Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
On 2021-01-28 19:17 James Pearson wrote:
> I don't know of another way of testing if this build fixes the issue ?

According to the Qualys blog, sudoedit -s '\' `perl -e 'print "A" x 65536'` should core-dump on vulnerable versions.

I just tried on stock 6.10 and it core-dumps, indeed. Upgrading to the OL6 sudo package fixes the issue, indeed (no more core dump).

So it seems to work fine to me.
Thanks.

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.da...@assyoma.it - i...@assyoma.it
GPG public key ID: FF5F32A8
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
Barry Brimer:
> I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM.
> The package installed fine, the sudo functionality still works but according to
> the test described in the Qualys advisory of running "sudoedit -s /" (without
> quotes) this system is still vulnerable.

I guess that is a question to ask those that support OL6 ?

I noticed the same - but I don't know if running 'sudoedit -s /' is an absolute measure of the vulnerability being fixed?

There is definitely a 'CVE-2021-3156' patch that is applied in the SRPM ...

I don't know of another way of testing if this build fixes the issue ?

James Pearson
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine, the sudo functionality still works but according to the test described in the Qualys advisory of running "sudoedit -s /" (without quotes) this system is still vulnerable.

My CentOS Linux 7 (x86_64), CentOS Linux 8 (x86_64), and CentOS Stream 8 (x86_64) VMs running the actual CentOS package do not appear vulnerable running this test.

Migrating the previously mentioned CentOS Linux 6 VM to Oracle Linux and running the same test shows the fully updated Oracle Linux 6 to be vulnerable as well.

Has anyone else tried this? Do your results match or differ from mine?

Thanks,
Barry

On January 28, 2021 9:15:47 AM UTC, James Pearson wrote:
> Maxim Shpakov:
> >
> > You can use Oracle Linux 6, it is still supported (till March 2021)
>
> Looks like Oracle's el6 sudo update is now available:
>
> https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.x86_64.rpm
> https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.i686.rpm
> http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm
>
> * Tue Jan 26 2021 Qing Lin - 1.8.6p3-29.0.2.el6_10.3
> - backport the fix CVE-2021-3156.patch from ol7.
>
> James Pearson
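The thread relies on two verification signals, the Qualys "sudoedit -s /" test and the CVE-2021-3156 entry in the package changelog, and James Pearson later notes the /etc/sudo-ldap.conf.rpmsave pitfall of the sudo.ws RPM. The following POSIX shell script is an added example, not code from anyone in the thread, that runs those checks after installing a rebuilt sudo package; it assumes the responses the Qualys advisory documents (a vulnerable build answers "sudoedit -s /" with a line starting "sudoedit:", a patched build with a line starting "usage:") and that the changelog heuristic is only a hint, not proof.

```shell
#!/bin/sh
# Added example (not from the thread): verify a rebuilt sudo package for
# CVE-2021-3156 on an EL6-style host. Run as an unprivileged user.

# Classify the output of `sudoedit -s /` as the Qualys advisory documents it:
# a "usage:" line means the fix is present, a "sudoedit:" error means the
# build is still vulnerable. Returns 0 patched, 1 vulnerable, 2 unrecognised
# (e.g. sudoedit missing; inspect by hand).
classify_sudoedit_output() {
    case "$1" in
        usage:*)    return 0 ;;
        sudoedit:*) return 1 ;;
        *)          return 2 ;;
    esac
}

# Second, heuristic signal: the installed RPM's changelog names the CVE
# (the OL6 build in the thread logs "backport the fix CVE-2021-3156.patch").
rpm_changelog_mentions_cve() {
    rpm -q --changelog sudo 2>/dev/null | grep -q 'CVE-2021-3156'
}

# The sudo.ws RPM renames /etc/sudo-ldap.conf to .rpmsave, silently breaking
# LDAP-based sudoers; flag that so the file can be moved back.
ldap_config_displaced() {
    [ -e /etc/sudo-ldap.conf.rpmsave ] && [ ! -e /etc/sudo-ldap.conf ]
}

check_host() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as a non-root user" >&2
        return 2
    fi
    out=$(sudoedit -s / 2>&1 </dev/null)
    state=0
    classify_sudoedit_output "$out" || state=$?
    case $state in
        0) echo "sudoedit test: patched" ;;
        1) echo "sudoedit test: VULNERABLE ($out)" ;;
        *) echo "sudoedit test: unrecognised output: $out" ;;
    esac
    pkg=$(rpm -q sudo 2>/dev/null)
    rpm_changelog_mentions_cve && echo "rpm changelog: CVE entry present ($pkg)" \
                               || echo "rpm changelog: no CVE-2021-3156 entry ($pkg)"
    ldap_config_displaced && echo "WARNING: /etc/sudo-ldap.conf renamed to .rpmsave; restore it"
    return $state
}
# Run the live checks when executed as a script (functions stay sourceable).
check_host || :
```

The script's exit status follows the sudoedit classification, so it can be run from a configuration-management job and the "unrecognised" case reviewed by hand.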
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
Maxim Shpakov:
> > You can use Oracle Linux 6, it is still supported (till March 2021)

Looks like Oracle's el6 sudo update is now available:

https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.x86_64.rpm
https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.i686.rpm
http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm

* Tue Jan 26 2021 Qing Lin - 1.8.6p3-29.0.2.el6_10.3
- backport the fix CVE-2021-3156.patch from ol7.

James Pearson
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
Christian Anthon:
> Centos-6 compatible packages are available from the official sudo
> webpage. It's a later version of sudo and I'm not sure if that will
> cause problems. I've tried installing it and so-far so-good.
>
> https://www.sudo.ws/download.html

One minor problem - if you have sudo configured to use LDAP (using /etc/sudo-ldap.conf), then upgrading using the sudo.ws RPM will rename /etc/sudo-ldap.conf as /etc/sudo-ldap.conf.rpmsave and stop sudo working with LDAP.

Moving the original /etc/sudo-ldap.conf back fixes this - but it's a pity the sudo.ws RPM doesn't provide /etc/sudo-ldap.conf as a config file - which would prevent this happening.

James Pearson
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
Centos-6 compatible packages are available from the official sudo webpage. It's a later version of sudo and I'm not sure if that will cause problems. I've tried installing it and so-far so-good.

https://www.sudo.ws/download.html

Cheers,
Christian.

On 27/01/2021 08.38, Gionatan Danti wrote:
> Hi all,
> do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
>
> While CentOS 6 is not supported anymore, RedHat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
>
> So I wonder if some community-packaged patch exists...
> Thanks.
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
I think it is just not released yet. OL6 is on support track still

On Wed, 27 Jan 2021 at 12:33, Simon Matter wrote:
> > Hi
> >
> > You can use Oracle Linux 6, it is still supported (till March 2021)
>
> But I don't find this sudo update or the recent openssl update in their
> repos? Is this for paying customers only or what?
>
> Simon
>
> > On Wed, 27 Jan 2021 at 09:38, Gionatan Danti wrote:
> >
> >> Hi all,
> >> do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
> >>
> >> While CentOS 6 is not supported anymore, RedHat has it under its
> >> paid support agreement (see:
> >> https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
> >>
> >> So I wonder if some community-packaged patch exists...
> >> Thanks.
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
On 2021-01-27 09:34 Walter H. wrote:
> is that what you expect to find?
> https://access.redhat.com/errata/RHSA-2021:0227

Yes, something similar...
Thanks.

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.da...@assyoma.it - i...@assyoma.it
GPG public key ID: FF5F32A8
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
> Hi
>
> You can use Oracle Linux 6, it is still supported (till March 2021)

But I don't find this sudo update or the recent openssl update in their repos? Is this for paying customers only or what?

Simon

> On Wed, 27 Jan 2021 at 09:38, Gionatan Danti wrote:
>
>> Hi all,
>> do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
>>
>> While CentOS 6 is not supported anymore, RedHat has it under its
>> paid support agreement (see:
>> https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
>>
>> So I wonder if some community-packaged patch exists...
>> Thanks.
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
Hi

You can use Oracle Linux 6, it is still supported (till March 2021)

On Wed, 27 Jan 2021 at 09:38, Gionatan Danti wrote:
> Hi all,
> do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
>
> While CentOS 6 is not supported anymore, RedHat has it under its
> paid support agreement (see:
> https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
>
> So I wonder if some community-packaged patch exists...
> Thanks.
Re: [CentOS] CentOS 6 fix sudo CVE-2021-3156
is that what you expect to find?
https://access.redhat.com/errata/RHSA-2021:0227

On 27.01.2021 08:38, Gionatan Danti wrote:
> Hi all,
> do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
>
> While CentOS 6 is not supported anymore, RedHat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
>
> So I wonder if some community-packaged patch exists...
> Thanks.
[CentOS] CentOS 6 fix sudo CVE-2021-3156
Hi all,
do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?

While CentOS 6 is not supported anymore, RedHat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).

So I wonder if some community-packaged patch exists...
Thanks.

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.da...@assyoma.it - i...@assyoma.it
GPG public key ID: FF5F32A8