability Scan


Vulnerability Scan Summary
Check for the version of the sudo package

Detailed Explanation for this Vulnerability Test

The remote host is missing the patch for the advisory MDKSA-2006:159 (sudo).

Previous sudo updates were made available to sanitize certain
environment variables from affecting a sudo call, such as
PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in
addressing those specific environment variables, other variables that
were not blacklisted were being made available.
Debian addressed this issue by forcing sudo to use a whitlist approach
in DSA-946-2 by arbitrarily making env_reset the default (as opposed
to having to be enabled in /etc/sudoers). Mandriva has opted to follow
the same approach so now only certain variables are, by default, made
available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
variables.
If other variables are required to be kept, this can be done by editing
/etc/sudoers and using the env_keep option, such as:
Defaults env_keep='FOO BAR'
As well, the Corporate 3 packages are now compiled with the SECURE_PATH
setting.
Updated packages are patched to address this issue.

Solution : http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:159
Threat Level: High

Click HERE for more information and discussions on this network vulnerability scan.

VSS, LLC.

P.O. Box 827051

Pembroke Pines, FL 33082-7051

Vulnerability Scanning Solutions, LLC.