
Resolved
0 votes
3 days ago this was published:
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

The sudo team has provided an updated sudo package but this is not available on ClearOS yet. When will this one become available?

Easy check to see if your sudo is affected:
Bad:
dries@mail:~$ sudoedit -s /
sudoedit: /: not a regular file

Good:
[root@mail ~]# sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...


Of course one can just install the update from the sudo team directly:
yum install https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-1.9.5-3.el7.x86_64.rpm
Friday, January 29 2021, 07:37 AM
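As an added example (not part of the original post), a small POSIX shell helper that automates the `sudoedit -s /` check quoted above so it can be run unattended across hosts. The two matched strings are the exact outputs shown in the post; any other output is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the sudoedit -s / check
# so its result can be consumed by a script instead of read by eye.

# Classify the captured output of `sudoedit -s /`.
# Prints one of: vulnerable | patched | unknown
classify_sudoedit_output() {
    case "$1" in
        # "-s" was accepted in sudoedit mode: the pre-fix argument handling
        # (the exact line the post shows for the vulnerable host)
        *"sudoedit: /: not a regular file"*) echo vulnerable ;;
        # "-s" rejected with a usage message: the fixed behaviour from the post
        *"usage: sudoedit"*)                  echo patched ;;
        # Anything else (missing binary, different locale, wrapper output)
        *)                                    echo unknown ;;
    esac
}

# Run the live check on this host. Prints the classification and returns
# non-zero only when the host looks vulnerable, so it fits in `if`/`&&`.
check_local_sudo() {
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    # sudoedit exits non-zero in both cases, so do not let that abort a
    # `set -e` caller; stdin from /dev/null avoids hanging on any prompt.
    out=$(sudoedit -s / 2>&1 </dev/null) || true
    result=$(classify_sudoedit_output "$out")
    echo "$result"
    [ "$result" != vulnerable ]
}
```

Run `check_local_sudo` as an unprivileged user (the post's "bad" case was also observed as a non-root user); it prints the verdict and exits 1 on a vulnerable host, so it drops straight into an ssh loop or a config-management fact.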
Responses (3)
  • Accepted Answer

    Friday, January 29 2021, 09:17 AM - #Permalink
    Resolved
    0 votes
    I've now injected the package into the contribs repo for automatic updating to both Community and Paid customers. It is syncing to the repos now (it is already in the US repos) and should be available just about everywhere in the next couple of hours. A simple:
    yum update sudo
    should then pull it down.
  • Accepted Answer

    Friday, January 29 2021, 09:02 AM - #Permalink
    Resolved
    0 votes
    Thanks Nick!
  • Accepted Answer

    Friday, January 29 2021, 08:55 AM - #Permalink
    Resolved
    1 votes
    It will be fixed as soon as 7.9 is out. We were going to release it to the community this week but have been asked to delay it until the second week of Feb. Paid versions will be a week or two later.

    In the meanwhile you can fix it with:
    yum update sudo --enablerepo=centos-updates-unverified


    I'll see if I can release that package in advance, but I am not so sure of that.