Security update for sudo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:4240-1 Final 1 1 2022-11-28T08:05:41Z current 2022-11-28T08:05:41Z 2022-11-28T08:05:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sudo This update for sudo fixes the following issues: Security fixes: - CVE-2022-43995: Fixed a potential heap-based buffer over-read when entering a password of seven characters or fewer and using the crypt() password backend (bsc#1204986). Other: - Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition (bsc#1203201). - Change sudo-ldap schema from ASCII to UTF8 (bsc#1197998). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-4240,SUSE-OpenStack-Cloud-9-2022-4240,SUSE-OpenStack-Cloud-Crowbar-9-2022-4240,SUSE-SLE-SAP-12-SP4-2022-4240,SUSE-SLE-SERVER-12-SP3-BCL-2022-4240,SUSE-SLE-SERVER-12-SP4-LTSS-2022-4240 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20224240-1/ Link for SUSE-SU-2022:4240-1 https://lists.suse.com/pipermail/sle-security-updates/2022-November/013119.html E-Mail link for SUSE-SU-2022:4240-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1197998 SUSE Bug 1197998 https://bugzilla.suse.com/1203201 SUSE Bug 1203201 https://bugzilla.suse.com/1204986 SUSE Bug 1204986 https://www.suse.com/security/cve/CVE-2022-43995/ SUSE CVE CVE-2022-43995 page SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 sudo-1.8.20p2-3.33.1 sudo-devel-1.8.20p2-3.33.1 sudo-test-1.8.20p2-3.33.1 sudo-1.8.20p2-3.33.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL sudo-1.8.20p2-3.33.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS sudo-1.8.20p2-3.33.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 sudo-1.8.20p2-3.33.1 as a component of SUSE OpenStack Cloud 9 sudo-1.8.20p2-3.33.1 as a component of SUSE OpenStack Cloud Crowbar 9 Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. CVE-2022-43995 SUSE Linux Enterprise Server 12 SP3-BCL:sudo-1.8.20p2-3.33.1 SUSE Linux Enterprise Server 12 SP4-LTSS:sudo-1.8.20p2-3.33.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:sudo-1.8.20p2-3.33.1 SUSE OpenStack Cloud 9:sudo-1.8.20p2-3.33.1 SUSE OpenStack Cloud Crowbar 9:sudo-1.8.20p2-3.33.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20224240-1/ https://www.suse.com/security/cve/CVE-2022-43995.html CVE-2022-43995 https://bugzilla.suse.com/1204986 SUSE Bug 1204986 https://bugzilla.suse.com/1205838 SUSE Bug 1205838 https://bugzilla.suse.com/1205969 SUSE Bug 1205969 https://bugzilla.suse.com/1206905 SUSE Bug 1206905