Hi all, do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
While CentOS 6 is not supported anymore, Red Hat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
So I wonder if some community-packaged patch exists... Thanks.
is that what you expect to find? https://access.redhat.com/errata/RHSA-2021:0227
On 27.01.2021 08:38, Gionatan Danti wrote:
Hi all, do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
While CentOS 6 is not supported anymore, Red Hat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
So I wonder if some community-packaged patch exists... Thanks.
Il 2021-01-27 09:34 Walter H. ha scritto:
is that what you expect to find? https://access.redhat.com/errata/RHSA-2021:0227
Yes, something similar... Thanks.
Hi
You can use Oracle Linux 6, it is still supported (till March 2021).
On Wed, 27 Jan 2021 at 09:38, Gionatan Danti g.danti@assyoma.it wrote:
Hi all, do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
While CentOS 6 is not supported anymore, Red Hat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
So I wonder if some community-packaged patch exists... Thanks.
-- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it email: g.danti@assyoma.it - info@assyoma.it GPG public key ID: FF5F32A8 _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi
You can use Oracle Linux 6, it is still supported (till March 2021).
But I don't find this sudo update or the recent openssl update in their repos. Is this for paying customers only, or what?
Simon
On Wed, 27 Jan 2021 at 09:38, Gionatan Danti g.danti@assyoma.it wrote:
Hi all, do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
While CentOS 6 is not supported anymore, Red Hat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
So I wonder if some community-packaged patch exists... Thanks.
I think it is just not released yet. OL6 is still on the support track.
On Wed, 27 Jan 2021 at 12:33, Simon Matter simon.matter@invoca.ch wrote:
Hi
You can use Oracle Linux 6, it is still supported (till March 2021).
But I don't find this sudo update or the recent openssl update in their repos. Is this for paying customers only, or what?
Simon
Maxim Shpakov:
You can use Oracle Linux 6, it is still supported (till March 2021).
Looks like Oracle's el6 sudo update is now available:
https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.... https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.... http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm
* Tue Jan 26 2021 Qing Lin qing.lin@oracle.com - 1.8.6p3-29.0.2.el6_10.3
- backport the fix CVE-2021-3156.patch from ol7.
James Pearson
I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine and the sudo functionality still works, but according to the test described in the Qualys advisory of running "sudoedit -s /" (without quotes), this system is still vulnerable.
My CentOS Linux 7 (x86_64), CentOS Linux 8 (x86_64), and CentOS Stream 8 (x86_64) VMs running the actual CentOS package do not appear vulnerable running this test.
Migrating the previously mentioned CentOS Linux 6 vm to Oracle Linux and running the same test shows the fully updated Oracle Linux 6 to be vulnerable as well.
Has anyone else tried this? Do your results match or differ from mine?
Thanks, Barry
On January 28, 2021 9:15:47 AM UTC, James Pearson james-p@moving-picture.com wrote:
Maxim Shpakov:
You can use Oracle Linux 6, it is still supported (till March 2021).
Looks like Oracle's el6 sudo update is now available:
https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.... https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.... http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm
* Tue Jan 26 2021 Qing Lin qing.lin@oracle.com - 1.8.6p3-29.0.2.el6_10.3
- backport the fix CVE-2021-3156.patch from ol7.
James Pearson
Barry Brimer:
I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine and the sudo functionality still works, but according to the test described in the Qualys advisory of running "sudoedit -s /" (without quotes), this system is still vulnerable.
I guess that is a question to ask those that support OL6?
I noticed the same - but I don't know if running 'sudoedit -s /' is an absolute measure of the vulnerability being fixed?
There is definitely a 'CVE-2021-3156' patch that is applied in the SRPM ...
I don't know of another way of testing if this build fixes the issue?
James Pearson
Il 2021-01-28 19:17 James Pearson ha scritto:
I don't know of another way of testing if this build fixes the issue?
According to the Qualys blog, sudoedit -s '' `perl -e 'print "A" x 65536'` should core-dump on vulnerable versions.
I just tried on stock 6.10 and it core-dumps, indeed. Upgrading to the OL6 sudo package fixes the issue, indeed (no more core dump).
So it seems to work fine to me. Thanks.
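The two checks discussed in this thread (Barry's "sudoedit -s /" test and the 65536-byte argument from the Qualys write-up), wrapped into one script as an added example; this is not code from the thread, from Qualys or from any distribution. It assumes what the Qualys advisory documents: an unpatched sudoedit answers "sudoedit -s /" with an error beginning "sudoedit:" while a fixed one rejects the flag and prints "usage:", and the oversized argument crashes an unpatched build (the shell then reports an exit status above 128). A backported fix can stop the crash while still answering the flag test as vulnerable, which is exactly the split this thread saw on the OL6 package, so the script reports both results separately and also greps the RPM changelog for the CVE. The sample outputs in the classifier comments are constructed from the advisory's description, not captured from a real host.

```shell
#!/bin/sh
# Added example: non-destructive CVE-2021-3156 checks for an EL6-style host.
# Run as a regular user; no sudoers rule is needed for either test.

# classify_sudoedit_output STDERR_TEXT
# Maps the first line printed by `sudoedit -s /` to a verdict.
#   "sudoedit: /: not a regular file"   -> vulnerable (flawed path reached)
#   "usage: sudoedit [-AknS] ..."       -> patched (flag rejected up front)
classify_sudoedit_output() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# classify_exit_status STATUS
# 128+N means the process died from signal N (SIGSEGV gives 139, SIGABRT 134),
# i.e. the core dump the thread saw on stock sudo 1.8.6p3; anything else means
# sudoedit exited normally and the heap overflow was not triggered.
classify_exit_status() {
    if [ "$1" -gt 128 ] 2>/dev/null; then
        echo crashed
    else
        echo no-crash
    fi
}

# check_sudoedit_flag: run the "sudoedit -s /" test against the installed binary.
check_sudoedit_flag() {
    out=$(sudoedit -s / 2>&1)
    classify_sudoedit_output "$out"
}

# check_heap_overflow: pass a 65536-byte argument; the subshell's exit status
# carries the signal number if sudoedit is killed. Output is discarded so the
# shell's own "Segmentation fault" line does not clutter the verdict.
check_heap_overflow() {
    ( sudoedit -s '' "$(perl -e 'print "A" x 65536')" ) >/dev/null 2>&1
    classify_exit_status $?
}

# has_cve_patch_in_changelog: true if the installed RPM's changelog names the
# CVE, as the OL6 backport's "backport the fix CVE-2021-3156.patch" entry does.
has_cve_patch_in_changelog() {
    rpm -q --changelog sudo 2>/dev/null | grep -q 'CVE-2021-3156'
}

main() {
    echo "sudo package:        $(rpm -q sudo 2>/dev/null || echo unknown)"
    echo "sudoedit -s / test:  $(check_sudoedit_flag)"
    echo "65536-byte arg test: $(check_heap_overflow)"
    if has_cve_patch_in_changelog; then
        echo "changelog:           mentions CVE-2021-3156"
    else
        echo "changelog:           no CVE-2021-3156 entry"
    fi
}

# Run the checks only when invoked as a script, so the functions can be sourced.
case "$0" in
    *sudo_cve_2021_3156_check.sh) main ;;
esac
```

Save it as sudo_cve_2021_3156_check.sh and run it before and after installing the candidate package; a result of "patched" plus "no-crash" plus a changelog hit is what the CentOS 7/8 builds in this thread produce, while "vulnerable" plus "no-crash" is the ambiguous state that warrants asking the package maintainer which code path the backport actually covers.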
CentOS 6-compatible packages are available from the official sudo webpage. It's a later version of sudo and I'm not sure if that will cause problems. I've tried installing it and so far so good.
https://www.sudo.ws/download.html
Cheers, Christian.
On 27/01/2021 08.38, Gionatan Danti wrote:
Hi all, do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
While CentOS 6 is not supported anymore, Red Hat has it under its paid support agreement (see: https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
So I wonder if some community-packaged patch exists... Thanks.
Christian Anthon:
CentOS 6-compatible packages are available from the official sudo webpage. It's a later version of sudo and I'm not sure if that will cause problems. I've tried installing it and so far so good.
One minor problem: if you have sudo configured to use LDAP (using /etc/sudo-ldap.conf), then upgrading using the sudo.ws RPM will rename /etc/sudo-ldap.conf to /etc/sudo-ldap.conf.rpmsave and stop sudo working with LDAP.
Moving the original /etc/sudo-ldap.conf back fixes this, but it's a pity the sudo.ws RPM doesn't provide /etc/sudo-ldap.conf as a config file, which would prevent this from happening.
James Pearson
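A small pre- and post-upgrade helper for the LDAP breakage James describes, as an added example that is not code from the thread or from the sudo project. It assumes the EL6 layout the thread refers to: sudo's LDAP settings live in /etc/sudo-ldap.conf, LDAP lookups are enabled by naming ldap on the "sudoers:" line of /etc/nsswitch.conf, and a package that does not mark the file as a config file leaves the old copy behind as /etc/sudo-ldap.conf.rpmsave. The file paths are passed as arguments so the functions can be exercised against a scratch directory; the nsswitch and sudo-ldap contents used in the usage note are constructed.

```shell
#!/bin/sh
# Added example: keep sudo's LDAP configuration intact across an upgrade to a
# third-party sudo RPM that does not ship /etc/sudo-ldap.conf as %config.

# sudoers_uses_ldap [NSSWITCH_FILE]
# True when the "sudoers:" line in nsswitch.conf (default /etc/nsswitch.conf)
# names ldap, i.e. when losing sudo-ldap.conf would actually break sudo.
sudoers_uses_ldap() {
    grep -Eq '^sudoers:.*[[:space:]]ldap([[:space:]]|$)' "${1:-/etc/nsswitch.conf}"
}

# is_rpm_config_file PACKAGE PATH
# True when the installed package lists PATH among its config files, which is
# the property the sudo.ws RPM lacks for /etc/sudo-ldap.conf.
is_rpm_config_file() {
    rpm -qc "$1" 2>/dev/null | grep -qx "$2"
}

# backup_before_upgrade PATH DEST_DIR
# Copies the live config aside (permissions preserved) and prints the copy's path.
backup_before_upgrade() {
    mkdir -p "$2" && cp -p "$1" "$2/$(basename "$1").pre-upgrade" \
        && echo "$2/$(basename "$1").pre-upgrade"
}

# restore_rpmsave PATH
# After the upgrade: if PATH is gone but PATH.rpmsave exists, copy it back and
# keep the .rpmsave as a spare. Prints kept / restored / absent.
restore_rpmsave() {
    conf=$1
    if [ -e "$conf" ]; then
        echo kept
    elif [ -e "$conf.rpmsave" ]; then
        cp -p "$conf.rpmsave" "$conf" && echo restored
    else
        echo absent
    fi
}

main() {
    conf=/etc/sudo-ldap.conf
    if ! sudoers_uses_ldap; then
        echo "sudoers lookups do not use ldap; nothing to protect"
        return 0
    fi
    if is_rpm_config_file sudo "$conf"; then
        echo "$conf is a config file of the installed sudo package"
    else
        echo "$conf is NOT tracked as config; an upgrade may leave only $conf.rpmsave"
    fi
    case "${1:-}" in
        pre)  backup_before_upgrade "$conf" /root/sudo-upgrade-backup ;;
        post) echo "$conf: $(restore_rpmsave "$conf")" ;;
        *)    echo "usage: $0 pre|post"; return 2 ;;
    esac
}

case "$0" in
    *sudo_ldap_conf_guard.sh) main "$@" ;;
esac
```

Run "sudo_ldap_conf_guard.sh pre" before "rpm -Uvh" of the sudo.ws package and "sudo_ldap_conf_guard.sh post" afterwards; on a host where nsswitch.conf reads "sudoers: files ldap" and the upgrade left only the .rpmsave, the post step reports "restored" and sudo's LDAP rules are back without a manual mv.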