man-db before 2.8.5 on Gentoo allows local users (with access to the man user account) to gain root privileges because /usr/bin/mandb is executed by root but not owned by root. (Also, the owner can strip the setuid and setgid bits.)

Description Michael Orlitzky  2018-07-29 20:42:23 UTC

Our sys-apps/man-db package installs the /usr/bin/mandb program setuid and setgid with owner/group "man". We also install a daily cron job from ${FILESDIR}/man-db.cron that runs as root and executes,

  exec nice mandb --quiet

This can be exploited by the "man" user to gain root privileges. For example, the "man" user can simply strip off the setuid/setgid bits:

  # su man -s /bin/sh -c 'chmod 755 /usr/bin/mandb'

Now when "mandb" is run in the cron job, it will run with root privileges. But the owner of /usr/bin/mandb has not changed, so the "man" user can write to it because he owns it:

  # su man -s /bin/sh -c 'cat < bad-script.sh > /usr/bin/mandb'

Whenever the cron job runs again, the "man" user gains root.

Comment 1 Thomas Deutschmann (RETIRED)  2018-07-29 22:25:48 UTC

Mh, this sounds like bug 602588...

Comment 2 Michael Orlitzky  2018-07-29 23:06:50 UTC

(In reply to Thomas Deutschmann from comment #1)
\> Mh, this sounds like bug 602588...

I saw that, but the gist of this one is more "the executable shouldn't be owned by 'man' to begin with." The fact that the cron job makes it easy to exploit is only adding insult to injury. If root (or another privileged user) was ever going to run /usr/bin/mandb for any reason, then the "man" user could swap out its contents beforehand.

Comment 4 Colin Watson 2018-09-17 13:00:04 UTC

I don't think those commits are especially related, except perhaps insofar as they describe existing practice.

This sort of thing is indeed a problem with having setuid-to-non-root executables that might be run as root: such a setup inherently means that root has to trust the user that owns the executable.  I can see a few non-exclusive options:

 1) Make mandb setuid root instead, and add code at the start of main() (or maybe in init\_security() or something) to drop to MAN\_OWNER if necessary.
 2) Mitigate the bug by making the cron job run as the man user rather than root; at least then it isn't \*guaranteed\* that mandb will be run as root.  (Note that Debian's cron jobs have run as the man user for at least 17 years.)
 3) Stop installing mandb setuid by default.

Option 1 might be a good idea, and is probably the only way to preserve the setuid setup while immunising against this bug.  On the other hand, it adds a bit more attack surface and would have to be done carefully.

Option 2 seems to have no obvious downsides.  Assuming it works in the Gentoo setup, you surely ought to do this even if it isn't a complete fix for this bug.

Option 3 is almost certainly the right long-term fix.

Comment 6 Lars Wendler (Polynomial-C) (RETIRED)  2019-01-06 15:13:23 UTC

Michael, please check if this attempt is sufficient to get rid of this root escalation issue.

Comment 7 Michael Orlitzky  2019-01-06 16:09:49 UTC

(In reply to Lars Wendler (Polynomial-C) from comment #6)
\> Michael, please check if this attempt is sufficient to get rid of this root
> escalation issue.

In the past, I'm almost certain that portage would not change the owner or group of a file that already exists during merge. So, I was expecting /usr/bin/mandb to still be "man:man" after an upgrade.

Good news: it isn't!

Bad news: I don't know why, or if we can rely on that happening. I'm going to ask around to see if something changed in portage to make this reliable.


But the fix generally looks good to me. In the future you might want to create /var/cache/man in src\_install, so that you don't have to do it in both the cron job and pkg\_preinst, and you don't have to chown/chmod it every time (this can also be dangerous if /var/cache isn't owned by root).

Then, instead of the shell script cron job that we have now, you could put something simpler in /etc/cron.d:

  <minute> <hour> \* \* \* man mandb --quiet

Comment 8 Michael Orlitzky  2019-01-07 16:04:57 UTC

(In reply to Michael Orlitzky from comment #7)
\> 
> In the past, I'm almost certain that portage would not change the owner or
> group of a file that already exists during merge. So, I was expecting
> /usr/bin/mandb to still be "man:man" after an upgrade.
> 

This still happens for directories but not for files. I tested back to portage-2.3.6, so we'd best assume the simplest explanation: I'm remembering wrong, and the ownership of \*files\* will be updated.

