ALL Sudo versions prior to 1.8.28 (CentOS 6 is currently synced with v 1.8.6p3) are susceptible to an escalation flaw related to user -1. The report said that Linux distros would be updated as soon as possible, but I haven't found any information about when CentOS would sync up with the safer version. Does anyone know? This seems like a pretty major flaw.
https://thehackernews.com/2019/10/linux ... -flaw.html
Sudo CVE-2019-14287 Reported Oct 14
Re: Sudo CVE-2019-14287 Reported Oct 14
I'd say it's a pretty minor flaw as I wouldn't expect many people to have set up a vulnerable configuration. It's easy enough to fix your own configuration if you have done so.
Re: Sudo CVE-2019-14287 Reported Oct 14
Please see https://access.redhat.com/security/cve/cve-2019-14287 for both information about what configurations are vulnerable and for progress about the path to a patch. News about the fix will appear on that page first, and when Red Hat release it for RHEL then CentOS will pick it up and rebuild it too.
Due to the fact that the exploit is local only and also has very specific configuration requirements before your system will be vulnerable - even with the unpatched version - the majority of people will be unaffected.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Sudo CVE-2019-14287 Reported Oct 14
Frankly, if somebody is already in as in they can execute sudo, you've got bigger problems ...
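As an added example (not code from any poster in this thread or from the sudo project), here is one way to audit a host for the "specific configuration" the replies above refer to. It assumes the pattern described in the sudo advisory for CVE-2019-14287, a Runas user list that grants `ALL` while excluding a user with `!`; the function names and the sample sudoers text are constructed for illustration.

```python
import re

FIXED = (1, 8, 28, 0)  # the thread gives 1.8.28 as the first safe upstream release
RUNAS_ALIAS = re.compile(r"^Runas_Alias\s+(\w+)\s*=\s*(.+)$")
RUNAS_SPEC = re.compile(r"\(([^)]*)\)")

# Constructed sample input, not taken from any real system.
SAMPLE_SUDOERS = r"""
# constructed sample
Runas_Alias NOTROOT = ALL, !root
alice  ALL=(ALL, !root) /usr/bin/vi
bob    ALL=(ALL : ALL) ALL
carol  ALL=(NOTROOT) \
       /usr/bin/id
dave   ALL=(www-data) /usr/bin/systemctl restart httpd
"""

def version_is_affected(version):
    """Compare an upstream version string such as '1.8.6p3' against 1.8.28.
    Distro packages can carry a backported fix under an older version string,
    so treat True as 'check the vendor advisory', not as proof."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(g or 0) for g in m.groups()) < FIXED

def risky_runas_entries(sudoers_text):
    """Return rules whose Runas user list combines ALL with a '!' exclusion."""
    text = re.sub(r"\\\n", " ", sudoers_text)          # join continuation lines
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # Assumption: one alias per Runas_Alias line, expanded one level deep.
    aliases = dict(m.groups() for m in map(RUNAS_ALIAS.match, lines) if m)
    hits = []
    for line in lines:
        if RUNAS_ALIAS.match(line):
            continue
        for spec in RUNAS_SPEC.findall(line):
            users = spec.split(":")[0].split(",")      # part before ':' is the user list
            items = [i.strip() for u in users
                     for i in aliases.get(u.strip(), u).split(",")]
            if "ALL" in items and any(i.startswith("!") for i in items):
                hits.append(line)
                break
    return hits

if __name__ == "__main__":
    print(version_is_affected("1.8.6p3"))
    for rule in risky_runas_entries(SAMPLE_SUDOERS):
        print("review:", rule)
```

Lines beginning with `#` are skipped, so files pulled in through `#include` or `#includedir` have to be passed to `risky_runas_entries` separately.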