The officially official Devuan Forum!

#1 Re: News & Announcements » Sudo Vulnerability CVE-2021-3156 » 2021-10-06 05:18:05

GlennW wrote:

Now I'm confused. And I don't use sudo or would have it installed if I could arrange it.

Using the example above... I get

glenn@asus-r552jv:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
glenn@asus-r552jv:~$

My bad. I used the command wrong.

~ % sudoedit -s/
sudoedit: Ungültige Option -- /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
                prompt] [-T timeout] [-u user] file ...

I also get this

~ % sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
                prompt] [-T timeout] [-u user] file ...

I will give doas a try.

#2 Re: News & Announcements » Sudo Vulnerability CVE-2021-3156 » 2021-10-05 10:20:49

Thanks for the reply GlennW

hope this helps.

It still confuses me. I thought that, because I'm on stable, I should get security patches.

As I have sudo version 1.8.27-1+deb10u3, I think I still have the vulnerable version.

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1

I'm confused hmm

SOLVED:

Ok, after a little search on debian.org I found out that the version I have (1.8.27-1+deb10u3) is fixed!

I have the fixed version (https://www.debian.org/security/2021/dsa-4839) but still the behavior described on https://haxf4rall.com/2021/01/27/cve-20 … ity-alert/.

How to exploit this bug

Log in to the system as a non-root user and use the command sudoedit -s /

    -If you see an error that starts with sudoedit:, it indicates that there is a vulnerability.
    -If you see an error starting with usage:, then the patch has taken effect.
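
The check quoted in the post above, as an added example that is not part of the original thread: a shell function that classifies captured `sudoedit -s /` output by the quoted rule and treats the mistyped `-s/` output from the first post as inconclusive. The function name, the result labels and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: function name, result labels and samples are illustrative.

# Classify the combined stdout/stderr of `sudoedit -s /` by the rule quoted
# in the thread: first line "usage:" = patched, first line "sudoedit:" = flagged.
classify_sudoedit_output() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    case "$first" in
        usage:*)
            echo "patched" ;;
        sudoedit:*)
            # A "sudoedit:" error followed by a usage line is an option-parsing
            # error (for example `-s/` typed without the space). It says
            # nothing about CVE-2021-3156 either way.
            if printf '%s\n' "$1" | sed '1d' | grep -q '^usage:'; then
                echo "inconclusive"
            else
                echo "vulnerable-indicator"
            fi ;;
        *)
            echo "unknown" ;;
    esac
}

# Samples. The first two are the outputs posted in the thread; the third is
# constructed (the thread does not show output from a vulnerable system).
SAMPLE_PATCHED='usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
                prompt] [-T timeout] [-u user] file ...'
SAMPLE_MISTYPED='sudoedit: Ungültige Option -- /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
                prompt] [-T timeout] [-u user] file ...'
SAMPLE_FLAGGED='sudoedit: <constructed error text>'

for s in "$SAMPLE_PATCHED" "$SAMPLE_MISTYPED" "$SAMPLE_FLAGGED"; do
    classify_sudoedit_output "$s"
done

# Live use as a non-root user:
#   classify_sudoedit_output "$(sudoedit -s / 2>&1)"
```

A `vulnerable-indicator` result only means the output matches the pattern the thread quotes; the installed package version checked against the distribution's advisory, as done in the post above, settles the question.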

#3 Re: News & Announcements » Sudo Vulnerability CVE-2021-3156 » 2021-10-05 09:55:59

dice wrote:

If you haven't apt updated in a while, today would be the day to do it if you use sudo.

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1

Solution
In this regard, we recommend that users upgrade sudo to the latest version in time.

Hi. I don't understand. I do check for updates regularly. My version of sudo is:

~ % apt list sudo -a         
Auflistung... Fertig
sudo/stable,stable-security,now 1.8.27-1+deb10u3 amd64  [installiert]
sudo/stable,stable-security 1.8.27-1+deb10u3 i386

And I'm on Devuan 3.1.

My sources-list:

## package repositories
deb http://deb.devuan.org/merged beowulf main contrib non-free
deb http://deb.devuan.org/merged beowulf-updates main contrib non-free
deb http://deb.devuan.org/merged beowulf-security main contrib non-free
deb http://deb.devuan.org/merged beowulf-backports main contrib non-free

What is it I do not understand?
Am I doing something wrong?