Comment 9 Lars Wendler (Polynomial-C) (RETIRED)  2019-01-11 09:02:34 UTC

(In reply to Michael Orlitzky from comment #7)
\> 
> But the fix generally looks good to me. In the future you might want to
> create /var/cache/man in src\_install, so that you don't have to do it in
> both the cron job and pkg\_preinst, and you don't have to chown/chmod it
> every time (this can also be dangerous if /var/cache isn't owned by root).

No can do as this would put the content of /var/cache/man into the package's content which we wanna avoid (by doing it in pkg\_preinst).
 
\> Then, instead of the shell script cron job that we have now, you could put
> something simpler in /etc/cron.d:
> 
>   <minute> <hour> \* \* \* man mandb --quiet

That sounds like a good idea. Care to file a separate bug for that?

CVE-2018-25078: root privilege escalation through setuid executable and cron job

Debian Linux Security Advisory 5327-1 - Sebastien Meriot discovered that the S3 API of Swift, a distributed virtual object store, was susceptible to information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5327-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : swiftCVE ID         : CVE-2022-47950Debian Bug     : 1029200Sebastien Meriot discovered that the S3 API of Swift, a distributedvirtual object store, was susceptible to information disclosure.For the stable distribution (bullseye), this problem has been fixed inversion 2.26.0-10+deb11u1.We recommend that you upgrade your swift packages.For the detailed security status of swift please refer toits security tracker page at:https://security-tracker.debian.org/tracker/swiftFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPQNhQACgkQEMKTtsN8TjY5qw//YHxQJWvmsTZRDzYbyllUh4hfXkfNDKDbMOYv53ebgTSci77Q3di54rXok6OLR02mJaFsiccYVH8O9oWoEZveVkGhgB3fO5QcGhmHP218nXXknHtBWpfMrjzWIWQJLhU6lczlZtCuDxp4FGs1L/dw3HWDjRDC4/O6X4LDV11GGmM8v4OSEFicM5KMih/kNYt/DLHl2J3vb1cOLxNZCPAQoHhknpoE4NXdWnBZju8ufT1E0+OqhAnOTS3SXTZ7LuBmtArY0XwK+rKLeXg65RiJchpNIS7uOi0x+ZgvMbmaad5gKm5hA6ZRDdvsGrw0hUu9Atj40QShghCWhjKVRxXu+jMgFZhew/3drqYERv1sdQr94frmagjLdTlId6QYZCznfGEJTCL2cH+tlW4jBolL5cvS3UcrWHeFh6WNEb3fayeLr3811dJ0D+/bNXoiUTVPIBp37ycVg26Xehz4axrLPyHTDqXTqy5aEn1jee1810F1OeNfZODju8BxXgRxLCQaR7VoWtux+0ZQBhBziii2D2BPSZBzIP14llkqyYdxgMVBI67zDOu1VUXMy2gqJRvlzclimpmWbXXVV16gB3I6Kxt8MQKdMZpinUIYUjdp4Dm7p5pgTU8Jk8qJmdOu43mRnAgMOavLO7/1GeyOvDFnnW0gDsBbGLWRM7VbHGmB+7M=QW6t-----END PGP SIGNATURE-----

