Update sudo!
So, now news,sudo
had a very astonishing bug: you can gain access as superuser specifying a negative user ID.
Now, first of all, no flame and no panic: this works only if you are allowed to run
ALL
commands.
A little more panic: many (Linux) distributions do configure the main user with an
ALL** command alias, and therefore are vulnerable.
<br/>
**Versions before
1.8.28` are affected, and therefore upgrades are required.**
I decided to have a look at my systems, to see how to upgrade.
Kubuntu
My Kubuntu machines were running1.8.23
(gosh!). Since I’m on Kubuntu 18.10 (not LTS!), it seems I cannot update it without upgrading my systems, and the page references that my distro is not affected while it is (obviously).
FreeBSD
My FreeBSD machines were running1.8.27
, truly the most updated version around all my systems.
Issuing a pkg upgrade
proposed me sudo
as an upgrade, so I got the new shiny version running.
Fedora
My Fedora 30 machine gets updated easily with the new version of sudo.CentOS
My CentOS7.5
is running 1.8.23
and there’s no automatic upgrade.
Conclusions
Again, I’m not much impressed by the Ubuntu way of handling updates. And I’m positively impressed by how FreeBSD handles them precisely. I don’t have enough experience to judge Fedora nor CentOS, but let’s say the former sounds to me a little better in this particular case.So what I have to do after all? Upgrade as much binaries as possible, or compile a new `sudo** version by my own! At least I got my system patched!