Koozali.org: home of the SME Server

sudo CVE-2021-3156 fix

Jean-Philippe Pialasse
« on: February 08, 2021, 09:33:24 AM »
The sudo-1.8.6p3-30.el6.sme rpm has been released today.

This is an important fix against CVE-2021-3156.
This could affect any SME 9 with a non-root user with ssh or local access to the command line, as it allows root privilege escalation.

One can choose to install as a fix:
- the present update in the SME9 smeupdates repo
- the Oracle OL6 rpm
- sudo 1.9 for RHEL6 from sudo
- or the CloudLinux sudo rpm with the fix

The following workaround was also available:
Code:
chmod 0644 /usr/bin/sudo

Remember SME 9 is not maintained anymore, as upstream does not maintain CentOS 6 anymore, and this security fix is only provided as SME10 is not ready for release.
You should be ready to migrate as soon as possible to the next release.
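
A host check built from the fixed package name and the chmod workaround given in the post, as an added example that is not part of the original post or of SME Server itself. The function names, the status labels and the sample version strings in the comments are this example's own; it assumes SME builds carry the `.sme` release suffix seen in the package name above, and reports builds from the other listed sources as check-vendor rather than guessing their fixed versions.

```shell
#!/bin/sh
# Added example: classify the installed sudo against the fixes in the post.
FIXED_VERSION="1.8.6p3"   # from the post: sudo-1.8.6p3-30.el6.sme
FIXED_RELEASE=30

# has_setuid MODE: true if the octal mode (as printed by `stat -c %a`)
# carries the setuid bit. `chmod 0644` clears it, along with the execute bits.
has_setuid() {
    case "$1" in
        [4567][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo_status VERSION-RELEASE MODE
# Prints one of: fixed, workaround, update-needed, check-vendor
sudo_status() {
    ver=${1%%-*}          # e.g. 1.8.6p3
    rel=${1#*-}           # e.g. 30.el6.sme
    relnum=${rel%%.*}     # e.g. 30
    sme_build=no
    case "$rel" in *.sme) sme_build=yes ;; esac
    case "$relnum" in ''|*[!0-9]*) relnum=-1 ;; esac   # non-numeric release

    if [ "$sme_build" = yes ] && [ "$ver" = "$FIXED_VERSION" ]; then
        if [ "$relnum" -ge "$FIXED_RELEASE" ]; then echo fixed; return 0; fi
        if has_setuid "$2"; then echo update-needed; else echo workaround; fi
        return 0
    fi
    # Not the SME build named in the post (Oracle, CloudLinux, sudo 1.9, ...):
    # the post gives no version for these, so defer to the vendor's advisory.
    if has_setuid "$2"; then echo check-vendor; else echo workaround; fi
}

# audit_host: query the real package and binary on an RPM-based host.
audit_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' sudo) || return 1
    mode=$(stat -c %a /usr/bin/sudo) || return 1
    echo "sudo $vr mode $mode: $(sudo_status "$vr" "$mode")"
}

# Only touch the host when asked to, e.g. `sh check-sudo.sh --audit`.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

A result of workaround means the setuid bit is cleared, so sudo itself is unusable until a fixed package is installed, which restores the packaged permissions.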