OracleVM 3.2 : sudo (OVMSA-2016-0079)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- added patch for CVE-2014-0106: certain environment variables not sanitized when env_reset is disabled. Resolves: rhbz#1072210

- backported fixes for CVE-2013-1775, CVE-2013-1776 (CVE-2013-2776), CVE-2013-2777. Resolves: rhbz#968221

- visudo: fixed incorrect warning and parse error regarding undefined aliases which were in fact defined. Resolves: rhbz#849679, rhbz#905624

- updated sudoers man-page to clarify the behavior of the user negation operator and the behavior of wildcard matching in command specifications. Resolves: rhbz#846118, rhbz#856902

- fixed regression in escaping of sudo -i arguments. Resolves: rhbz#853203

- bump release number

- fixed caching of user and group names

- backported RFC 4515 escaping of LDAP queries. Resolves: rhbz#855836, rhbz#869287

- add the -c option to sed commands in post/postun scripts. Resolves: rhbz#818585

- implement a new sudoers Defaults option to restore old command exec behavior. Resolves: rhbz#840971

- add ability to treat files authoritatively in sudoers.ldap. Resolves: rhbz#840097

- changed policycoreutils dependency to a context-specific dependency (post & postun). Resolves: rhbz#846694

- don't use a temporary file when modifying nsswitch.conf

- fix permissions on nsswitch.conf, if needed. Resolves: rhbz#846631

- added a workaround for a race condition in handling child processes. Resolves: rhbz#829263

- use safe temporary files in post/postun scripts

- corrected postun script. Resolves: rhbz#841070

- corrected release number

- call restorecon after modifying nsswitch.conf in the postun scriptlet

- added policycoreutils dependency. Resolves: rhbz#818585

- fixed 'sudo -i' command escaping (#806073)

- fixed multiple sudoHost LDAP attr. handling (#740884). Resolves: rhbz#740884, rhbz#806073

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000493.html

Solution :

Update the affected sudo package.

Risk factor :

Medium / CVSS Base Score : 6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.4 (CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 91755

Bugtraq ID: 58203, 58207, 62741, 65997

CVE ID: CVE-2013-1775, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, CVE-2014-0106
