Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/04 20:59:43
by CaptTechno
While installing Qualys scan recommended package update, I am being diverted to RedHat site.
Package | Installed Version | Required Version
sudo | 1.8.23-4.el7.x86_64 | 1.8.23-4.el7_7.1

How can I update this package "sudo 1.8.23-4.el7.x86_64" so that I can remove security vulnerabilities?

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/04 21:06:54
by TrevorH
You update on CentOS by running yum update. That will offer you all pending updates, any of which could be for security purposes. The current version of sudo is sudo-1.8.23-9.el7.x86_64

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 14:13:13
by CaptTechno
Thanks for the reply, @TrevorH

While resolving the vulnerability, I am being directed to a CentOS link that is broken (not exactly broken, but it takes me to a RHEL page).

###SOLUTION:
To resolve this issue, upgrade to the latest packages which contain a patch. Refer to CentOS advisory centos 7 for updates and patch information. (https://lists.centos.org/pipermail/cent ... 23499.html)

Patch:
Following are links for downloading patches to fix the vulnerabilities:

CESA-2019:3197: centos 7 (https://lists.centos.org/pipermail/cent ... 23499.html)

Also, the tool is advising an upgrade to the wrong package.

Package | Installed Version | Required Version
sudo | 1.8.23-3.el7.x86_64 | 1.8.23-4.el7_7.1

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 14:32:05
by TrevorH
And that version has been superseded by a more recent one. If you just run yum update it will offer it to you. And if you're going through security scans then you should make sure you are entirely up to date before you start as it's just going to find things that are already fixed but not on your system. So yum update _then_ scan.

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 14:33:30
by jlehtone
What "tool"? What "link"?

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 14:42:51
by CaptTechno
Using the Qualys tool for vulnerability scans.

The problem persists, as whatever recommendation I get is not "Actionable".
Landing on the same advisory page (https://lists.centos.org/pipermail/cent ... 35643.html)

Package Installed_Version Required_Version
sudo 1.8.23-4.el7_7.1.x86_64 1.8.23-4.el7_7.2

1.8.23-4.el7_7.2: this is not a CentOS package.

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 14:59:54
by TrevorH
Again, the latest and only supported version of sudo on CentOS 7 is sudo-1.8.23-9.el7.x86_64. It contains all security updates that have previously been released in lower numbered versions.

[root@centos7 ~]# yum list sudo --enablerepo=C7.\*-{base,updates} --noplugins --showdupli
Installed Packages
sudo.x86_64                         1.8.23-9.el7                               @qa              
Available Packages
sudo.x86_64                         1.8.6p7-11.el7                             C7.0.1406-base   
sudo.x86_64                         1.8.6p7-13.el7                             C7.1.1503-base   
sudo.x86_64                         1.8.6p7-16.el7                             C7.2.1511-base   
sudo.x86_64                         1.8.6p7-17.el7_2                           C7.2.1511-updates
sudo.x86_64                         1.8.6p7-20.el7                             C7.3.1611-base   
sudo.x86_64                         1.8.6p7-21.el7_3                           C7.3.1611-updates
sudo.x86_64                         1.8.6p7-22.el7_3                           C7.3.1611-updates
sudo.x86_64                         1.8.6p7-23.el7_3                           C7.3.1611-updates
sudo.x86_64                         1.8.19p2-10.el7                            C7.4.1708-base   
sudo.x86_64                         1.8.19p2-11.el7_4                          C7.4.1708-updates
sudo.x86_64                         1.8.19p2-13.el7                            C7.5.1804-base   
sudo.x86_64                         1.8.19p2-14.el7_5                          C7.5.1804-updates
sudo.x86_64                         1.8.23-3.el7                               C7.6.1810-base   
sudo.x86_64                         1.8.23-4.el7                               C7.7.1908-base   
sudo.x86_64                         1.8.23-4.el7_7.1                           C7.7.1908-updates
sudo.x86_64                         1.8.23-4.el7_7.2                           C7.7.1908-updates
sudo.x86_64                         1.8.23-9.el7                               base 
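
The ordering in the listing above can be checked mechanically when triaging scanner rows. The following is an added example, not part of the original posts and not rpm's own code: a simplified re-implementation of RPM's segment-wise version comparison (tilde and caret handling omitted), with hypothetical function names, applied to the installed/required pairs quoted in this thread.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")             # runs of digits or of letters
_ARCH = re.compile(r"\.(x86_64|i686|noarch)$")     # arch suffix the scanner appends

def rpmvercmp(a, b):
    """Compare two version or release strings; return -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1        # numeric segment beats alphabetic
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):                   # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments are newer

def parse_evr(s):
    """Split '[epoch:]version-release[.arch]' into (epoch, version, release)."""
    s = _ARCH.sub("", s)
    epoch, _, rest = s.rpartition(":")
    version, _, release = rest.rpartition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def finding_is_fixed(installed, required):
    """A scanner row is closed once installed >= required."""
    return evr_cmp(installed, required) >= 0

# (installed, required) scanner rows as quoted in the thread
FINDINGS = [
    ("1.8.23-4.el7.x86_64", "1.8.23-4.el7_7.1"),
    ("1.8.23-3.el7.x86_64", "1.8.23-4.el7_7.1"),
    ("1.8.23-4.el7_7.1.x86_64", "1.8.23-4.el7_7.2"),
]
CURRENT = "1.8.23-9.el7.x86_64"   # version named in the posts as current

if __name__ == "__main__":
    for installed, required in FINDINGS:
        print(required, "| open on", installed, ":", not finding_is_fixed(installed, required),
              "| closed by", CURRENT, ":", finding_is_fixed(CURRENT, required))
```

Every "required" release in the scanner rows sorts below 1.8.23-9.el7, so a host at that release closes all three findings even though the advisory text names an older build.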

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 15:59:39
by CaptTechno
Thanks for your support and quick reply.
Will use your recommendations.

Re: Where can I find updated repo of package 1.8.23-4.el7.x86_64

Posted: 2020/05/05 16:59:57
by jlehtone
Your tool finds an email that did announce availability of an updated CentOS 7 sudo package.
The package and announcement were made after Red Hat had published that update for RHEL 7.7.
The email refers to Red Hat's announcement, as is proper.

Since then, Red Hat had published RHEL 7.8. Red Hat has announcements of packages that went into 7.8.
For example: https://access.redhat.com/errata/RHBA-2020:1048

CentOS has released CentOS 7 (2003) that is derived from RHEL 7.8. No announcement emails of individual packages have been generated. Your tool can't track that.

Your update is and has been actionable the whole time.

There can be slight delay between RHEL release and CentOS release of an update. You are free to purchase RHEL, if that is not acceptable.

If a vulnerability is described and Red Hat has not released an update, then the rationale is on upstream (Red Hat's) documentation. (Won't fix, workaround, ...)