Sudo 1.8.28

dscoland
Posts: 4
Joined: 2019/10/21 16:04:24

Sudo 1.8.28

Post by dscoland » 2019/10/29 12:53:42

Hi,

Forgive me if this was posted before, but does the below CentOS 7 version support the latest sudo 1.8.28 release to mitigate vulnerability CVE-2019-14287?

Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
Architecture: x86-64

Thanks,
Daniel

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudo 1.8.28

Post by TrevorH » 2019/10/29 14:04:40

Kernel: Linux 3.10.0-693.17.1.el7.x86_64
You have way bigger problems than that sudo update. That kernel version is from CentOS 7.4 and dates from sometime in 2017. That means you are missing the entirety of the last 2 years' worth of security updates, and if the kernel is backlevel then the chances are that the rest of your system is too. You need to run a full yum update to get yourself off 7.4 and onto 7.7 plus all the latest updates.

Now, the sudo update, while important, only affects a very limited number of installations as you need to have a very specific setup in order to be able to exploit the bug. Read https://access.redhat.com/security/cve/cve-2019-14287 and look at the examples they give there. If your sudo config is not like those then you do not have a vulnerable system.

The update is fixed in the sudo-1.8.23-4.el7_7.1.x86_64 package. That was released for RHEL on the 24th Oct and is now out for CentOS, though you may need to do a yum clean all to make sure you fetch the latest metadata from the mirror network before you yum update.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

dscoland
Posts: 4
Joined: 2019/10/21 16:04:24

Re: Sudo 1.8.28

Post by dscoland » 2019/10/29 17:26:17

Hi Trevor,

Yeah; thanks for pointing this out to us. We have upgraded the kernel to version 3.10.0-1062.4.1.el7.x86_64, and we have not configured our sudoers file to include a user that can run ALL commands with an exclusion of root.

Best,
Daniel
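An added check, not from this thread or from Red Hat, that does the two things discussed above: it flags sudoers entries of the shape TrevorH and Daniel describe (a Runas list that grants ALL users but negates root), and it tells whether an installed sudo NVRA, as printed by rpm -q sudo, is at or past the fixed sudo-1.8.23-4.el7_7.1 package. The sudoers text is a constructed sample and the version comparison is a simplified rpmvercmp, both assumptions of this example.

```python
import re
# Constructed sample /etc/sudoers (not from the thread). The bob and alice
# entries have the shape Red Hat's advisory describes: run as ALL users except root.
SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL) ALL
bob     myhost=(ALL, !root) /usr/bin/vi
alice   ALL=(ALL, !#0) /usr/bin/less
carol   ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl
"""
# Version and release of the fixed CentOS 7 package named in the thread.
FIXED_VERSION, FIXED_RELEASE = "1.8.23", "4.el7_7.1"
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")

def runas_excludes_root(spec):
    """True if a Runas spec grants ALL target users but negates root (by name or uid 0)."""
    users = spec.split(":", 1)[0]  # drop the optional Runas group list
    items = [u.strip() for u in users.split(",") if u.strip()]
    return "ALL" in items and any(i in ("!root", "!#0") for i in items)

def find_affected_entries(sudoers_text):
    """Return [(line_no, line)] for entries matching the CVE-2019-14287 pattern."""
    hits = []
    for n, line in enumerate(sudoers_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        m = RUNAS_RE.search(line)
        if m and runas_excludes_root(m.group(1)):
            hits.append((n, line))
    return hits

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1; digit runs are ints and sort after letter runs."""
    seg = lambda s: [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]
    sa, sb = seg(a), seg(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def sudo_rpm_is_fixed(nvra):
    """True if an installed sudo NVRA (as printed by rpm -q sudo) is at or past the fix."""
    version, release_arch = nvra[len("sudo-"):].split("-", 1)
    release = release_arch.rsplit(".", 1)[0]  # strip the architecture suffix
    c = vercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and vercmp(release, FIXED_RELEASE) >= 0)
```

Run find_affected_entries over the real /etc/sudoers and sudoers.d files and feed the output of rpm -q sudo to sudo_rpm_is_fixed; an empty hit list means the CVE-2019-14287 precondition is absent regardless of package version.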

LesserBabkaX
Posts: 2
Joined: 2019/08/16 07:37:11

Re: Sudo 1.8.28

Post by LesserBabkaX » 2020/02/11 11:14:12

TrevorH wrote:
2019/10/29 14:04:40
The update is fixed in the sudo-1.8.23-4.el7_7.1.x86_64 package.
I was expecting it to also be fixed in sudo-1.8.23-4.el7.x86_64.rpm then, but I cannot see any mention of CVE-2019-14287 in the changelog for that package.

rpm -qp --changelog /home/service/sudo-1.8.23-4.el7.x86_64.rpm
Am I missing something or is it really not included?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudo 1.8.28

Post by TrevorH » 2020/02/11 13:37:12

$ rpm -q sudo --changelog
* Wed Oct 16 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4.1
- RHEL-7.7.z
- fixed CVE-2019-14287
Resolves: rhbz#1760694
$ rpm -q sudo
sudo-1.8.23-4.el7_7.1.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Sudo 1.8.28

Post by jlehtone » 2020/02/12 07:38:53

LesserBabkaX wrote:
2020/02/11 11:14:12
I was expecting it to also be fixed in sudo-1.8.23-4.el7.x86_64.rpm
Why?

Doesn't its changelog start something like:

* Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4
- RHEL-7.7 erratum
Feb 2019 was way before this thread started.

How about the Build Date in:

rpm -qip /home/service/sudo-1.8.23-4.el7.x86_64.rpm
It's probably late Aug 2019. (I updated 3.el7 => 4.el7 from the CR repo on 2019-09-02.)

The 4.el7_7.1 has Build Date: 2019-10-24

If you install packages only from /home/service/, then you should check that your collection is up to date.
