I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine, the sudo functionality still works but according to the test described in the qualys advisory of running "sudoedit -s /” (without quotes) this system is still vulnerable.
My CentOS Linux 7 (x86_64), CentOS Linux 8 (x86_64), and CentOS Stream 8 (x86_64) VM running the actual CentOS package do not appear vulnerable running this test.
Migrating the previously mentioned CentOS Linux 6 vm to Oracle Linux and running the same test shows the fully updated Oracle Linux 6 to be vulnerable as well.
Has anyone else tried this? Do your results match or differ from mine?
Thanks,
Barry
On January 28, 2021 9:15:47 AM UTC, James Pearson <james-p@xxxxxxxxxxxxxxxxxx> wrote:
>Maxim Shpakov:
>>
>> You can use oracle linux 6 , it is still supported (till March 2021)
>
>Looks like Oracle's el6 sudo update is now available:
>
>https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.x86_64.rpm
>https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.i686.rpm
>http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm
>
>* Tue Jan 26 2021 Qing Lin <qing.lin@xxxxxxxxxx> -
>1.8.6p3-29.0.2.el6_10.3
>- backport the fix CVE-2021-3156.patch from ol7.
>
>James Pearson
>_______________________________________________
>CentOS mailing list
>CentOS@xxxxxxxxxx
>https://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
