Update sudo!

So, now news,
`sudo` had a very astonishing bug: you can gain access as superuser by specifying a negative user ID.
Now, first of all, no flame and no panic: this works only if you are allowed to run
A little more panic: many (Linux) distributions do configure the main user with an
`ALL` command alias, and therefore are vulnerable.

**Versions before `1.8.28` are affected, and therefore upgrades are required.**
I decided to have a look at my systems, to see how to upgrade.
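A quick way to run that check on several machines, as an added example that is not part of the original post: the script compares a sudo version string against `1.8.28`, including sudo's `pN` patch-level suffix. The function names and the `1.8.21p2` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify sudo versions against the fixed release named in the post.
FIXED="1.8.28"

# True (exit 0) when version $1 is older than version $2.
# Handles sudo's patch-level suffix, e.g. 1.8.21p2 < 1.8.28 < 1.8.28p1.
sudo_ver_lt() {
    awk -v a="$1" -v b="$2" '
    function key(v,    p, f) {
        p = 0
        if (match(v, /p[0-9]+$/)) {
            p = substr(v, RSTART + 1) + 0
            v = substr(v, 1, RSTART - 1)
        }
        split(v, f, ".")
        # Zero-padded fields make string order equal version order.
        return sprintf("%05d%05d%05d%05d", f[1], f[2], f[3], p)
    }
    BEGIN { exit !(key(a) < key(b)) }'
}

# Extract the version from the first line of `sudo -V` ("Sudo version 1.8.27").
sudo_ver_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9a-z.]*\).*$/\1/p'
}

# Print "affected", "fixed", or "unknown" (no version could be parsed).
sudo_status() {
    [ -n "$1" ] || { echo unknown; return 0; }
    if sudo_ver_lt "$1" "$FIXED"; then echo affected; else echo fixed; fi
}

# Versions mentioned in the post, plus one constructed patch-level sample.
for v in 1.8.23 1.8.27 1.8.28 1.8.21p2; do
    printf '%-10s %s\n' "$v" "$(sudo_status "$v")"
done

# The locally installed sudo, if there is one.
if command -v sudo >/dev/null 2>&1; then
    local_ver=$(sudo_ver_from_output "$(sudo -V 2>/dev/null)")
    printf '%-10s %s (local)\n' "${local_ver:-?}" "$(sudo_status "$local_ver")"
fi
```

Distribution packages sometimes carry backported fixes under an older upstream version number, so an `affected` result is a prompt to check the vendor's advisory for that package.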
Kubuntu

My Kubuntu machines were running
`1.8.23` (gosh!). Since I’m on Kubuntu 18.10 (not LTS!), it seems I cannot update it without upgrading my systems, and the page references that my distro is not affected while it is (obviously).
FreeBSD

My FreeBSD machines were running
`1.8.27`, truly the most updated version around all my systems. Issuing a
`pkg upgrade` offered me
`sudo` as an upgrade, so I got the new shiny version running.
Fedora

My Fedora 30 machine gets updated easily with the new version of `sudo`.

`1.8.23` and there’s no automatic upgrade.
Conclusions

Again, I’m not much impressed by the Ubuntu way of handling updates. And I’m positively impressed by how FreeBSD handles them precisely. I don’t have enough experience to judge Fedora or CentOS, but let’s say the former sounds to me a little better in this particular case.

So what do I have to do after all? Upgrade as many binaries as possible, or compile a new `sudo` version on my own! At least I got my system patched!