Amazon Linux 1 Security Advisory: ALAS-2013-259
Advisory Release Date: 2013-12-11 20:34 Pacific
Advisory Updated Date: 2014-09-16 22:10 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. (CVE-2013-1775)
It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. (CVE-2013-2776, CVE-2013-2777)
Affected Packages:
sudo
Issue Correction:
Run yum update sudo to update your system.
i686:
sudo-devel-1.8.6p3-12.17.amzn1.i686
sudo-debuginfo-1.8.6p3-12.17.amzn1.i686
sudo-1.8.6p3-12.17.amzn1.i686
src:
sudo-1.8.6p3-12.17.amzn1.src
x86_64:
sudo-devel-1.8.6p3-12.17.amzn1.x86_64
sudo-1.8.6p3-12.17.amzn1.x86_64
sudo-debuginfo-1.8.6p3-12.17.amzn1.x86_64