Sudo CVE-2019-14287 Reported Oct 14

jakepogo
Posts: 3
Joined: 2014/02/07 17:49:48

Sudo CVE-2019-14287 Reported Oct 14

Post by jakepogo » 2019/10/18 14:41:37

ALL Sudo versions prior to 1.8.28 (CentOS 6 is currently synced with v 1.8.6p3) are susceptible to an escalation flaw related to user -1. The report said that Linux distros would be updated as soon as possible, but I haven't found any information about when CentOS would sync up with the safer version. Does anyone know? This seems like a pretty major flaw :(

https://thehackernews.com/2019/10/linux ... -flaw.html

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: Sudo CVE-2019-14287 Reported Oct 14

Post by stevemowbray » 2019/10/18 15:24:58

I'd say it's a pretty minor flaw as I wouldn't expect many people to have set up a vulnerable configuration. It's easy enough to fix your own configuration if you have done so.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudo CVE-2019-14287 Reported Oct 14

Post by TrevorH » 2019/10/18 16:57:02

Please see https://access.redhat.com/security/cve/cve-2019-14287 for both information about what configurations are vulnerable and for progress about the path to a patch. News about the fix will appear on that page first, and when Red Hat releases it for RHEL then CentOS will pick it up and rebuild it too.

Due to the fact that the exploit is local only and also has very specific configuration requirements before your system will be vulnerable - even with the unpatched version - the majority of people will be unaffected.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
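The two conditions the thread keeps coming back to are a sudo older than 1.8.28 and a sudoers rule that lets a user run commands as ALL users except root, which is the Runas spec the user -1 trick bypasses. The script below, an added example that was not posted in the thread, checks both against a constructed sudoers sample; it does not expand Runas_Alias definitions, so alias-based rules still need a manual look.

```python
"""Audit a sudo version and sudoers rules for the CVE-2019-14287 preconditions."""
import re

FIXED_IN = (1, 8, 28)  # first sudo release without the flaw

# sudo version strings look like "1.8.6p3" (patch level optional)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# user host = (runas_users[:runas_groups]) ... ; aliases are not expanded
RUNAS_RE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)")

# Constructed sample, not a real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample, not a real /etc/sudoers
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(ALL, !#0) NOPASSWD: /usr/bin/less
carol   ALL=(www-data, !root) /usr/bin/systemctl
"""


def version_is_affected(ver: str) -> bool:
    """True when the sudo version is older than 1.8.28 (patch level ignored)."""
    m = VERSION_RE.fullmatch(ver.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {ver!r}")
    return tuple(int(x) for x in m.groups()[:3]) < FIXED_IN


def find_affected_rules(sudoers_text: str) -> list:
    """Return (line_no, rule) for rules whose Runas spec is ALL minus root."""
    hits = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = RUNAS_RE.match(raw)
        if not m:
            continue  # no explicit Runas spec, so root is not excluded
        runas_users = m.group("runas").split(":", 1)[0]  # drop the group list
        entries = [e.strip() for e in runas_users.split(",") if e.strip()]
        # Only "any user except root" is exploitable: ALL plus a root exclusion.
        if "ALL" in entries and any(e in ("!root", "!#0") for e in entries):
            hits.append((n, raw.strip()))
    return hits


if __name__ == "__main__":
    print("sudo 1.8.6p3 affected:", version_is_affected("1.8.6p3"))
    for n, rule in find_affected_rules(SAMPLE_SUDOERS):
        print(f"line {n}: {rule}")
```

On a real host, feed it the output of `sudo -V` (first line) and the contents of /etc/sudoers plus /etc/sudoers.d; a rule that is flagged on an unpatched system can be fixed by removing the `!root` exclusion or tightening the Runas list to named users.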

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Sudo CVE-2019-14287 Reported Oct 14

Post by aks » 2019/10/23 17:38:51

Frankly, if somebody is already in as in they can execute sudo, you've got bigger problems ...
