File _patchinfo of Package patchinfo.27910
<patchinfo incident="27910">
<issue tracker="bnc" id="1206483">sudo crashes in sssd module on empty RunAs list</issue>
<issue tracker="bnc" id="1206772">sudo asks for password for non-existing command</issue>
<issue tracker="bnc" id="1203201">L3-Question: sudo block in ppoll syscall while child process already gone</issue>
<issue tracker="bnc" id="1209361">VUL-0: CVE-2023-28487: sudo: does not escape control characters in sudoreplay output.</issue>
<issue tracker="bnc" id="1208595">VUL-0: CVE-2023-27320: sudo: double free with per-command chroot sudoers rules</issue>
<issue tracker="bnc" id="1209362">VUL-0: CVE-2023-28486: sudo: does not escape control characters in log messages.</issue>
<issue tracker="cve" id="2023-27320"/>
<issue tracker="cve" id="2023-28486"/>
<issue tracker="cve" id="2023-28487"/>
<packager>jsikes</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for sudo</summary>
<description>This update for sudo fixes the following issues:
Security issues:
- CVE-2023-28486: Fixed missing escaping of control characters in log messages (bsc#1209362).
- CVE-2023-28487: Fixed missing escaping of control characters in sudoreplay output (bsc#1209361).
- CVE-2023-27320: Fixed a potential double free with per-command chroot sudoers rules (bsc#1208595).
Bug fixes:
- Fix a situation where "sudo -U otheruser -l" would dereference a NULL pointer (bsc#1206483).
- If NOPASSWD is specified, don't ask for password if command is not found (bsc#1206772).
- Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201).
</description>
</patchinfo>