Bugzilla – Bug 1218388
VUL-0: CVE-2023-7090: sudo: Improper handling of ipa_hostname leads to privilege mismanagement
Last modified: 2024-05-17 08:05:09 UTC
A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7090
https://bugzilla.redhat.com/show_bug.cgi?id=2255723 https://www.sudo.ws/releases/legacy/#1.8.28
Refers to: GIT repo https://github.com/sudo-project/sudo commit e99082e05b9f0dd0e0f47fa1d2e1b9d922ea8c4c Author: Todd C. Miller <Todd.Miller@sudo.ws> Date: Thu Aug 15 14:20:12 2019 -0600 Fix special handling of ipa_hostname that was lost in sudo 1.8.24. We now include the long and short hostname in sudo parser container.
affects SUSE:SLE-12-SP5:Update sudo SUSE:SLE-15:Update sudo others are newer or older than the affected version 1.8.24->1.8.27.
This commit is already present in our codestreams as patch sudo-1.8.27-ipa_hostname.patch > https://build.suse.de/package/view_file/SUSE:SLE-12-SP5:Update/sudo/sudo-1.8.27-ipa_hostname.patch?expand=1 > https://build.suse.de/package/view_file/SUSE:SLE-15:Update/sudo/sudo-1.8.27-ipa_hostname.patch?expand=1 I suggest to close this bug as duplicate of bug 1181371 Or should I reference this bug and CVE number in changelog anyway?
Assigning back to security team (see previous comment)
All done, closing. *** This bug has been marked as a duplicate of bug 1181371 ***