Sudo 1.8.20p2

Support for security such as Firewalls and securing linux
wvos
Posts: 3
Joined: 2016/04/08 12:42:59

Sudo 1.8.20p2

Post by wvos » 2017/06/03 23:44:52

When are we going to see sudo 1.8.20p2 in the repositories?

Yum is happy with version 1.8.6p7-20.el7.x86_64 from 2013.
There is at least one security issue ( CVE-2017-1000367 ) with this old version.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudo 1.8.20p2

Post by TrevorH » 2017/06/04 00:38:37

Bzzzt, wrong.

$ rpm -q sudo
sudo-1.8.6p7-22.el7_3.x86_64
$ rpm -q --changelog sudo | less
* Mon May 29 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.6p7-22
- Fixes CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing [rhel-7.3.z]
  Resolves: rhbz#1455401
...
Please read https://access.redhat.com/security/updates/backporting
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

wvos
Posts: 3
Joined: 2016/04/08 12:42:59

Re: Sudo 1.8.20p2

Post by wvos » 2017/06/04 23:35:57

Interesting (and confusing as stated in that article).

Is there a reason why we need to stick with 1.8.6 and not just upgrade to 1.8.20 ?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudo 1.8.20p2

Post by TrevorH » 2017/06/05 06:07:23

Because that's the one we supply and upgrading to 1.8.20 will stop you from getting future updates from us since they would also be 1.8.6-xy and would not be greater than 1.8.20.
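An added example, not code from this thread or from CentOS/Red Hat: a small Python re-implementation of RPM's version ordering (tilde and caret handling omitted, an assumption) plus a changelog lookup. It shows the two points made above: a backported 1.8.6p7-22 build counts as fixed for CVE-2017-1000367, and an upstream 1.8.20p2 install would sort above every future 1.8.6p7-xy update, so yum would never replace it. The first changelog entry is the one quoted in the thread; the second is constructed.

```python
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1. Digit runs compare numerically,
    letter runs lexically, a digit run beats a letter run, and when one
    string runs out of segments the longer one wins. (No ~ or ^ handling.)"""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd and int(x) != int(y):
            return 1 if int(x) > int(y) else -1
        if not xd and x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional, defaults to 0)."""
    epoch, sep, rest = evr.rpartition(":")
    epoch = epoch if sep else "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings the way yum/rpm orders packages."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


# Constructed excerpt of `rpm -q --changelog sudo`; first entry is from the thread.
CHANGELOG = """\
* Mon May 29 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.6p7-22
- Fixes CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing [rhel-7.3.z]
  Resolves: rhbz#1455401
* Mon Apr 10 2017 Example Maintainer <maintainer@example.invalid> - 1.8.6p7-21
- constructed earlier entry, no CVE fixes
"""


def fixed_in(changelog: str, cve: str):
    """Return the version-release of the newest changelog entry naming cve, else None."""
    current = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            current = line.rsplit(" - ", 1)[-1].strip()
        elif cve in line and current:
            return current
    return None


def backport_covers(installed_evr: str, changelog: str, cve: str) -> bool:
    """True if the installed build is at or above the build that fixed cve."""
    fix = fixed_in(changelog, cve)
    return fix is not None and evr_cmp(installed_evr, fix) >= 0
```

`installed_evr` is the package string without name and arch, e.g. `1.8.6p7-22.el7_3` from `sudo-1.8.6p7-22.el7_3.x86_64`.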

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Sudo 1.8.20p2

Post by jlehtone » 2017/06/05 19:54:18

wvos wrote: Interesting (and confusing as stated in that article).

Is there a reason why we need to stick with 1.8.6 and not just upgrade to 1.8.20?

Do you ask why Red Hat backports rather than upgrades? In the same article:

Red Hat wrote: For most products, our default practice is to backport security fixes, but we do sometimes provide version updates for some packages after careful testing and analysis. These are likely to be packages that have no interaction with others, or those used by an end-user, such as web browsers and instant messaging clients.

Back in time, the latest and greatest bells and whistles did look awesome. However, after a time the jewels cease to sparkle, the gold loses its luster, and a stable system starts to beckon.
