ALAS-2019-1309


Amazon Linux AMI Security Advisory: ALAS-2019-1309
Advisory Release Date: 2019-10-14 17:12 Pacific
Severity: Important
References: CVE-2019-14287 

Issue Overview:

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. (CVE-2019-14287 )

Further details can be found here: https://www.sudo.ws/alerts/minus_1_uid.html


Affected Packages:

sudo


Issue Correction:
Run yum update sudo to update your system.

New Packages:
i686:
    sudo-debuginfo-1.8.6p3-29.28.amzn1.i686
    sudo-devel-1.8.6p3-29.28.amzn1.i686
    sudo-1.8.6p3-29.28.amzn1.i686

src:
    sudo-1.8.6p3-29.28.amzn1.src

x86_64:
    sudo-devel-1.8.6p3-29.28.amzn1.x86_64
    sudo-debuginfo-1.8.6p3-29.28.amzn1.x86_64
    sudo-1.8.6p3-29.28.amzn1.x86_64