Debian Security Advisory 5327-1

Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5326-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : nodejsCVE ID         : CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215                 CVE-2022-35255 CVE-2022-35256 CVE-2022-43548Multiple vulnerabilities were discovered in Node.js, which could resultin HTTP request smuggling, bypass of host IP address validation and weakrandomness setup.For the stable distribution (bullseye), these problems have been fixed inversion 12.22.12~dfsg-1~deb11u3.We recommend that you upgrade your nodejs packages.For the detailed security status of nodejs please refer toits security tracker page at:https://security-tracker.debian.org/tracker/nodejsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPQNhIACgkQEMKTtsN8TjaRmA/+KDFkQcd2sE/eAAx9cVikICNkfu7uIVKHpeDH9o5oq5M2nj4zHJCeAArpWblguyZwEtqzAOO2WesbrmwfXLmglhrNZwRMOrsbu63JxSnecp7qcMwR8A4JWdmdTxb4aZr6Prmwq6fT0G3K6oV8Hw+OeqYA/RZKenxtkBf/jdzVahGJHJ/NrFKKWVQWxbqHwCkP7uUlm+5UR5XzNrodTRCQYHJvUmDUrjEOjM6x+sqYirKWiERN0A14kVn90Ufrw6+Z2tKhdKFZfU1BtDthhlH/nybz0h3aHsk+E5/vx20WAURiCEDVi7nf8+RfEtbCxaqV+/xVoPmXStHY/ogCo8CgRVsyYUIemgi4q5LwVx/Oqjm2CJ/xCwOKh0E2idXLJfLSpxxBe598MUn9iKbnFFCN9DQZXf7BYs3djtn8ALFVBSHZSF1QXFoFQ86wY9xGhBQzfEgCoEW7H4S30ZQ+Gz+ZnOMCSH+MKIMtSpqbc7wLtrKf839DO6Uux7B7u0WR3lZlsihi92QKq9X/VRkyy8ZiA2TYy3IE+KDKlXDHKls9FR9BUClYe9L8RiRuboP8KPFUHUsSVaTzkufMStdKkcXCqgj/6KhJL6E9ZunTBpTmqx1Ty7/N2qktLFnHujrffzV3rCE6eIg7ps8OdZbjCfqUqmQk9/pV6ZDjymqjZ1LKZDsþRn-----END PGP SIGNATURE-----

Debian Security Advisory 5326-1

Debian Linux Security Advisory 5325-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to SQL injection attacks, or bypass authorization access.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5325-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipIt was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to SQL injection attacks, or bypassauthorization access.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u6.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmPPpdYACgkQEL6Jg/PVnWT7GQgAgemz9C/cvulSLwEuV38WAaZwy8RFC3CGw3DirFLf2tVeC6KDI+tGs/u4XSY7M45xEr4y1TR3NMfovrnX6iR/JgPU/3ZJsFquq8O5Z9WCeZFe2YCkmuqP9hQvtxXfOoL4c9b1hfgtv4nVcqLyCFFJhfqLiAy8Eb18vzuggjLVYKa1kioa8wAGk/YBB9rvoKNN1bBfow7A7704Gk2bJMfcxIC9P4anHm6u0OZ4HgC0GYpVYZXegfrFICs7fylqgcg6Ub+HH+6e3wEDN1oqnj0IQDy09lFj4kCT5xQjhQM8oMZChExndWdmRRI2iEmUN/gg7RVhdUfNvv8VTy1lo+wd4g==XA3L-----END PGP SIGNATURE-----

Debian Security Advisory 5325-1

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.

**4.8.1¶**

Released: 20th of January 2023

**Bug Fixes¶**

*   Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.¶
    
    References: pull request 12442
    

**4.8.0-beta2¶**

Released: 7th of November 2022

**Improvements¶**

*   Only replace protobuf logger config objects if the reload changed them.¶
    
    References: #12063, pull request 12146
    
*   Be more lenient replacing auth by non-auth records in cache.¶
    
    References: #12140, pull request 12150
    

**Bug Fixes¶**

*   Fix SNMP OID numbers for rcode stats.¶
    
    References: #12155, pull request 12163
    
*   Implement output operator for QTypes, avoids numeric qtypes in trace logs.¶
    
    References: #12122, pull request 12162
    
*   Handle IXFR connect and transfer timeouts.¶
    
    References: #12125, pull request 12161
    
*   Log invalid RPZ content when obtained via IXFR.¶
    
    References: #12081, pull request 12145
    
*   Detect invalid bytes in makeBytesFromHex().¶
    
    References: #12066, pull request 12147
    

**4.8.0-beta1¶**

Released: 5th of October 2022

**Improvements¶**

*   Add support for NOD/UDR notifications using dnstap.¶
    
    References: pull request 12047
    
*   Protobuf and dnstap metrics, including rec\_control subcommand to show them.¶
    
    References: #11841, pull request 11903, pull request 12049
    
*   Provide metrics for rcode received from authoritative servers.¶
    
    References: #7164, pull request 11949
    
*   Proxymapping metrics, including rec\_control subcommand to show them.¶
    
    References: #11648, pull request 11866
    
*   Add querytime attribute to Lua DNSQuestion object, to see the time a query was received.¶
    
