On 2/3/21 10:41 AM, Ken Moffat via lfs-dev wrote:
On Wed, Feb 03, 2021 at 10:13:26AM -0800, Tree Davies via lfs-dev wrote:
Hi Everyone,
Just wanted to mention that, according to the article, BLFS is using a vulnerable
version of Sudo (1.9.2).
Although I haven't been able to repro it... Has anyone else been successful?
Cheers,
Tree
Hi Tree,
I'll mention in passing that blfs-dev is arguably a better place to
have asked this, although in practice I think we're all here and
could get by with just one -dev list for the two books. Anyway ...
https://frontpagelinux.com/news/sudo-vulnerability-discovered-how-to-protect-your-system-from-baron-samedit/
http://www.linuxfromscratch.org/blfs/view/stable-systemd/postlfs/sudo.html
That blfs link points to stable-systemd, i.e. 10.0 which was
released on 1st September. Once a book is released, it is set in
stone. Everything from then until the next release happens in the
development books. For systemd see
http://www.linuxfromscratch.org/blfs/view/systemd/postlfs/sudo.html
which was updated to 1.9.5p2 on 26th January.
At the moment, security vulnerabilities for BLFS (but not for LFS)
are mentioned in the Errata (for 10.0) - follow the Errata links at
http://www.linuxfromscratch.org/blfs/read.html for BLFS Errata and
BLFS Systemd Errata.
I am hoping to separate the vulnerabilities into new Security
Advisory pages for both LFS and BLFS before we release 10.1. That is
currently work in progress (I'm nearly up to the end of November in
my local copy) - I've mentioned it on blfs-dev recently, some things
have changed a little since then. I'll mention it more widely in a
day or two, and since I have not yet got as far as any updates for
sudo I won't provide the link here :)
ĸen
Aha! Thanks for the info guys.
Tree
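For anyone wanting to do the check Tree mentions rather than read it off a book page, the following is an added example, not code from the LFS/BLFS lists or from the sudo project. It encodes the affected range the sudo advisory gives for the sudoedit heap overflow behind the "Baron Samedit" article (CVE-2021-3156: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2, which is the version the systemd development book moved to), parses the first line of `sudo --version`, and runs the behavioural probe published with the advisory (`sudoedit -s /` complains with a `sudoedit:` prefix on an affected build and prints `usage:` on a fixed one). The function and variable names are this example's own; the probe assumes the `sudoedit` symlink was installed, as the BLFS build does.

```shell
#!/bin/sh
# Added example: is an installed or book-listed sudo inside the range
# affected by the sudoedit heap overflow (CVE-2021-3156)?  Not from LFS,
# BLFS or the sudo project; names here are the example's own.

# Turn "1.8.31p2" / "1.9.5" / "1.9" into one comparable integer:
# major*1e9 + minor*1e6 + micro*1e3 + patchlevel (e.g. 1.9.5p2 -> 1009005002).
# Pre-release suffixes such as "b1" are not handled.
version_key() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in *.*) rest=${rest#*.} ;; *) rest=0 ;; esac
    case $rest in
        *p*) micro=${rest%%p*}; plevel=${rest##*p} ;;
        *)   micro=$rest;        plevel=0 ;;
    esac
    echo $(( major * 1000000000 + minor * 1000000 + micro * 1000 + plevel ))
}

# Exit 0 if the version is in an affected range (sudo advisory:
# 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1), 1 otherwise.
sudo_version_affected() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Pull the version out of the first line of `sudo --version`,
# which reads "Sudo version 1.9.5p2".
parse_sudo_version_line() {
    set -- $1
    echo "$3"
}

# Live check of this host: version range first, then the behavioural probe.
# Run as an ordinary user; the probe needs the sudoedit symlink to exist.
check_installed_sudo() {
    ver=$(parse_sudo_version_line "$(sudo --version 2>/dev/null | head -n 1)")
    [ -n "$ver" ] || { echo "sudo not found"; return 2; }
    if sudo_version_affected "$ver"; then
        echo "sudo $ver: version is in the affected range"
    else
        echo "sudo $ver: version is outside the affected range"
    fi
    if command -v sudoedit >/dev/null 2>&1; then
        if sudoedit -s / 2>&1 | grep -q '^sudoedit:'; then
            echo "probe: sudoedit -s / accepted -s -> build is affected"
        else
            echo "probe: sudoedit -s / rejected -s -> build is fixed"
        fi
    else
        echo "probe skipped: sudoedit symlink not installed"
    fi
}

# Sample version strings (constructed; 1.9.2 is the one the thread names).
for sample in 1.9.2 1.8.31p2 1.9.5p1 1.9.5p2 1.8.1; do
    if sudo_version_affected "$sample"; then
        echo "$sample: affected"
    else
        echo "$sample: not affected"
    fi
done

# Pass --check to test the sudo actually installed on this machine.
case ${1:-} in --check) check_installed_sudo ;; esac
```

The version test is what a book or package list can be checked against; the probe is the thing to trust on a running system, because a distribution or local build may carry the fix under an older version number. Neither replaces reading the sudo advisory for the exact affected builds.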
--
http://lists.linuxfromscratch.org/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page