Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 24 Feb 2010 09:27:15 -0600
From: Jamie Strandboge <>
To: oss-security <>
Subject: Re: CVE assignment notification -- CVE-2010-0427 --
 sudo fails to reset group permissions if runas_default set

On Tue, 2010-02-23 at 17:17 +0100, Jan Lieskovsky wrote:

Thanks for your investigation.

>    b, v1.7.x based versions of sudo are not affected by this
>       flaw due the differences in the way sudoers file is parsed.

This is in conflict with Todd's statement in his writeup:
"Sudo versions affected:
1.6.9 through 1.7.2p3 inclusive.
The bug is fixed in sudo 1.7.2p4 and 1.6.9p21"

Upstream appears to have patched 1.7.2. Can you explain why it is not

Jamie Strandboge             |

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.