Security Advisory Details

NS-SA-2019-0215

2019-11-22 16:16:52

Summary

critical: sudo/thunderbird security update

Severity

critical

Topic

An update for sudo/thunderbird is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.
thunderbird: Mozilla Thunderbird is a standalone mail and newsgroup client.


Security Fix(es):
sudo: A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction. (CVE-2019-14287)
sudo: bugfix
thunderbird: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)
thunderbird: No description is available for this CVE. (CVE-2019-11757)
thunderbird: No description is available for this CVE. (CVE-2019-11758)
thunderbird: No description is available for this CVE. (CVE-2019-11762)
thunderbird: No description is available for this CVE. (CVE-2019-11763)
thunderbird: No description is available for this CVE. (CVE-2019-11764)
thunderbird: No description is available for this CVE. (CVE-2019-11759)
thunderbird: No description is available for this CVE. (CVE-2019-11760)
thunderbird: No description is available for this CVE. (CVE-2019-11761)
thunderbird: bugfix
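The sudo flaw above (CVE-2019-14287) only matters where a sudoers entry grants a command as any user except root, so a quick audit of the sudoers file for that pattern tells a defender which entries depend on the patched package. The following is an added example, not code from the advisory or from NewStart; the sudoers content, the user names and the commands in it are constructed, and the parser does not resolve Runas_Alias definitions or #include files.

```python
import re

# Constructed sudoers sample (not from the advisory) used to exercise the audit.
SAMPLE_SUDOERS = """\
# Defaults lines are not user specifications
Defaults    env_reset
root        ALL=(ALL) ALL
%wheel      ALL=(ALL:ALL) ALL
# Intent: let bob run vim as any user except root; this is the pattern CVE-2019-14287 affects
bob         ALL=(ALL, !root) /usr/bin/vim
alice       ALL=(ALL, !root:ALL) NOPASSWD: /usr/bin/less
carol       ALL=(www-data, backup) /usr/bin/rsync
dave        ALL=(ALL,!#0) /bin/cat
"""

# Captures the '(runas_user_list[:runas_group_list])' part of a user specification.
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")


def parse_runas(spec):
    """Split a runas spec into (allowed, denied) sets of runas users, ignoring the group list."""
    users = spec.split(":", 1)[0]
    allowed, denied = set(), set()
    for item in (x.strip() for x in users.split(",")):
        if not item:
            continue
        if item.startswith("!"):
            denied.add(item[1:].strip())  # negated entry such as '!root' or '!#0' (UID 0)
        else:
            allowed.add(item)
    return allowed, denied


def find_root_exclusion_entries(sudoers_text):
    """Return user-spec lines whose runas list is 'ALL' minus root, the CVE-2019-14287 pattern."""
    findings = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        m = RUNAS_RE.search(stripped)
        if not m:
            continue  # no explicit runas list means root only, which is not this pattern
        allowed, denied = parse_runas(m.group(1))
        if "ALL" in allowed and denied & {"root", "#0"}:
            findings.append(stripped)
    return findings


if __name__ == "__main__":
    for entry in find_root_exclusion_entries(SAMPLE_SUDOERS):
        print("review (ALL minus root runas):", entry)
```

Entries the audit reports should be rewritten to list the permitted runas users explicitly rather than excluding root, in addition to installing the updated sudo package.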


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F19.

Affected Components

  • sudo
  • thunderbird

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

CGSL MAIN 5.04
  • sudo (source: sudo-1.8.23-4.el7_7.1.src.rpm)
    sudo-1.8.23-4.el7_7.1.x86_64.rpm
    sudo-debuginfo-1.8.23-4.el7_7.1.x86_64.rpm
    sudo-devel-1.8.23-4.el7_7.1.x86_64.rpm
  • thunderbird (source: thunderbird-68.2.0-1.el7.centos.src.rpm)
    thunderbird-68.2.0-1.el7.centos.x86_64.rpm
    thunderbird-debuginfo-68.2.0-1.el7.centos.x86_64.rpm

CGSL CORE 5.04
  • sudo (source: sudo-1.8.23-4.el7_7.1.src.rpm)
    sudo-1.8.23-4.el7_7.1.x86_64.rpm
    sudo-debuginfo-1.8.23-4.el7_7.1.x86_64.rpm
    sudo-devel-1.8.23-4.el7_7.1.x86_64.rpm
  • thunderbird (source: thunderbird-68.2.0-1.el7.centos.src.rpm)
    thunderbird-68.2.0-1.el7.centos.x86_64.rpm
    thunderbird-debuginfo-68.2.0-1.el7.centos.x86_64.rpm

CVE

References