New critical sudo vulnerability - CVE-2021-3156

treimers
Posts: 2
Joined: 2021/01/29 18:55:24

Re: New critical sudo vulnerability - CVE-2021-3156

Post by treimers » 2021/01/30 22:44:43

Thanks!

Appreciate that....

fuzzy4096
Posts: 12
Joined: 2020/12/14 16:29:11

Re: New critical sudo vulnerability - CVE-2021-3156

Post by fuzzy4096 » 2021/02/02 08:48:37

Blair wrote:
2021/01/28 07:59:46
Hello again.
I just checked sudo official website. https://www.sudo.ws/sudo/
They have released source code for 1.9.5p2 and an updated rpm package for the stable branch, even for CentOS 6 :)
I don't know if they are going to make a legacy release.
Greetings
Sorry for hijacking the conversation, what does that mean? Can I simply download the .rpm from their site and run a yum localinstall on it? Will this not break things? Quoting from the CentOS wiki:
" DO NOT attempt to install software packages which are part of CentOS as a source package, because you think you absolutely need the newest version. THIS WILL OFTEN BREAK THINGS"
or
"A common objection runs like this: But package foo in version x.y.1 has security holes which are gone in version x.z.1!
That may be the case. But normally version x.z.1 also has new features over x.y.1 and those may break the expected behaviour of the software
"
Any input on this, folks?


PS. I have even seen recommendations to install the patched rpm for CentOS 6 from https://yum.oracle.com/repo/OracleLinux ... x86_64.rpm
Thank you!

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: New critical sudo vulnerability - CVE-2021-3156

Post by sml » 2021/02/02 11:06:39

Yes, the package from Oracle Linux is the best available option right now. Actually, you have to migrate to CentOS 7 or CentOS 8 ASAP.

Blair
Posts: 6
Joined: 2021/01/27 12:01:26

Re: New critical sudo vulnerability - CVE-2021-3156

Post by Blair » 2021/02/03 17:02:52

Thanks sml and fuzzy.
Best regards.

ahmdahashem
Posts: 3
Joined: 2021/03/03 21:41:58

Re: New critical sudo vulnerability - CVE-2021-3156

Post by ahmdahashem » 2021/03/03 21:47:16

TrevorH wrote:
2021/01/27 12:18:53
The update is already out and public for CentOS 7. I believe it's also out for CentOS Stream and CentOS Linux 8 is pending and will be along soon (for some definition of...).

CentOS 6 is based on RHEL 6 and is EOL and is unlikely to receive the fix. If Red Hat decide to publish a public fix for RHEL 6.x then I would suspect that it will get rebuilt for CentOS 6 too but I do not think this will happen.
I have tried:
yum update
yum upgrade
yum upgrade sudo*
but I still have sudo-1.8.23.
Do you have any suggestion to upgrade sudo without installing a separate .rpm package, a suggestion that makes yum update able to update the sudo version??

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New critical sudo vulnerability - CVE-2021-3156

Post by TrevorH » 2021/03/04 09:41:59

CentOS 6 is EOL and there are no more updates to it after the end of Nov 2020. This vulnerability was made public and fixed long after that so there is no fix for CentOS 6 for this problem.

You should be looking at how to get off CentOS 6 ASAP. Preferably about 4 months ago or more.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ahmdahashem
Posts: 3
Joined: 2021/03/03 21:41:58

Re: New critical sudo vulnerability - CVE-2021-3156

Post by ahmdahashem » 2021/03/04 11:00:41

TrevorH wrote:
2021/03/04 09:41:59
CentOS 6 is EOL and there are no more updates to it after the end of Nov 2020. This vulnerability was made public and fixed long after that so there is no fix for CentOS 6 for this problem.

You should be looking at how to get off CentOS 6 ASAP. Preferably about 4 months ago or more.
Hi

I am using CentOS7!

I have tried:
yum update
yum upgrade
yum update sudo
on all my servers with CentOS 7 and that doesn't update the sudo version.
When I type #sudo -V it still shows version 1.8.23.
When I check with: rpm -q --changelog sudo | grep -i cve-2021-3156
- CVE-2021-3156

I would like to avoid installing the sudo package from the official sudo site "https://www.sudo.ws/download.html#binary" separately!
My server is in production and I need help to update sudo from yum..

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New critical sudo vulnerability - CVE-2021-3156

Post by TrevorH » 2021/03/04 11:35:34

The fixed version for CentOS 7 is sudo-1.8.23-10.el7_9.1.x86_64 - try rpm -q sudo to check.

ahmdahashem
Posts: 3
Joined: 2021/03/03 21:41:58

Re: New critical sudo vulnerability - CVE-2021-3156

Post by ahmdahashem » 2021/03/04 12:16:55

TrevorH wrote:
2021/03/04 11:35:34
The fixed version for CentOS 7 is sudo-1.8.23-10.el7_9.1.x86_64 - try rpm -q sudo to check.
rpm -q sudo
shows
sudo-1.8.23-10.el7_9.1.x86_64
That is right! Thanks a lot!
What confused me was #sudo -V.
Can you explain the difference between #sudo -V and #rpm -q sudo?
My problem is solved with your help, but explain as extra info :)
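An added example, not code from the thread, from CentOS or from Red Hat, illustrating the distinction asked about above: `sudo -V` prints the upstream version the package was built from (1.8.23), while `rpm -q sudo` prints the package release, and on CentOS 7 the CVE-2021-3156 fix was backported into release 10.el7_9.1 without changing that upstream version. The script compares an installed sudo package name against the fixed build named in the thread. The field-by-field numeric comparison is an assumption-level simplification of rpm's version ordering that is adequate for el7 sudo builds, the `rpm` calls run only when the script is started with `--check` on a real host, and the package names in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the thread's or the distribution's code): check whether an
# installed CentOS 7 sudo RPM already carries the CVE-2021-3156 backport.
# `sudo -V` keeps printing "1.8.23" on a fixed host because Red Hat backports
# the fix into the existing upstream version and only bumps the RPM release,
# so the release field from `rpm -q sudo` is what must be compared.

FIXED_EL7="sudo-1.8.23-10.el7_9.1.x86_64"   # fixed build named in the thread

# numeric_fields NEVRA: drop the package name and architecture, then turn
# "1.8.23-10.el7_9.1" into "1 8 23 10 7 9 1" so each field compares as an
# integer. A simplification of rpm's ordering, adequate for el7 sudo builds.
numeric_fields() {
    vr=${1#sudo-}
    for arch in x86_64 aarch64 ppc64le i686 noarch; do
        vr=${vr%.$arch}
    done
    printf '%s' "$vr" | tr -cs '0-9' ' '
}

# vr_cmp A B: print -1, 0 or 1 according to whether package A sorts before,
# equal to, or after package B. A missing trailing field counts as 0, so a
# constructed "sudo-1.8.23-10.el7.x86_64" sorts before the 10.el7_9.1 build.
vr_cmp() {
    a=$(numeric_fields "$1")
    b=$(numeric_fields "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        case $a in *" "*) a=${a#* } ;; *) a="" ;; esac
        case $b in *" "*) b=${b#* } ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# sudo_fixed NEVRA: succeed (exit 0) if NEVRA is at least the fixed el7 build.
sudo_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_EL7")" -ge 0 ]
}

# check_installed: query the local RPM database on a real host and, as the
# thread does, confirm the CVE id appears in the package changelog.
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; nothing to check"
        return 2
    fi
    pkgs=$(rpm -q sudo) || { echo "sudo is not installed"; return 2; }
    for pkg in $pkgs; do
        if sudo_fixed "$pkg"; then
            echo "$pkg: release carries the CVE-2021-3156 fix"
        else
            echo "$pkg: NOT fixed, run 'yum update sudo'"
        fi
    done
    if rpm -q --changelog sudo | grep -qi 'CVE-2021-3156'; then
        echo "changelog mentions CVE-2021-3156"
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run it as `sh sudo_check.sh --check` on a CentOS 7 host; without the flag it only defines the functions. The comparison deliberately ignores the upstream version string that `sudo -V` reports and works from the package name, which is the only place the backport shows up.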

presleye69
Posts: 1
Joined: 2021/03/04 22:41:11

Re: New critical sudo vulnerability - CVE-2021-3156

Post by presleye69 » 2021/03/04 22:59:02

Hi TrevorH,

You are obviously intelligent and very knowledgeable about CentOS. You have also posted some good advice and information and Thank You for that. However, some of your answers are not helpful.

You should be looking at how to get off CentOS 6 ASAP.

For those that don't realize CentOS 6 is EOL, thank you. After the first post however, not helpful. Here's a scenario:
Non-profit org with two junior linux admin volunteers managing an inherited environment of Linux servers. Several servers run their accounting, HR, Payroll, administration and in-house management software. Some software is OpenSource, but some are commercial apps purchased 8-10 years ago. The software works and is stable but there is little money for replacements or upgrades. These older systems run on CentOS 5.6 because that is the latest CentOS supported by these aging commercial apps. Certainly not the ideal situation but sometimes "it is what it is". Now the admins are working hard to patch a serious security vulnerability in 'sudo' and are reaching out for help. Can you please tell me how repeating the phrase above helps the situation? Not trying to be difficult but trying to get you to see that not all admins CAN upgrade to CentOS 8 or even 7. Not all of us have the authority, budget, time or skills to stay on the supported release and some of us inherit an awful situation with little resources to fix it, at least in the short-term.

Please try to remember that we can't all stay on the latest or even supported release and sometimes our situation is not of our making or within our ability to immediately resolve. Sometimes we just need an answer to our question, even if that answer is "I don't know" or "that is not possible".

Thanks again for all your help and please keep the good advice and great information coming. :)
