
Sudo 1.8.28

Posted: 2019/10/29 12:53:42
by dscoland

Forgive me if this was posted before, but does the below CentOS 7 version support the latest sudo 1.8.28 release to mitigate vulnerability CVE-2019-14287?

Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
Architecture: x86-64


Re: Sudo 1.8.28

Posted: 2019/10/29 14:04:40
by TrevorH
Kernel: Linux 3.10.0-693.17.1.el7.x86_64
You have way bigger problems than that sudo update. That kernel version is from CentOS 7.4 and dates from sometime in 2017. That means you are missing the entirety of the last 2 years' worth of security updates, and if the kernel is backlevel then the chances are that the rest of your system is too. You need to run a full yum update to get yourself off 7.4 and onto 7.7 plus all the latest updates.

Now, the sudo update, while important, only affects a very limited number of installations as you need to have a very specific setup in order to be able to exploit the bug. Read and look at the examples they give there. If your sudo config is not like those then you do not have a vulnerable system.

The update is fixed in the sudo-1.8.23-4.el7_7.1.x86_64 package. That was released for RHEL on the 24th Oct and is now out for CentOS, though you may need to do a yum clean all to make sure you fetch the latest metadata from the mirror network before you yum update.

Re: Sudo 1.8.28

Posted: 2019/10/29 17:26:17
by dscoland
Hi Trevor,

Yeah; thanks for pointing this out to us. We have upgraded the kernel to version 3.10.0-1062.4.1.el7.x86_64, and we have not configured our sudoers file to include a user that can run ALL commands with an exclusion of root.


Re: Sudo 1.8.28

Posted: 2020/02/11 11:14:12
by LesserBabkaX
TrevorH wrote:
2019/10/29 14:04:40
The update is fixed in the sudo-1.8.23-4.el7_7.1.x86_64 package.
I was expecting it to also be fixed in sudo-1.8.23-4.el7.x86_64.rpm then, but I cannot see any mention of CVE-2019-14287 in the changelog for that package.

rpm -qp --changelog /home/service/sudo-1.8.23-4.el7.x86_64.rpm
Am I missing something or is it really not included?

Re: Sudo 1.8.28

Posted: 2020/02/11 13:37:12
by TrevorH
$ rpm -q sudo --changelog
* Wed Oct 16 2019 Radovan Sroka <> 1.8.23-4.1
- RHEL-7.7.z
- fixed CVE-2019-14287
Resolves: rhbz#1760694
$ rpm -q sudo
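
A defender-side check that covers both points raised in this thread (the (ALL, !root)-style Runas shape TrevorH refers to, and grepping the package changelog for the CVE as done above), as an added example that is not code from the thread. The sudoers fragment and changelog text are constructed samples; on a real host you would feed it /etc/sudoers (plus /etc/sudoers.d/*) and the output of rpm -q sudo --changelog.

```python
import re

# Constructed sample inputs (assumptions, not copied from the thread).
SAMPLE_SUDOERS = """\
# Comments and Defaults lines are ignored
Defaults    env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
bob     ALL=(ALL, !root) /usr/bin/vi
alice   ALL=(ALL, !#0)  NOPASSWD: ALL
"""

SAMPLE_CHANGELOG = """\
* Wed Oct 16 2019 Radovan Sroka <> 1.8.23-4.1
- RHEL-7.7.z
- fixed CVE-2019-14287
Resolves: rhbz#1760694
* Wed Feb 20 2019 Radovan Sroka <> 1.8.23-4
- RHEL-7.7 erratum
"""

_RUNAS = re.compile(r"\(([^)]*)\)")        # the (user_list : group_list) part
_NEGATED_ROOT = {"!root", "!#0"}           # root by name or by uid


def exposed_sudoers_entries(text):
    """Return (line_no, line) for user specs whose Runas user list is
    ALL with root excluded, the configuration shape CVE-2019-14287 affects."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("Defaults"):
            continue
        m = _RUNAS.search(s)
        if not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in users and _NEGATED_ROOT.intersection(users):
            hits.append((no, s))
    return hits


def changelog_fixes(changelog, cve):
    """Return the changelog entry version (e.g. 1.8.23-4.1) that first
    mentions `cve`, or None if no entry does."""
    current = None
    for line in changelog.splitlines():
        if line.startswith("*"):
            current = line.split()[-1]  # trailing version-release token
        elif cve in line:
            return current
    return None


if __name__ == "__main__":
    print("exposed sudoers lines:", exposed_sudoers_entries(SAMPLE_SUDOERS))
    print("fixed in:", changelog_fixes(SAMPLE_CHANGELOG, "CVE-2019-14287"))
```

A host is only of concern when both checks agree: an exposed Runas entry and a sudo package whose changelog does not yet mention the fix.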

Re: Sudo 1.8.28

Posted: 2020/02/12 07:38:53
by jlehtone
LesserBabkaX wrote:
2020/02/11 11:14:12
I was expecting it to also be fixed in sudo-1.8.23-4.el7.x86_64.rpm

Doesn't its changelog start something like:

* Wed Feb 20 2019 Radovan Sroka <> 1.8.23-4
- RHEL-7.7 erratum
Feb 2019 was way before this thread started.

How about the Build Date in:

rpm -qip /home/service/sudo-1.8.23-4.el7.x86_64.rpm
It's probably late Aug 2019. (I updated 3.el7 => 4.el7 from the CR repo on 2019-09-02.)

The 4.el7_7.1 has Build Date: 2019-10-24

If you install packages only from /home/service/, then you should check that your collection is up to date.