Koozali.org: home of the SME Server

sudo CVE-2021-3156 fix

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
« on: February 08, 2021, 09:33:24 AM »
Today the sudo-1.8.6p3-30.el6.sme rpm has been released.

This is an important fix against CVE-2021-3156.
This could affect any SME 9 with a non-root user with ssh or local access to the command line, as it allows root privilege escalation.


One can choose to install as a fix:
- the present update in the SME9 smeupdates repo
- the Oracle ol6 rpm
- sudo 1.9 for RHEL 6 from the sudo project
https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-1.9.5-3.el6.x86_64.rpm
https://github.com/sudo-project/sudo/releases/download/SUDO_1_9_5p2/sudo-1.9.5-3.el6.i386.rpm
- or the CloudLinux sudo rpm with the fix
https://mirrors.mediatemple.net/cloudlinux-centos6-els/x86_64/


The following workaround was also available:
Code:
chmod 0644 /usr/bin/sudo

Remember that SME 9 is not maintained anymore, as upstream does not maintain CentOS 6 anymore; this security fix is only provided because SME 10 is not ready for release.
You should be ready to migrate as soon as possible to the next release.
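A check an administrator can run after reading the post, to confirm a SME 9 host is covered either by the fixed package or by the chmod workaround (added example, not part of the original post or of the SME Server project; the function names, the "--live" flag and the treatment of any 1.8.6p3-30 or 1.9.x build as fixed are assumptions of this example):

```shell
#!/bin/bash
# Added example (not from the original post): decide whether a SME 9 host is
# covered against CVE-2021-3156. Version-release strings and file modes are
# passed as arguments so the logic can be exercised offline.

FIXED_SME="1.8.6p3-30.el6.sme"   # fixed rpm named in the post

# Returns 0 when version-release $1 sorts at or after $2.
# Assumption: GNU sort -V ordering ("p3" suffix, then release number) is
# sufficient here, so 1.8.6p3-30.el6.sme and any 1.9.x build count as fixed.
version_ge() {
    [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# $1 = installed version-release, e.g. rpm -q --qf '%{VERSION}-%{RELEASE}' sudo
# Prints "fixed" or "vulnerable".
sudo_rpm_status() {
    if version_ge "$1" "$FIXED_SME"; then echo fixed; else echo vulnerable; fi
}

# $1 = octal mode of /usr/bin/sudo, e.g. stat -c %a /usr/bin/sudo
# The post's workaround sets 0644: no setuid bit and no execute bit, so the
# vulnerable binary cannot be run by unprivileged users at all.
workaround_applied() {
    case "$1" in
        644|0644) return 0 ;;
        *)        return 1 ;;
    esac
}

# Combine both checks: $1 = rpm version-release, $2 = mode of /usr/bin/sudo
# Prints "fixed", "mitigated" (workaround only) or "vulnerable".
host_status() {
    if [ "$(sudo_rpm_status "$1")" = fixed ]; then
        echo fixed
    elif workaround_applied "$2"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Query the local host (hypothetical flag): ./check_sudo.sh --live
if [ "${1-}" = "--live" ]; then
    host_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' sudo)" \
                "$(stat -c %a /usr/bin/sudo)"
fi
```

Note that "mitigated" only means sudo is unusable; the package should still be updated, and the setuid mode restored, once the fixed rpm is installed.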