    References: pull request 11909
    
*   Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).¶
    
    References: #11766, pull request 11768
    
*   Improve error message when invalid values for local-address are provided in recursor config file.¶
    
    References: pull request 11989
    
*   Enable SNMP support for debian and ubuntu builds.¶
    
    References: #11999, pull request 12011
    
*   Warn if snmp-agent is set but SNMP support is not available.¶
    
    References: #11998, pull request 12009
    
*   A few tweaks to structured logging calls.¶
    
    References: pull request 11959
    

**Bug Fixes¶**

*   Fix –config (should be equal to –config=default), followup to #11907.¶
    
    References: pull request 12048
    
*   Fix compilation of the event ports multiplexer.¶
    
    References: #12044, pull request 12046
    
*   When an expired NSEC3 entry is seen move it to the front of the expiry queue.¶
    
    References: pull request 12038
    
*   If new data is auth and existing data is not, replace even if cache locking is active.¶
    
    References: #11958, pull request 12027
    

**4.8.0-alpha1¶**

Released: 23rd of September 2022

**Improvements¶**

*   Lock record cache entries if enabled by record-cache-locked-ttl-perc.¶
    
    References: pull request 11958
    
*   Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).¶
    
    References: pull request 11957
    
*   Axfr-retriever: abort on chunk with TC set.¶
    
    References: #11804, pull request 11953
    
*   Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).¶
    
    References: pull request 11955
    
*   Recursor: Add --config[=check|=diff|=default].¶
    
    References: pull request 11907
    
*   Implement optional Serve stale functionality, enabled by serve-stale-extensions..¶
    
    References: pull request 11776
    
*   Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).¶
    
    References: pull request 11906
    
*   Log socket directory path if there is a problem.¶
    
    References: pull request 11800
    
*   Handle Lua script loading errors.¶
    
    References: pull request 11823
    
*   Stop sending Server: header (Chris Hofstaedtler).¶
    
    References: #4979, pull request 11813
    
*   Keep time and count metrics when maintenance is called.¶
    
    References: #6981, pull request 11869
    
*   Consider dns64 processing in more cases than Rcode == NoError.¶
    
    References: pull request 11849
    
*   Set rec_control_LDFLAGS, needed for MacOS or any platforms where libcrypto is not in default lib path.¶
    
    References: #11855, pull request 11857
    
*   Replace/remove jQuery (Chris Hofstaedtler)¶
    
    References: pull request 11812
    
*   Remove unused jsrender.js (Chris Hofstaedtler).¶
    
    References: pull request 11811
    
*   Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.¶
    
    References: #11736, pull request 11780
    
*   Set TCP_NODELAY on in and outgoing TCP.¶
    
    References: #11734, pull request 11754
    
*   Remove > 5 check on TTL of glue from the cache.¶
    
    References: pull request 11744
    
*   Structured logging for various subsystems.¶
    
    References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854
    
*   Make edns table a sparse table.¶
    
    References: pull request 11704, pull request 11779
    
*   Shared ednsmap.¶
    
    References: pull request 11601
    
*   Load IPv6 entries from etc-hosts file.¶
    
    References: #2248, pull request 11682
    
*   Use systemd-journal for structured logging if it is available and set by structured-logging-backend.¶
    
