Ubuntu: Patch for sudo vulnerability

Canonical has released a critical security update for Ubuntu 17.04 (Zesty Zapus), Ubuntu 16.10 (Yakkety Yak), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 LTS (Trusty Tahr).



Ubuntu's sudo command contains a critical vulnerability, CVE-2017-1000367, which affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the file system, bypassing intended permissions. Canonical has issued a security bulletin that details the issue and offers updates. (via)
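To show why parsing /proc/[pid]/stat for the controlling tty is easy to get wrong, here is an added example (not sudo's code and not from the bulletin). It relies on the proc(5) field layout, in which field 2 (comm) is wrapped in parentheses and may itself contain spaces, and field 7 is tty_nr; the function names and sample lines are made up for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the n-th (1-based) space-separated token of s as a long,
 * or -1 if it is missing or not a decimal integer. */
static long nth_field(const char *s, int n)
{
    char *end;
    long v;

    while (*s == ' ') s++;
    for (int i = 1; i < n; i++) {
        s = strchr(s, ' ');
        if (s == NULL) return -1;
        while (*s == ' ') s++;
    }
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno != 0 || (*end != ' ' && *end != '\0' && *end != '\n'))
        return -1;
    return v;
}

/* Fragile: assumes tty_nr is simply the 7th space-separated token. */
long tty_nr_naive(const char *stat_line)
{
    return nth_field(stat_line, 7);
}

/* Robust: comm may contain spaces or ')', so anchor on the LAST ')' and
 * count from there: state, ppid, pgrp, session, tty_nr = 5th token. */
long tty_nr_robust(const char *stat_line)
{
    const char *close = strrchr(stat_line, ')');
    return close ? nth_field(close + 1, 5) : -1;
}

int main(void)
{
    /* Constructed sample lines, cut off after field 9 (flags). */
    const char *plain  = "4242 (bash) S 4241 4242 4242 34817 4242 4194304";
    const char *spaced = "4243 (a b) S 4241 4243 4242 34817 4243 4194304";
    printf("plain : naive=%ld robust=%ld\n", tty_nr_naive(plain), tty_nr_robust(plain));
    printf("spaced: naive=%ld robust=%ld\n", tty_nr_naive(spaced), tty_nr_robust(spaced));
    return 0;
}
```

With a space in the process name, the naive count lands on the session field instead of tty_nr, while anchoring on the last closing parenthesis still returns the right value.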

