From owner-svn-ports-all@FreeBSD.ORG Fri Mar 1 02:08:31 2013 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 99301B43; Fri, 1 Mar 2013 02:08:31 +0000 (UTC) (envelope-from wxs@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 73215F1D; Fri, 1 Mar 2013 02:08:31 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r2128VWt042364; Fri, 1 Mar 2013 02:08:31 GMT (envelope-from wxs@svn.freebsd.org) Received: (from wxs@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r2128VkW042362; Fri, 1 Mar 2013 02:08:31 GMT (envelope-from wxs@svn.freebsd.org) Message-Id: <201303010208.r2128VkW042362@svn.freebsd.org> From: Wesley Shields Date: Fri, 1 Mar 2013 02:08:31 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r313132 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Mar 2013 02:08:31 -0000 Author: wxs Date: Fri Mar 1 02:08:30 2013 New Revision: 313132 URL: http://svnweb.freebsd.org/changeset/ports/313132 Log: Document two sudo problems. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Mar 1 01:57:28 2013 (r313131) +++ head/security/vuxml/vuln.xml Fri Mar 1 02:08:30 2013 (r313132) @@ -51,6 +51,67 @@ Note: Please add new entries to the beg --> + + sudo -- Authentication bypass when clock is reset + + + sudo + 1.8.6.p7 + + + + +

Todd Miller reports:

+
+

The flaw may allow someone with physical access to a machine that + is not password-protected to run sudo commands without knowing the + logged in user's password. On systems where sudo is the principal + way of running commands as root, such as on Ubuntu and Mac OS X, + there is a greater chance that the logged in user has run sudo + before and thus that an attack would succeed.

+
+ + + + CVE-2013-1775 + http://www.sudo.ws/sudo/alerts/epoch_ticket.html + + + 2013-02-27 + 2013-03-01 + + + + + sudo -- Potential bypass of tty_tickets constraints + + + sudo + 1.8.6.p7 + + + + +

Todd Miller reports:

+
+

A (potentially malicious) program run by a user with sudo access + may be able to bypass the "tty_ticket" constraints. In order for + this to succeed there must exist on the machine a terminal device + that the user has previously authenticated themselves on via sudo + within the last time stamp timeout (5 minutes by default).

+
+ + + + CVE-2013-1776 + http://www.sudo.ws/sudo/alerts/tty_tickets.html + + + 2013-02-27 + 2013-03-01 + + + rubygem-dragonfly -- arbitrary code execution