[CentOS] CentOS 6 fix sudo CVE-2021-3156

Thu Jan 28 17:20:11 UTC 2021
Barry Brimer <lists at brimer.org>

I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine and the sudo functionality still works, but according to the test described in the Qualys advisory of running "sudoedit -s /" (without quotes), this system is still vulnerable.

My CentOS Linux 7 (x86_64), CentOS Linux 8 (x86_64), and CentOS Stream 8 (x86_64) VMs running the actual CentOS package do not appear vulnerable running this test.

Migrating the previously mentioned CentOS Linux 6 VM to Oracle Linux and running the same test shows the fully updated Oracle Linux 6 to be vulnerable as well.

Has anyone else tried this? Do your results match or differ from mine?


On January 28, 2021 9:15:47 AM UTC, James Pearson <james-p at moving-picture.com> wrote:
>Maxim Shpakov:
>> You can use Oracle Linux 6, it is still supported (till March 2021)
>Looks like Oracle's el6 sudo update is now available:
>* Tue Jan 26 2021 Qing Lin <qing.lin at oracle.com> -
>- backport the fix CVE-2021-3156.patch from ol7.
>James Pearson