CVE-2021-3156 (sudo) vs Leap 15.1
Hi all, quick question: I know Leap 15.1 has basically reached EOL, but CVE-2021-3156 looks IMHO severe enough to justify fixing it still. Is this currently being considered by the community / SUSE (or has it been done and I simply overlooked it)? I just ran the last / latest updates against a 15.1 system and it appears to be still vulnerable. I can built packages with the fix myself if needed, but an official update for this one could make a massive difference. I can only guess how many people are still behind (like me ...) with updating to 15.2. Thanks, Sebastian
Hi Marcus,
The sudo update was released today for 15.1.
just for clarification: If I just updated my system, I should have this patch running? This would be: sudo-1.8.22-lp151.5.12.1.x86_64 (dated January 27). The Qualys blog post on this issue ... https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-he... ... states:
Right now, I get this:
Is their "test" "broken" or is this kind of test not applicable to Leap? Best regards, Sebastian
On Wed, Jan 27, 2021 at 03:17:12PM +0100, Sebastian M. Ernst wrote:
Yes. You can check: rpm -q --changelog sudo|head will list the new CVE.
try: sudoedit -s '\' `perl -e 'print "A" x 65536'` it will crash before, it should not crash after: BAD: malloc(): corrupted top size Aborted (core dumped) ciao, Marcus
On 2021-01-27 19:38, Frank Krüger wrote:
If I am not mistaken, current TW20210121 with sudo-1.9.5p1-1.1.x86_64 does not contain a fix for CVE-2021-3156.
That is expected. But I believe it's just around the corner. https://build.opensuse.org/package/show/openSUSE:Factory/sudo -- /bengan
participants (5)
-
Bengt Gördén -
Dirk Müller -
Frank Krüger -
Marcus Meissner -
Sebastian M. Ernst