New critical sudo vulnerability - CVE-2021-3156
Hello everyone
Yesterday a heap overflow vulnerability in sudo was published.
It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host, so it is severe.
You can get extended info at this URL: https://blog.qualys.com/vulnerabilities ... on-samedit
CentOS Team, can we expect a quick sudo package update in the incoming days? At least for 7.x and 8.x releases?
Can you give us some information about CentOS 6.x? Will it get a sudo rpm update at least? Maybe through Vault Repo?
Many thanks
Best regards
Re: New critical sudo vulnerability - CVE-2021-3156
The update is already out and public for CentOS 7. I believe it's also out for CentOS Stream and CentOS Linux 8 is pending and will be along soon (for some definition of...).
CentOS 6 is based on RHEL 6 and is EOL and is unlikely to receive the fix. If Red Hat decide to publish a public fix for RHEL 6.x then I would suspect that it will get rebuilt for CentOS 6 too but I do not think this will happen.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: New critical sudo vulnerability - CVE-2021-3156
Hello TrevorH,
Thank you for your extremely quick answer.
Red Hat has published today: https://access.redhat.com/errata/RHSA-2021:0227 for Red Hat Enterprise Linux Server - Extended Life Cycle Support 6.
Can it give us some hope about a possible fix?
About 7.x, yes, I just updated a CentOS 7.9 and I confirm that the sudo fix is already released.
Best regards
Re: New critical sudo vulnerability - CVE-2021-3156
No, ELS updates are not public. You have to have a RH ELS subscription to be able to access them.
Re: New critical sudo vulnerability - CVE-2021-3156
Thanks again, TrevorH
Greetings
Re: New critical sudo vulnerability - CVE-2021-3156
Since I have a few el6 boxes still around, I downloaded the latest SRPM for CentOS 6 sudo from vault and also the patch from the CentOS 7 SRPM that was just released and tried to rebuild the el6 copy including the el7 patch. It fails as there are files in the el7 version that are not in the el6 one so the patch will not apply.
Re: New critical sudo vulnerability - CVE-2021-3156
Hello TrevorH,
You have given us better and quicker support/help than Red Hat Support, sincerely. My team sends you their gratitude.
We are going to highly recommend to our customers to migrate their 6.10 servers to 7.9 ASAP.
Best regards
Re: New critical sudo vulnerability - CVE-2021-3156
Hello again.
I just checked sudo official website. https://www.sudo.ws/sudo/
They have released source code for 1.9.5p2 and an updated rpm package for the stable branch, even for CentOS 6.
I don't know if they are going to make a legacy release.
Greetings
Re: New critical sudo vulnerability - CVE-2021-3156
Hi TrevorH
TrevorH wrote: ↑2021/01/27 12:18:53
The update is already out and public for CentOS 7. I believe it's also out for CentOS Stream and CentOS Linux 8 is pending and will be along soon (for some definition of...).
CentOS 6 is based on RHEL 6 and is EOL and is unlikely to receive the fix. If Red Hat decide to publish a public fix for RHEL 6.x then I would suspect that it will get rebuilt for CentOS 6 too but I do not think this will happen.
How can I find out which version of sudo is the patched version for CentOS 7?
I have done a yum update sudo*
That upgraded me from sudo 1.8.23-4 to sudo 1.8.23-10.
However ---
http://cve.mitre.org/cgi-bin/cvename.cg ... -2021-3156
https://www.deepwatch.com/blog/sudo-vulnerability/
"The flaw was introduced in a change made in July 2011, so it is present in sudo legacy versions (1.8.2 to 1.8.31p2) and all stable versions (1.9.0 to 1.9.5p1) "
The new version that Yum Update just installed (sudo 1.8.23-10) was _not_ beyond the range of affected versions....
It would seem that a "fixed" version of Sudo for Centos7 would have had a version something higher than 1.8.31p2
If you have knowledge of how to obtain a version of sudo greater than 1.8.31p2, can you share that?
Does not seem that yum update fixes this..... yet...
Running transaction
Updating : sudo-1.8.23-10.el7_9.1.x86_64 1/2
Cleanup : sudo-1.8.23-4.el7_7.1.x86_64 2/2
Verifying : sudo-1.8.23-10.el7_9.1.x86_64 1/2
Verifying : sudo-1.8.23-4.el7_7.1.x86_64 2/2
Updated:
sudo.x86_64 0:1.8.23-10.el7_9.1
Re: New critical sudo vulnerability - CVE-2021-3156
Updates in RHEL and CentOS do not follow upstream ones. You should Google "rhel backporting" and then read the link on the Red Hat web site that it shows you and that explains how it all works.
For checking: rpm -q --changelog sudo | grep -i cve-2021-3156
The future appears to be RHEL or Debian. I think I'm going Debian.
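The two checks discussed in the last exchange, written up as one script. This is an added example, not code from the thread, from the sudo project or from CentOS. It does what TrevorH's one-liner does (look for the CVE in the rpm changelog, because the fix is backported into the existing 1.8.23 package and the version string never reaches 1.8.31p2) and adds the non-destructive behavioural probe described in the Qualys advisory linked at the top of the thread: run as an unprivileged user, `sudoedit -s /` answers with an error starting `sudoedit:` on a vulnerable build and with a `usage:` line on a patched one. The classification logic is separated into small functions so it can be exercised against constructed sample strings; the sample changelog entries and the script name `sudo-cve-check.sh` are assumptions for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from the sudo/CentOS projects.
# Two checks for CVE-2021-3156 on an RPM-based host. The package version alone
# is misleading on RHEL/CentOS because the fix is backported into the existing
# 1.8.23 package, so look at the rpm changelog (as TrevorH suggests) and at how
# sudoedit itself behaves (the non-destructive test from the Qualys advisory).
set -u

CVE="CVE-2021-3156"

# Reads an rpm changelog on stdin; exit status 0 when it mentions the given CVE.
changelog_mentions_cve() {
    grep -qi "$1"
}

# Classifies the first stderr line of 'sudoedit -s /' run as an unprivileged user.
# "sudoedit: ..." means the argument check was passed and the vulnerable parsing
# path was reached; "usage: ..." means the patched sudo rejected the -s/sudoedit
# combination before doing anything else.
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Constructed samples (assumed for the demonstration, not captured from a real host).
SAMPLE_VULN='sudoedit: /: not a regular file'
SAMPLE_FIXED='usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...'
SAMPLE_LOG_FIXED='* Tue Jan 26 2021 Example Packager <packager@example.com> - 1.8.23-10.1
- Fix CVE-2021-3156 heap-based buffer overflow in sudoedit'
SAMPLE_LOG_OLD='* Mon Jun 08 2020 Example Packager <packager@example.com> - 1.8.23-4.1
- Unrelated change'

# Runs the classifiers over the constructed samples; prints one result per line.
self_check() {
    echo "vuln sample     -> $(classify_sudoedit_output "$SAMPLE_VULN")"
    echo "fixed sample    -> $(classify_sudoedit_output "$SAMPLE_FIXED")"
    if printf '%s\n' "$SAMPLE_LOG_FIXED" | changelog_mentions_cve "$CVE"; then
        echo "fixed changelog -> mentions $CVE"
    fi
    if ! printf '%s\n' "$SAMPLE_LOG_OLD" | changelog_mentions_cve "$CVE"; then
        echo "old changelog   -> no $CVE entry"
    fi
}

# Live checks against this host; skipped silently when rpm/sudoedit are absent.
check_host() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q sudo 2>/dev/null || echo 'sudo not installed')
        if rpm -q --changelog sudo 2>/dev/null | changelog_mentions_cve "$CVE"; then
            echo "rpm changelog: $CVE fix present ($pkg)"
        else
            echo "rpm changelog: no $CVE entry ($pkg)"
        fi
    fi
    if command -v sudoedit >/dev/null 2>&1; then
        # '/' is a directory, so nothing can be edited; stdin from /dev/null
        # avoids hanging on a password prompt when run non-interactively.
        first=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
        echo "sudoedit probe: $(classify_sudoedit_output "$first")"
    fi
}

# Usage: sh sudo-cve-check.sh run    (script name assumed)
if [ "${1:-}" = "run" ]; then
    self_check
    check_host
fi
```

Run it as a normal user, not root, so the sudoedit probe reflects what an unprivileged local account would get. A host whose changelog has no CVE-2021-3156 entry and whose probe says `vulnerable` is exactly the CentOS 6 situation described earlier in the thread: no vendor package is coming, so the options are the upstream 1.9.5p2 build from sudo.ws or migrating the box.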