Yellow Dog Linux Security Announcement
--------------------------------------

Package:	sudo	
Issue Date: 	January 27, 2002	
Priority:	high		
Advisory ID: 	YDU-20020127-7


1. 	Topic:

	Updated sudo packages fixing a security problem are available.


2. 	Problem:

	Versions of sudo prior to 1.6.4 would not clear the environment before
	sending an email notification about unauthorized sudo attempts, making it
	possible for an attacker to supply parameters to the mail program. In the
	worst case, this could lead to a local root exploit.

	Users of sudo are advised to upgrade to version 1.6.4 which is not
	vulnerable to this issue.
	(from Red Hat advisory)


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

   		yup update sudo

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
		rpm -Fvh sudo-1.6.4-0.7x.2a.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
b0294d6c81cb337f9c97ac6b65896a28  ppc/sudo-1.6.4-0.7x.2a.ppc.rpm
20aa45cc12c602313854061f5d410b5a  SRPMS/sudo-1.6.4-0.7x.2a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see 
http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml