Sudo vulnerability

Pretty serious indeed. What's even worse is the triviality of the bug itself.

A frigging format string bug in a security tool. Come on...
 
FYI - looks like 7.x and 8.x use Sudo 1.6.9p20. Thus, they are unaffected.

eg:

Code:
%sudo -V
Sudo version 1.6.9p20
%uname -a
FreeBSD ns1.byrnecut.com.au 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
%


edit:
Ack. No, maybe that's not right. Sudo is a port, isn't it? I remember now that I added sudo as a package on that box. X.Y-RELEASE packages are updated regularly, or only the ports tree?


(The above box is actually on 8.2p4, but there was no kernel change and I run stock binaries on that box...)
 
It's security/sudo, so yes, it's a port and not part of the base OS. The newest version may have been 1.6.* at the time when 8.2 was released. However, if you had updated installed ports/packages like you should have, you would now have a 1.8.* version installed.
 
throAU said:
FYI - looks like 7.x and 8.x use Sudo 1.6.9p20. Thus, they are unaffected.
All versions of FreeBSD use the same ports tree. They could therefore all have a vulnerable sudo installed. The version of the base OS is irrelevant in this case.

X.Y-RELEASE packages are updated regularly, or only the ports tree?
The -RELEASE packages are never updated. The -STABLE packages however are regularly rebuilt from a current ports tree.
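Since the base OS version says nothing about the installed sudo port, the useful check is the port's own version string from `sudo -V`. The script below is an added example, not code from the thread or from the sudo project; the affected-range bounds it uses are placeholders and must be taken from the actual advisory.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides whether an installed sudo
# port is inside an affected version range, regardless of the FreeBSD release.
# The range bounds are PLACEHOLDERS: take the real ones from the sudo advisory.
VULN_FIRST="1.8.0"    # assumed lower bound, inclusive (placeholder)
VULN_LAST="1.8.3p1"   # assumed upper bound, inclusive (placeholder)

# Map "X.Y.ZpN" to one integer so versions compare numerically.
# "pN" is the patch level; a version with no "p" suffix has patch level 0.
sudo_vkey() {
    v="$1"; p=0
    case "$v" in
        *p*) p="${v##*p}"; v="${v%p*}" ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $v; IFS="$oldifs"   # split X.Y.Z on dots
    echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${p:-0} ))
}

# Pull "X.Y.ZpN" out of captured "sudo -V" output (first line: "Sudo version X.Y.ZpN").
sudo_version_from_output() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="Sudo" && $2=="version" {print $3}'
}

# True (exit 0) when version $1 lies within [VULN_FIRST, VULN_LAST].
sudo_is_affected() {
    k=$(sudo_vkey "$1"); lo=$(sudo_vkey "$VULN_FIRST"); hi=$(sudo_vkey "$VULN_LAST")
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# One-line verdict for a captured "sudo -V" output; exit 2 if it cannot be parsed.
sudo_report() {
    v=$(sudo_version_from_output "$1")
    [ -n "$v" ] || { echo "unparsed"; return 2; }
    if sudo_is_affected "$v"; then echo "$v affected"; else echo "$v not-affected"; fi
}

# Constructed samples in the shape the thread's "sudo -V" output shows
SAMPLE_OLD="Sudo version 1.6.9p20
Sudoers path: /usr/local/etc/sudoers"
SAMPLE_NEW="Sudo version 1.8.3p1
Sudoers path: /usr/local/etc/sudoers"

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do sudo_report "$s"; done
# On a real host: sudo_report "$(sudo -V 2>/dev/null)"
```

Note that the comparison treats the "pN" suffix as a patch level above the bare version (1.8.3 sorts below 1.8.3p1), which is how the port's versions are ordered.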
 