I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine, the sudo functionality still works but according to the test described in the qualys advisory of running "sudoedit -s /” (without quotes) this system is still vulnerable.
My CentOS Linux 7 (x86_64), CentOS Linux 8 (x86_64), and CentOS Stream 8 (x86_64) VM running the actual CentOS package do not appear vulnerable running this test.
Migrating the previously mentioned CentOS Linux 6 vm to Oracle Linux and running the same test shows the fully updated Oracle Linux 6 to be vulnerable as well.
Has anyone else tried this? Do your results match or differ from mine?
Thanks, Barry
On January 28, 2021 9:15:47 AM UTC, James Pearson james-p@moving-picture.com wrote:
Maxim Shpakov:
You can use oracle linux 6 , it is still supported (till March 2021)
Looks like Oracle's el6 sudo update is now available:
https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.... https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.... http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm
- Tue Jan 26 2021 Qing Lin qing.lin@oracle.com -
1.8.6p3-29.0.2.el6_10.3
- backport the fix CVE-2021-3156.patch from ol7.
James Pearson _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos