Date:      Mon, 17 Nov 2025 00:59:04 GMT
From:      Koichiro Iwao <meta@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: b043c72cd362 - main - security/vuxml: Document sudo-rs < 0.2.10 vulnerabilities
Message-ID:  <202511170059.5AH0x4vv038445@gitrepo.freebsd.org>


The branch main has been updated by meta:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b043c72cd36217446610d9f24745120c5cc8f2d7

commit b043c72cd36217446610d9f24745120c5cc8f2d7
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2025-11-16 13:13:09 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2025-11-17 00:57:07 +0000

    security/vuxml: Document sudo-rs < 0.2.10 vulnerabilities
    
    PR:             290945
---
 security/vuxml/vuln/2025.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index bc7d08dd1172..6fa3610be43d 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,70 @@
+  <vuln vid="bf6c9252-c2ec-11f0-8372-98b78501ef2a">
+    <topic>sudo-rs -- Authenticating user not recorded properly in timestamp</topic>
+    <affects>
+    <package>
+	<name>sudo-rs</name>
+	<range><ge>0.2.5</ge><lt>0.2.10</lt></range>
+	</package>
+	<package>
+	<name>sudo-rs-coexist</name>
+	<range><ge>0.2.5</ge><lt>0.2.10</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Trifecta Tech Foundation reports:</p>
+	<blockquote cite="https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-q428-6v73-fc4q">;
+	  <p>With Defaults targetpw (or Defaults rootpw) enabled, the password of the
+	  target account (or root account) instead of the invoking user is used for authentication.
+	  sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the
+	  authenticated-as user's UID in the authentication timestamp. Any later sudo invocation
+	  on the same terminal while the timestamp was still valid would use that timestamp,
+	  potentially bypassing new authentication even if the policy would have required it.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-64517</cvename>
+      <url>https://cveawg.mitre.org/api/cve/CVE-2025-64517</url>;
+    </references>
+    <dates>
+      <discovery>2025-11-12</discovery>
+      <entry>2025-11-16</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c1ceaaea-c2e7-11f0-8372-98b78501ef2a">
+    <topic>sudo-rs -- Partial password reveal when password timeout occurs</topic>
+    <affects>
+    <package>
+	<name>sudo-rs</name>
+	<range><ge>0.2.7</ge><lt>0.2.10</lt></range>
+    </package>
+    <package>
+	<name>sudo-rs-coexist</name>
+	<range><ge>0.2.7</ge><lt>0.2.10</lt></range>
+    </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Trifecta Tech Foundation reports:</p>
+	<blockquote cite="https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw">;
+	  <p>When typing partial passwords but not pressing return for a long time,
+	  a password timeout can occur. When this happens, the keys pressed are
+	  replayed onto the console.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-64170</cvename>
+      <url>https://cveawg.mitre.org/api/cve/CVE-2025-64170</url>;
+    </references>
+    <dates>
+      <discovery>2025-11-12</discovery>
+      <entry>2025-11-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="364e5fa4-c178-11f0-b614-b42e991fc52e">
     <topic>PostgreSQL -- Multiple vulnerabilities</topic>
     <affects>
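Review bot: the stray `;` after `<body xmlns="http://www.w3.org/1999/xhtml">`, after each `<blockquote cite="...">` opening tag and after each `</url>` closing tag in both new entries would become literal text content inside the rendered description and reference list if those characters are really in the committed file; if they are only an artifact of the mail archive rendering, nothing needs to change. The indentation of the first entry's `<affects>` block is also inconsistent: `</package>` of the first package and `<package>` of the second are indented with a tab, while the second entry (and the surrounding file) uses four spaces for `<package>`/`</package>` and a tab only for `<name>` and `<range>`; aligning the first entry with the second keeps the file uniform.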