Attachment #208306 for bug #241244

View | Details | Raw Unified | Return to bug 241244
Collapse All | Expand All




  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="1f8f5fed-ee95-11e9-8518-9c5c8e75236a">
    <topic>sudo -- Potential bypass of Runas user restrictions</topic>
    <affects>
      <package>
	<name>sudo</name>
	<range><lt>1.8.28</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Todd C. Miller reports:</p>
	<blockquote cite="https://www.sudo.ws/alerts/minus_1_uid.html">
	  <p>When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.</p>
	  <p>This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.</p>
	  <p>Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>https://www.sudo.ws/alerts/minus_1_uid.html</url>
      <cvename>CVE-2019-14287</cvename>
    </references>
    <dates>
      <discovery>2019-10-15</discovery>
      <entry>2019-10-15</entry>
    </dates>
  </vuln>

  <vuln vid="fd2e0ca8-e3ae-11e9-8af7-08002720423d">
    <topic>mongodb -- Bump Windows package dependencies</topic>
    <affects>

Return to bug 241244

Lines 58-63 Link Here

(-)vuln.xml (+28 lines)
58	* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)	58	* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
59	-->	59	-->
60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">	60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
		61	<vuln vid="1f8f5fed-ee95-11e9-8518-9c5c8e75236a">
		62	<topic>sudo -- Potential bypass of Runas user restrictions</topic>
		63	<affects>
		64	<package>
		65	<name>sudo</name>
		66	<range><lt>1.8.28</lt></range>
		67	</package>
		68	</affects>
		69	<description>
		70	<body xmlns="http://www.w3.org/1999/xhtml">
		71	<p>Todd C. Miller reports:</p>
		72	<blockquote cite="https://www.sudo.ws/alerts/minus_1_uid.html">
		73	<p>When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.</p>
		74	<p>This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.</p>
		75	<p>Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.</p>
		76	</blockquote>
		77	</body>
		78	</description>
		79	<references>
		80	<url>https://www.sudo.ws/alerts/minus_1_uid.html</url>
		81	<cvename>CVE-2019-14287</cvename>
		82	</references>
		83	<dates>
		84	<discovery>2019-10-15</discovery>
		85	<entry>2019-10-15</entry>
		86	</dates>
		87	</vuln>
		88
61	<vuln vid="fd2e0ca8-e3ae-11e9-8af7-08002720423d">	89	<vuln vid="fd2e0ca8-e3ae-11e9-8af7-08002720423d">
62	<topic>mongodb -- Bump Windows package dependencies</topic>	90	<topic>mongodb -- Bump Windows package dependencies</topic>
63	<affects>	91	<affects>