Update: vulnerability in sudo could allow users who should not run commands as root

Vulnerability in sudo

A few minutes ago, Canonical published a new security notice. The vulnerability fixed this time is another of those that could easily go unnoticed, but it stands out for being in something every Ubuntu user knows: the sudo command. The notice is USN-4154-1 and, as you might expect, it affects all supported Ubuntu versions.

To be more specific, the supported versions we are referring to are Ubuntu 19.04, Ubuntu 18.04 and Ubuntu 16.04 in their normal cycle, and Ubuntu 14.04 and Ubuntu 12.04 under ESM (Extended Security Maintenance). If we open Canonical's page for the fixed vulnerability, we see that patches are already available for all the versions mentioned above, but that Ubuntu 19.10 Eoan Ermine is still affected, as the red text "needed" indicates.


sudo is updated to version 1.8.27 to correct a vulnerability

The fixed bug is CVE-2019-14287, which is described as:

When sudo is configured to allow a user to execute commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to execute commands as root by specifying user ID -1 or 4294967295.
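Two things a defender wants from that description: which sudoers entries have the vulnerable shape (ALL as the Runas user, typically with !root added in the belief that it blocks root), and why -1 and 4294967295 are special. The following is an added example, not code from Canonical or the sudo project; the sudoers content is a constructed sample, and the hardened parser only models the id check the fix introduces.

```python
import re

# Constructed sample sudoers content (not from the advisory).  The "alice" line is
# the classic CVE-2019-14287 shape: ALL as Runas user with root excluded.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim    # meant to block root, does not on old sudo
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL=/usr/bin/apt update          # implicit Runas root, nothing to escalate
"""

# user  host = (runas_user[,runas_user...][:runas_group]) [TAG:] command
_RUNAS_RE = re.compile(r'^(\S+)\s+([^\s=]+)\s*=\s*\(([^)]*)\)\s*(.*)$')


def exposed_entries(sudoers_text):
    """Return (user, runas_spec) for lines whose Runas user list contains ALL.

    On unpatched sudo such a line lets the named user run the command as root by
    giving user id -1 or 4294967295, even when the list also says !root.
    Runas_Alias definitions are not expanded by this simple check.
    """
    hits = []
    for raw in sudoers_text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', raw).strip()   # drop comments, keep '#uid'
        m = _RUNAS_RE.match(line)
        if not m or m.group(1) == 'root':               # root gains nothing here
            continue
        runas_users = m.group(3).split(':', 1)[0]       # ignore the runas group part
        if 'ALL' in [u.strip() for u in runas_users.split(',')]:
            hits.append((m.group(1), m.group(3).strip()))
    return hits


UID_NO_CHANGE = 4294967295   # (uid_t)-1: setresuid(2) reads it as "leave unchanged"


def parse_numeric_uid(text):
    """Hardened parse of a numeric user id such as '#1000'.

    -1 wraps to 4294967295 in a 32-bit uid_t, and that value tells setresuid()
    not to change the uid at all, so a root sudo process simply stayed root.
    Rejecting both values is the shape of the fix the update carries.
    """
    if not text.startswith('#'):
        raise ValueError("expected '#<uid>'")
    value = int(text[1:], 10)
    if not 0 <= value < UID_NO_CHANGE:      # rejects -1, 4294967295 and larger
        raise ValueError("invalid user id %d" % value)
    return value


def uid_is_rejected(text):
    """True when parse_numeric_uid() refuses the id (for auditing test vectors)."""
    try:
        parse_numeric_uid(text)
    except ValueError:
        return True
    return False
```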

Canonical has rated the bug as medium priority. Still, "sudo" and "root" bring to mind Lockdown, a security module that will arrive with Linux 5.4. This module further restricts permissions, which is more secure on the one hand but on the other prevents the owner of a machine from being a kind of "god" over it. For this reason it has been debated for a long time, and Lockdown will be disabled by default, although the main reason for that is that it could break existing operating systems.

The update is already available from the various software centers. Given how quick and easy it is to install, and that in theory no restart is needed, update now.