    References: #11705, #11706, pull request 11660, pull request 11709
    
*   Fix typos in stats log messages (Matt Nordhoff).¶
    
    References: #11654, #11671, pull request 11671, pull request 11680
    
*   Shared throttle map.¶
    
    References: pull request 11598
    
*   Adaptive root refresh interval, normally at 80% of max-cache-ttl.¶
    
    References: pull request 11381
    

**Bug Fixes¶**

*   Libssl: Properly load ciphers and digests with OpenSSL 3.0.¶
    
    References: #11853, pull request 11862
    
*   rec\_control: test for --version before requiring an argument.¶
    
    References: #11864, pull request 11867
    
*   Make rec zone files with trailing dot (phonedph1).¶
    
    References: pull request 11672
    
*   Handle file related errors initially loading Lua script.¶
    
    References: #10079, #11818, pull request 11820

CVE-2023-22617: Changelogs for 4.8.X — PowerDNS Recursor documentation

Debian Linux Security Advisory 5323-1 - It was discovered that the CompareTool of iText, a Java PDF library which uses the external ghostscript software to compare PDFs at a pixel level, allowed command injection when parsing a specially crafted filename.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5323-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJanuary 19, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libitext5-javaCVE ID         : CVE-2021-43113Debian Bug     : 1014597It was discovered that the CompareTool of iText, a Java PDF library which usesthe external ghostscript software to compare PDFs at a pixel level, allowedcommand injection when parsing a specially crafted filename.For the stable distribution (bullseye), this problem has been fixed inversion 5.5.13.2-1+deb11u1.We recommend that you upgrade your libitext5-java packages.For the detailed security status of libitext5-java please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libitext5-javaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmPJxhlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSSQw//dNjqrUajjV4/7uztzOajIWwBM7Ra3PNl3Up9jaZJaKdhdBAtDT4qRjK+lVx9CNojQplJQ6k4N3Yzq0Ose3HozR99+bj2J/MC8+skq8LpChDzKCVdVww9To9TXxWaHWHlxSyn9j8nZTvbBAiQcr/KdZFuivFlLtmiLKG0n0S/Czp3YEwYcmv27LbSCehfmOjxpgbLOWGScqQqk9e3aisQ7twMIVU1ED3rKDsjqSHOkxEq9ZZo04TRxGnfokue6KYTizeQq396mzLPd8HlFzTJGDjMqokyrNYBPxFZqPVXm40GSyZiA2OEXcbaTxikx6+XSi/yqngVZxa9gZPL1ATCNaPoJh+n/4eLczHXm90MZ7JWHe8AIGV4mA5iW3olP4blcyRcS10bxwR/qwNikrr0j7PSLv/SP6T/p+ZUzpBXcV9+tPPfzAQ/Wsjd9h/fuPiAdA06OBe0r9hXwO6hX6bxCVVwK6gA8vzCY84kgQp8HUXa6RBSxy/xbfFEGqQW1VToiOOL4IhMY7Pl/4NAaUJUxc4kbpFh2Y8BKytPAivk+DfZGpfsGxP+QXYR5l7nfnIS+j6+F/wL77cxaCGgF7NgH9YuRYQypstHRDrAqGbA97ZE2bAfBX/9TpIGeyqG9sE+rrCbcm/dDr7be31f5TVQ4XmV4gZSE5iw7x5tg+1Wj9c==Z8P9-----END PGP SIGNATURE-----

Debian Security Advisory 5323-1

Debian Linux Security Advisory 5322-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5322-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 18, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2022-46871 CVE-2022-46877 CVE-2023-23598 CVE-2023-23601                 CVE-2023-23602 CVE-2023-23603 CVE-2023-23605Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, information disclosure or spoofing.For the stable distribution (bullseye), these problems have been fixed inversion 102.7.0esr-1~deb11u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPIReIACgkQEMKTtsN8TjY9yA//SO/eLiE3HONwHc8t5XH/P7ZypHDsFaLLfmARCE+c6Lpa6Im5KFHW85rtntXhsvfrDDhjc89yqk/dnFTjOuL4l0sPiOmBt5ziu5l7SPz758LqFBIr8i00oWhdE+DtdUDNtHP7w3IHkxKFqVWKLUo5E29vrDrZCMXvl91VOTQ8SGszrm9zzMAinadW0cmv9HPR5P+9nhwU/Idv4evKZfMOZsgthE+qjVGa1XLhvkCs1ca2i9nnlnB9ZMYuO1AgKwJ64xv0GJ0oc8lcuPeUqKwA5NQIc6ImZMyi5gpa5pdbyXEQhPoagb1b4TNY0XDY+eVKBCqK5fRECJElh+OJ9qgD2t+bIsuNVBH1dZ+Ud/9toWKO+dRrBtJC6AWP0qZIUGsT8CF+4GMM2QsYiyXnxaudi+KgU1IIT04WkWIZlwBQCtgDme8eHwu0NuLXRs+1DvUzsU5Wh8XqNFIhEwJPLPqT1L8d3LdiFq1CqsV3bzy+PL9UzVQWfiPtBCOr7rkp464Vh5rzB5w5syc8G1kjGPZVjmK9gJrKSO2IBFC8TEZOZyRVrIgWtLsdbp9cQvAjhP3slEjzrdE4sYaRTDR1QINBHk4snFaNgi4Dqg9m+tH7JIrw3E/JLgwprAvyAFjW8VQ4gVpbVqkckBcB9qEVKv/wr2kPKFYxRQPf8lbMcYihVbY=gXru-----END PGP SIGNATURE-----

Debian Security Advisory 5322-1

Debian Linux Security Advisory 5321-1 - Matthieu Barjole and Victor Cutillas discovered that sudoedit in sudo, a program designed to provide limited super user privileges to specific users, does not properly handle '--' to separate the editor and arguments from files to edit. A local user permitted to edit certain files can take advantage of this flaw to edit a file not permitted by the security policy, resulting in privilege escalation.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5321-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJanuary 18, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sudoCVE ID         : CVE-2023-22809Matthieu Barjole and Victor Cutillas discovered that sudoedit in sudo, aprogram designed to provide limited super user privileges to specificusers, does not properly handle '--' to separate the editor andarguments from files to edit. A local user permitted to edit certainfiles can take advantage of this flaw to edit a file not permitted bythe security policy, resulting in privilege escalation.Details can be found in the upstream advisory athttps://www.sudo.ws/security/advisories/sudoedit_any/ .For the stable distribution (bullseye), this problem has been fixed inversion 1.9.5p2-3+deb11u1.We recommend that you upgrade your sudo packages.For the detailed security status of sudo please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/sudoFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmPIEYBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RNgg/+PsJxpzc9hop4XU9Jsou45EcQ6bMf1rG/P1EDOTZjoebxe5xemlMAKtNkj5m+ZCAV/jNt+RPuNA9H9IFEE6LBRx17bzTjU0V+q/OXXlHUj9il0I6NnJEUrwya9hFeg28qpRViKMdLN/ok2GJKjH73hr3Y/WZkw8kMbXK8gOiCGqCOLrNYCMq20a1Dp4nlZN94VMO07crU0NLf3CRgLM0qqF4kSPpUSDw/RCefY4ojOwQnuEc7AbGyLrR8GsXzyRTZuSJmFSfIUltXn+DnTy7E1mnQ11wT+80NjbrGvNBCMF36L2nCJzyU0Dz0s6Tp2H25lQYwKtV/ALl2kLH4JMTV4MJQg3X9vnmWVf7LhZyCtVVQxMVg53pKoIHHSmiHiaYKmE/PKPjj+uPIINlKKpozjE6h+lr3VcyLhQbNmL93KZHNeZHGwTaYv6n3dRJjnRFDlFMVhx/8wLgg1egqvxXFOKvpS4cEyIjlb4jW0L8ua4F8y/BHcXOSsAxWgOEDhmEXxOgPnWdaE7//tk+a01zh04mdHwZXSwBnFI1RkuajlTqsBHr5MOU55RIFG0t/0Amr59x/6ChiSVDYJDfy+mXi2AOhJlxeDVk46kdFsX3UHjommVF3YYMgFi3zkoqUuS1eY7e1Z2Bi9Myz7LaDY5GZ9rHFhmGjqjkDjdHoyB1b33AüWy-----END PGP SIGNATURE-----

