ALAS-2017-855

Amazon Linux 1 Security Advisory: ALAS-2017-855
Advisory Release Date: 2017-07-06 19:03 Pacific
Advisory Updated Date: 2017-07-06 22:56 Pacific

Severity: Medium

References: CVE-2017-1000368 RHSA-2017-1574
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368)

Affected Packages:

sudo

Issue Correction:
Run yum update sudo to update your system.

New Packages:

i686:
    sudo-1.8.6p3-29.27.amzn1.i686
    sudo-debuginfo-1.8.6p3-29.27.amzn1.i686
    sudo-devel-1.8.6p3-29.27.amzn1.i686

src:
    sudo-1.8.6p3-29.27.amzn1.src

x86_64:
    sudo-1.8.6p3-29.27.amzn1.x86_64
    sudo-debuginfo-1.8.6p3-29.27.amzn1.x86_64
    sudo-devel-1.8.6p3-29.27.amzn1.x86_64

Additional References

Red Hat: CVE-2017-1000368

Mitre: CVE-2017-1000368