- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3732-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
February 03, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sudo
Version        : 1.8.27-1+deb10u6
CVE ID         : CVE-2023-7090 CVE-2023-28486 CVE-2023-28487

Sudo, a program designed to allow a sysadmin to give limited
root privileges to users and log root activity, was vulnerable.

CVE-2023-7090

    A flaw was found in sudo in the handling of ipa_hostname, where
    ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo.
    Therefore, it leads to privilege mismanagement vulnerability in
    applications, where client hosts retain privileges even after
    retracting them.

CVE-2023-28486

    Sudo did not escape control characters in log messages.

CVE-2023-28487

    Sudo did not escape control characters in sudoreplay output.

For Debian 10 buster, these problems have been fixed in version
1.8.27-1+deb10u6.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/sudo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS