Researchers from Qualys found a new (actually, 10 year old) bug in sudo. The reason for the bug is quit standard for c/c++ (heap overflow) , but the result is really (really, really) bad, because with a simple command you can gain root permissions with every valid user. The user doesn’t even has to be in a sudo group, so basically every (unrestricted) php shell is fine.
Vulnerable versions
Qualys writes:
The following versions of sudo are vulnerable:
All legacy versions from 1.8.2 to 1.8.31p2
All stable versions from 1.9.0 to 1.9.5p1
They also put an command in their FAQ with which you can check if your local version is (still) vulnerable. But all main distros have updates by now, so happy updating.
Here again the link to the Qualys Blog.
