On Wed, Feb 03, 2021 at 10:13:26AM -0800, Tree Davies via lfs-dev wrote:
> Hi Everyone,
>
> Just wanted to mention according to the article BLFS is using a vulnerable
> version of Sudo (1.9.2).
> Although I haven't been able to repro it... Has anyone else been successful?
>
> Cheers,
> Tree
>
Hi Tree,

I'll mention in passing that blfs-dev is arguably a better place to have
asked this, although in practice I think we're all here and could get by
with just one -dev list for the two books. Anyway ...

> https://frontpagelinux.com/news/sudo-vulnerability-discovered-how-to-protect-your-system-from-baron-samedit/
>
> http://www.linuxfromscratch.org/blfs/view/stable-systemd/postlfs/sudo.html
>

That blfs link points to stable-systemd, i.e. 10.0 which was released on
1st September. Once a book is released, it is set in stone. Everything
from then until the next release happens in the development books.

For systemd see http://www.linuxfromscratch.org/blfs/view/systemd/postlfs/sudo.html
which was updated to 1.9.5p2 on 26th January.

At the moment, security vulnerabilities for BLFS (but not for LFS) are
mentioned in the Errata (for 10.0) - follow the Errata links at
http://www.linuxfromscratch.org/blfs/read.html for BLFS Errata and
BLFS Systemd Errata.

I am hoping to separate the vulnerabilities into new Security Advisory
pages for both LFS and BLFS before we release 10.1. That is currently
work in progress (I'm nearly up to the end of November in my local copy)
- I've mentioned it on blfs-dev recently, some things have changed a
little since then. I'll mention it more widely in a day or two, and
since I have not yet got as far as any updates for sudo I won't provide
the link here :)

ĸen

-- 
Any attempt to brew coffee with a teapot should result in the error code
"418 I'm a teapot". The resulting entity body MAY be short and stout.
-- rfc 2324 (1st April 1998)

-- 
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page