Hi,
Forgive me if this was posted before, but does the below CentOS 7 version support the latest sudo 1.8.28 release to mitigate vulnerability CVE-2019-14287?
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
Architecture: x86-64
Thanks,
Daniel
Sudo 1.8.28
Re: Sudo 1.8.28
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
You have way bigger problems than that sudo update. That kernel version is from CentOS 7.4 and dates from sometime in 2017. That means you are missing the entirety of the last 2 years' worth of security updates, and if the kernel is backlevel then the chances are that the rest of your system is too. You need to run a full yum update to get yourself off 7.4 and onto 7.7 plus all the latest updates.
Now, the sudo update, while important, only affects a very limited number of installations as you need to have a very specific setup in order to be able to exploit the bug. Read https://access.redhat.com/security/cve/cve-2019-14287 and look at the examples they give there. If your sudo config is not like those then you do not have a vulnerable system.
The update is fixed in the sudo-1.8.23-4.el7_7.1.x86_64 package. That was released for RHEL on the 24th Oct and is now out for CentOS, though you may need to do a yum clean all to make sure you fetch the latest metadata from the mirror network before you yum update.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Sudo 1.8.28
Hi Trevor,
Yeah; thanks for pointing this out to us. We have upgraded the kernel to version 3.10.0-1062.4.1.el7.x86_64, and we have not configured our sudoers file to include a user that can run ALL commands with an exclusion of root.
Best,
Daniel
Re: Sudo 1.8.28
I was expecting it to also be fixed in sudo-1.8.23-4.el7.x86_64.rpm then, but I cannot see any mention of CVE-2019-14287 in the changelog for that package.
rpm -qp --changelog /home/service/sudo-1.8.23-4.el7.x86_64.rpm
Re: Sudo 1.8.28
$ rpm -q sudo --changelog
* Wed Oct 16 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4.1
- RHEL-7.7.z
- fixed CVE-2019-14287
Resolves: rhbz#1760694
$ rpm -q sudo
sudo-1.8.23-4.el7_7.1.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Sudo 1.8.28
LesserBabkaX wrote: ↑2020/02/11 11:14:12
I was expecting it to also be fixed in sudo-1.8.23-4.el7.x86_64.rpm
Why? Doesn't its changelog start something like:
* Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4
- RHEL-7.7 erratum
How about the Build Date in:
rpm -qip /home/service/sudo-1.8.23-4.el7.x86_64.rpm
The 4.el7_7.1 has Build Date: 2019-10-24
If you install packages only from /home/service/, then you should check that your collection is up to date.
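The replies above describe two separate checks: whether the installed sudo package is at or past the fixed build (sudo-1.8.23-4.el7_7.1, confirmed via rpm -q --changelog and the Build Date), and whether the sudoers configuration has the specific runas shape the Red Hat advisory describes (a user allowed to run ALL commands with root excluded from the runas list). The following POSIX shell script is an added example, not code from the thread or from CentOS; it bundles both checks into functions so they can be run on a host or against captured output. The fixed package string comes from the thread; the version comparison is a simplified field-by-field comparator (an assumption, not a full rpmvercmp), and the sudoers lines in SAMPLE_SUDOERS are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Defender-side audit for CVE-2019-14287 on
# a CentOS 7 host: (1) is the sudo package at or past the fixed build, and does its changelog
# mention the CVE; (2) does sudoers grant ALL commands with a runas list that negates root.
# Assumption: a simplified version comparator is sufficient for el7 sudo release strings.

FIXED_EVR="1.8.23-4.el7_7.1"   # version-release of the fixed el7 package (from the thread)

# vercmp A B : print -1, 0 or 1. Splits on '.', '-' and '_' and compares field by field,
# numerically when both fields are digits, otherwise as strings. Simplified rpmvercmp.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[._-]/); m = split(b, y, /[._-]/)
        for (i = 1; i <= n || i <= m; i++) {
            xi = (i <= n) ? x[i] : ""; yi = (i <= m) ? y[i] : ""
            if (xi ~ /^[0-9]+$/ && yi ~ /^[0-9]+$/) {
                if (xi + 0 < yi + 0) { print -1; exit }
                if (xi + 0 > yi + 0) { print 1; exit }
            } else {
                if (xi < yi) { print -1; exit }
                if (xi > yi) { print 1; exit }
            }
        }
        print 0
    }'
}

# sudo_needs_update NEVRA : succeed when a package string such as
# "sudo-1.8.23-4.el7.x86_64" is older than FIXED_EVR.
sudo_needs_update() {
    evr=${1#sudo-}       # drop the package name
    evr=${evr%.*}        # drop the trailing architecture (.x86_64)
    [ "$(vercmp "$evr" "$FIXED_EVR")" -lt 0 ]
}

# changelog_mentions_fix : read "rpm -q --changelog sudo" output on stdin and succeed
# when the CVE identifier appears (what the thread checks by eye).
changelog_mentions_fix() {
    grep -q 'CVE-2019-14287'
}

# sudoers_risky_lines : read sudoers text on stdin and print rules whose runas list
# contains ALL and also negates root (by name or uid #0); comment lines are skipped.
# Exit status is 0 when at least one such rule was found.
sudoers_risky_lines() {
    grep -v '^[[:space:]]*#' | grep -E '\([^)]*ALL[^)]*![[:space:]]*(root|#0)[[:space:],)]'
}

# Constructed sample sudoers content (not from any real host) for running off a CentOS box.
SAMPLE_SUDOERS='root    ALL=(ALL) ALL
# alice  ALL=(ALL, !root) ALL   <- commented out, must not be reported
bob     ALL=(ALL, !root) /usr/bin/vi
carol   ALL=(ALL) NOPASSWD: /usr/bin/systemctl'

if command -v rpm >/dev/null 2>&1 && [ -r /etc/sudoers ]; then
    pkg=$(rpm -q sudo)
    if sudo_needs_update "$pkg"; then
        printf '%s is older than %s: run yum clean all && yum update\n' "$pkg" "$FIXED_EVR"
    fi
    rpm -q --changelog sudo | changelog_mentions_fix && echo "changelog references CVE-2019-14287"
    sudoers_risky_lines < /etc/sudoers && echo "^ rules above match the affected runas pattern"
else
    printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_risky_lines
fi
```

On a real host the script reads rpm and /etc/sudoers (run it as root for the latter); elsewhere it only exercises the sudoers matcher on the constructed sample, reporting the bob rule and ignoring the commented-out alice line. Note that sudoers_risky_lines only covers rules written directly in /etc/sudoers; files pulled in via #include or #includedir need to be fed to it separately.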