CentOS 6 Fix Sudo CVE-2021-3156
Hi all, do you know if a fix for sudo CVE-2021-3156 is available for CentOS 6?
While CentOS 6 is not supported anymore, Red Hat has it under its paid support agreement (see:
https://access.redhat.com/security/vulnerabilities/RHSB-2021-002).
So I wonder if some community-packaged patch exists… Thanks.
is that what you expect to find?
https://access.redhat.com/errata/RHSA-2021:0227
Hi
You can use Oracle Linux 6; it is still supported (till March 2021).
But I don’t find this sudo update or the recent openssl update in their repos? Is this for paying customers only or what?
Simon
On 2021-01-27 09:34 Walter H. wrote:
Yes, something similar… Thanks.
I think it is just not released yet. OL6 is on support track still
CentOS-6 compatible packages are available from the official sudo webpage. It's a later version of sudo and I'm not sure if that will cause problems. I've tried installing it and so far, so good.
https://www.sudo.ws/download.html
Cheers, Christian.
Christian Anthon:
One minor problem – if you have sudo configured to use LDAP (using /etc/sudo-ldap.conf), then upgrading using the sudo.ws RPM will rename /etc/sudo-ldap.conf to /etc/sudo-ldap.conf.rpmsave and stop sudo working with LDAP.
Moving the original /etc/sudo-ldap.conf back fixes this – but it's a pity the sudo.ws RPM doesn't provide /etc/sudo-ldap.conf as a config file, which would prevent this from happening.
James Pearson
Maxim Shpakov:
Looks like Oracle’s el6 sudo update is now available:
https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.x86_64.rpm
https://yum.oracle.com/repo/OracleLinux/OL6/latest/i386/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.i686.rpm
http://oss.oracle.com/ol6/SRPMS-updates/sudo-1.8.6p3-29.0.2.el6_10.3.src.rpm
* Tue Jan 26 2021 Qing Lin – 1.8.6p3-29.0.2.el6_10.3
– backport the fix CVE-2021-3156.patch from ol7.
James Pearson
I just installed this on a previously fully updated CentOS Linux 6 (x86_64) VM. The package installed fine and the sudo functionality still works, but according to the test described in the Qualys advisory of running "sudoedit -s /" (without quotes) this system is still vulnerable.
My CentOS Linux 7 (x86_64), CentOS Linux 8 (x86_64), and CentOS Stream 8 (x86_64) VMs running the actual CentOS packages do not appear vulnerable when running this test.
Migrating the previously mentioned CentOS Linux 6 vm to Oracle Linux and running the same test shows the fully updated Oracle Linux 6 to be vulnerable as well.
Has anyone else tried this? Do your results match or differ from mine?
Thanks, Barry
Barry Brimer:
I guess that is a question to ask those that support OL6?
I noticed the same – but I don't know if running 'sudoedit -s /' is an absolute measure of the vulnerability being fixed?
There is definitely a 'CVE-2021-3156' patch that is applied in the SRPM …
I don't know of another way of testing if this build fixes the issue?
James Pearson
On 2021-01-28 19:17 James Pearson wrote:
According to the Qualys blog, sudoedit -s '\' `perl -e 'print "A" x 65536'`
should core-dump on vulnerable versions.
I just tried on stock 6.10 and it core-dumps, indeed. Upgrading to the OL6 sudo package fixes the issue, indeed (no more core dump).
So it seems to work fine to me. Thanks.
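Both checks that came up in this thread, the Qualys "sudoedit -s /" error-message test and the core-dump trigger, can be run side by side from one script so the results can be compared on a given box. The script below is an added example and is not from the thread, from Qualys or from the sudo project; it assumes sudoedit and perl are in PATH and that it is run as an unprivileged user, as the Qualys advisory describes for the "-s /" test. The two checks observe different things (the first whether sudoedit still accepts -s, the second whether the overflow actually crashes the process), which is why they can disagree on a backported package like the OL6 build discussed above; a non-crashing result on its own is not proof of a fix.

```shell
#!/bin/sh
# Added example (not from the thread): runs the two CVE-2021-3156 checks
# discussed above and classifies their results.
# Assumptions: sudoedit and perl are in PATH; run as an unprivileged user.

# Check 1 (Qualys advisory): `sudoedit -s /`.
# A vulnerable build accepts -s in sudoedit mode and fails later with a
# message starting "sudoedit:"; a patched build rejects -s with "usage:".
classify_sudoedit_output() {
    case "$1" in
        usage:*)    echo patched ;;
        sudoedit:*) echo vulnerable ;;
        *)          echo unknown ;;
    esac
}

# Check 2 (thread, after the Qualys blog): `sudoedit -s '\' AAAA...` with a
# 64 KiB argument. The shell reports death by signal as 128+signo, so
# 139 = SIGSEGV and 134 = SIGABRT both mean the heap overflow fired.
classify_crash_status() {
    if [ "$1" -ge 128 ]; then
        echo "vulnerable (killed by signal $(( $1 - 128 )))"
    else
        echo "no crash (exit $1; not proof of a fix, see check 1)"
    fi
}

run_checks() {
    echo "sudo package  : $(rpm -q sudo 2>/dev/null || sudo -V | head -1)"

    out=$(sudoedit -s / 2>&1)
    echo "check 1 (-s /) : $(classify_sudoedit_output "$out")"

    payload=$(perl -e 'print "A" x 65536')
    sudoedit -s '\' "$payload" >/dev/null 2>&1
    rc=$?
    echo "check 2 (crash): $(classify_crash_status "$rc")"
}

# Usage: sh check-cve-2021-3156.sh run
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it before and after installing the updated sudo RPM and keep both outputs; on a stock 6.10 box the expectation from this thread is "vulnerable" from check 1 and a signal-11 or signal-6 kill from check 2.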