http://www.sudo.ws/sudo/alerts/bash_functions.html

It appears that the sudo in warty and hoary are vulnerable to script subversion....

http://www.sudo.ws/sudo/alerts/bash_functions.html

It appears that the sudo in warty and hoary are vulnerable to script subversion....
Hmm... that's no good for publicity, since that's the main way of doing things... is there a fix coming into hoary anytime soon?

Hmm... that's no good for publicity, since that's the main way of doing things... is there a fix coming into hoary anytime soon?
I assume the fix will come to Warty as well. (That is, afterall, what the security apt repositories are for.)

I assume the fix will come to Warty as well. (That is, afterall, what the security apt repositories are for.)
yeah, what you said *L* I think I was just stuck on hoary. Just basically asking if a fix was coming in anytime soon.

https://bugzilla.ubuntu.com/show_bug.cgi?id=3750

I filed a P1 bug report on it, hoping to get some light shed.

Well, Martin Pitt rejected it as a Warty update, noting that Sudo is inherently insecure:


I do not regard this as a security bug. Using sudo is inherently insecure and
you do not need to trick an user into exporting some functions. The user using
sudo is principally equivalent to root anyway. In addition, calling bash
functions with sudo could also be considered a feature, so I do not want to
change the warty version for that.

Hoary will probably contain the change due to syncing to Debian, though.

Never mind, another dev accepted the patch; Warty now has updated sudo!

Never mind, another dev accepted the patch; Warty now has updated sudo!
I thought that quoted dev response was shaky reasoning. Especially calling it added functionality lol Im gonna use that one at work sometime. "Did you patch that exchange server yesterday?" "Nah, Windows 2000 is inherently insecure and those abilities to remotely execute code can be considered a feature."
Then I get to leave work early and never come back ROTFL

Devs are busy people... it's understandable that they may skim the link and not notice it.

That's why there's not just one dev managing security! Plus, that's where the community comes in.

https://bugzilla.ubuntu.com/show_bug.cgi?id=3830

I'm trying my luck again, with kernel smbfs vulns.

https://bugzilla.ubuntu.com/show_bug.cgi?id=3830

I'm trying my luck again, with kernel smbfs vulns.
you mean they actually denied that one too?
thats what security.ubuntu is for, i thought

no, they haven't said anything yet; it's been assigned to Martin Pitt & friends....

no, they haven't said anything yet; it's been assigned to Martin Pitt & friends....
pitt has addressed it already - that was quick