Security update for sudo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:1699-1 Final 1 1 2023-03-30T10:18:46Z current 2023-03-30T10:18:46Z 2023-03-30T10:18:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sudo This update for sudo fixes the following issue: Security fixes: - CVE-2023-28486: Fixed missing control characters escaping in log messages (bsc#1209362). - CVE-2023-28487: Fixed missing control characters escaping in sudoreplay output (bsc#1209361). Other fixes: - Fix a situation where 'sudo -U otheruser -l' would dereference a NULL pointer (bsc#1206483). - Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-1699,SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-1699,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-1699,SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-1699,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-1699,SUSE-SLE-Product-SLES_SAP-15-SP1-2023-1699,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-1699,SUSE-Storage-7-2023-1699 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20231699-1/ Link for SUSE-SU-2023:1699-1 https://lists.suse.com/pipermail/sle-updates/2023-March/028500.html E-Mail link for SUSE-SU-2023:1699-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203201 SUSE Bug 1203201 https://bugzilla.suse.com/1206483 SUSE Bug 1206483 https://bugzilla.suse.com/1209361 SUSE Bug 1209361 https://bugzilla.suse.com/1209362 SUSE Bug 1209362 https://www.suse.com/security/cve/CVE-2023-28486/ SUSE CVE CVE-2023-28486 page https://www.suse.com/security/cve/CVE-2023-28487/ SUSE CVE CVE-2023-28487 page SUSE Enterprise Storage 7 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 sudo-1.8.27-150000.4.43.1 sudo-devel-1.8.27-150000.4.43.1 sudo-test-1.8.27-150000.4.43.1 sudo-1.8.27-150000.4.43.1 as a component of SUSE Enterprise Storage 7 sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Enterprise Storage 7 sudo-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS sudo-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS sudo-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS sudo-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS sudo-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 sudo-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 sudo-devel-1.8.27-150000.4.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 Sudo before 1.9.13 does not escape control characters in log messages. CVE-2023-28486 SUSE Enterprise Storage 7:sudo-1.8.27-150000.4.43.1 SUSE Enterprise Storage 7:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP1-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP1-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP2-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP2-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:sudo-devel-1.8.27-150000.4.43.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231699-1/ https://www.suse.com/security/cve/CVE-2023-28486.html CVE-2023-28486 https://bugzilla.suse.com/1209362 SUSE Bug 1209362 Sudo before 1.9.13 does not escape control characters in sudoreplay output. CVE-2023-28487 SUSE Enterprise Storage 7:sudo-1.8.27-150000.4.43.1 SUSE Enterprise Storage 7:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP1-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP1-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP2-LTSS:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server 15 SP2-LTSS:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:sudo-devel-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:sudo-1.8.27-150000.4.43.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:sudo-devel-1.8.27-150000.4.43.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231699-1/ https://www.suse.com/security/cve/CVE-2023-28487.html CVE-2023-28487 https://bugzilla.suse.com/1209361 SUSE Bug 1209361