Debian Security Advisory 5321-1

Debian Linux Security Advisory 5320-1 - A logic error was discovered in the implementation of the "SafeSocks" option of Tor, a connection-based low-latency anonymous communication system, which did result in allowing unsafe SOCKS4 traffic to pass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5320-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 16, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : torCVE ID         : CVE-2023-23589A logic error was discovered in the implementation of the "SafeSocks"option of Tor, a connection-based low-latency anonymous communicationsystem, which did result in allowing unsafe SOCKS4 traffic to pass.For the stable distribution (bullseye), this problem has been fixed inversion 0.4.5.16-1.We recommend that you upgrade your tor packages.For the detailed security status of tor please refer toits security tracker page at:https://security-tracker.debian.org/tracker/torFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIyBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPFo7EACgkQEMKTtsN8TjYBiQ/3Z0/GsDkFaQcjChUneEGZwHDjyw1H/0FzOSbAl6KAjCeiPX645IQZ00Nilqc+uldH8YdXfbM3K330ld25VOb4F7ETgWqeP2nEGtqgTrYkg0EiQFWOtf+cF80wkwo+fK+Okq7FKT2ujBNXnZeUcUfwlUfa+Zuo87g9tYU5WNzyl5SB8F13sq9AyWRZK/1EKJqpeKhsjPfTM06ee2sEXX8vxMXEKvBtzdk5FonAPU2NLv0Nr+P82aFWUsCrSpjN0yU4qN6/mv7ePqWrk+OJlBdTi2sNv7Yu7S/kDnmkiBR0UqkL4eQve/+UUlR0FEVMrzgJKtITT5zLFsmBNHZmx9LDHkAQsNTSefze4SFYSPqykOYvKpF2UmYtwl+wWcttU/He7RVNiw6WE1i4Du+YOyD9BT3nVC2Aql3hcsKGsOHSxWXWUIXFtG9zIagzZ/KGLFWS7VnMXO6x3a7lYTjgR0LzZFruCpSyzh5polM9adaR3PBsoVLfUQpq5c2OWVMEAHbu8hCWPmVLiOnyLo8vTT7lxMwErWNC/fs4WshpDNu2hD+LW8ZZoRpqN2lzlUAsTaxyTLvDblS/NZM4byHfEcB0yFQEWLEreFyNR9qbgo0/gFrWk6OZdT0odTFVTeTUDnlf+WnJnwP8KV5OJl5GHvERnpDwPQCxH6UaPoF1BSos8A==jzew-----END PGP SIGNATURE-----

Debian Security Advisory 5320-1

Debian Linux Security Advisory 5319-1 - Two vulnerabilities were discovered in the LLPD implementation of Open vSwitch, software-based Ethernet virtual switch, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5319-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 13, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openvswitchCVE ID         : CVE-2022-4337 CVE-2022-4338Debian Bug     : 1027273Two vulnerabilities were discovered in the LLPD implementation of OpenvSwitch, software-based Ethernet virtual switch, which could result indenial of service.For the stable distribution (bullseye), these problems have been fixed inversion 2.15.0+ds1-2+deb11u2.We recommend that you upgrade your openvswitch packages.For the detailed security status of openvswitch please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openvswitchFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPBrj0ACgkQEMKTtsN8TjbVVw/+OXr/AQa61Y04slO3uhOLOa+llhszDFjIGlWFWlqMEg7CItYhqEdAf3nCelZy2/wqtv4VIMrz8IW+qDWSMkitgjWqbmn3dG92VhcLFD3Dq1RGXg3B8x22MMtGsBGYIfUPhDbG97NE4tqr2itN0ubl9Z8mnOFVv3D9eqxJT3df9WXMVZpX+jHiSMU3uLLhHor9rRBWpu3DEW5Cc6jLLghuN2FS2FADiUtf5MLAUk7gR1CRqOQm+41yNoBPqBF/C+OqJpHSitbVDtJjKacv/VUVgMzHt9Xf1gMNldLan9rO1MYkZaKkSuC+U5G5Kpj55we0LM/zAKRVnGFPk6QQUWHSCMG4Ae4+pRAWBX7ofwY38C6sxhUS+C9vMYao9sFZuWvKFElyQPgI/NVsUNDxYPGHRFxOXWgDyxDxNIBhf8s7QzgQBoegaaJ7A1LK4lhUsG7xQ1dmJRsB8jtYXR8v/QBNvnoU+JG1yi8yUPfD+VvAgnulKpWy/u12EVZBRot9tG39oZO0ReDGk6g/fLyHFo74gCGsjNZCHUzuk3q+axJnAH1z9Ss2Qp3g6snBo6Ku0ZxfN2hp4ylv/jXjNAP8jnQ3S94DJVZiJwlakzJD6J3pYdKzL7NWKuXhyjrAmOdQJnpZSKLr546Av5tAqoXvHCvmfTWPdbvST7cFraWs2X2StpE==a4Zt-----END PGP SIGNATURE-----

Tag

#debian