{"id":"MGASA-2020-0246","summary":"Updated sudo packages fix security vulnerability","details":"Updated sudo packages fix security vulnerabilities:\n\nIt was found that sudo always allowed commands to be run with unknown\nuser or group ids if the sudo configuration allowed it for example via\nthe \"ALL\" alias. This could allow sudo to impersonate non-existent\naccount and depending on how applications are configured, could lead to\ncertain restriction bypass. This is now explicitly disabled. A new\nsetting called \"allow_unknown_runas_id\" was introduced in order to enable\nthis (CVE-2019-19232).\n\nWhen an account is disabled via the shadow file, by replacing the\npassword hash with \"!\", it is not considered disabled by sudo. And\ndepending on the configuration, sudo can be run by using such disabled\naccount (CVE-2019-19234).\n\nThe sudo package has been updated to version 1.8.31p1, fixing these\nissues and other bugs.\n","modified":"2026-04-16T04:42:08.972772512Z","published":"2020-06-10T22:26:12Z","upstream":["CVE-2019-19232","CVE-2019-19233","CVE-2019-19234"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0246.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26314"},{"type":"ADVISORY","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"},{"type":"ADVISORY","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19234"},{"type":"WEB","url":"https://www.sudo.ws/legacy.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/"}],"affected":[{"package":{"name":"sudo","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/sudo?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.31p1-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0246.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}