
I tried to patch the new sudo vulnerability as described in https://access.redhat.com/security/vulnerabilities/RHSB-2021-002

I'm getting the following error.

```
# stap -g sudoedit-block.stap
Checking "/lib/modules/3.10.0-1062.9.1.el7.x86_64/build/.config" failed with error: No such file or directory
Incorrect version or missing kernel-devel package, use: yum install kernel-devel-3.10.0-1062.9.1.el7.x86_64
```

However that package is not available. This is on CentOS 7.

```
# yum install kernel-devel-3.10.0-1062.9.1.el7.x86_64
Loaded plugins: auto-update-debuginfo, fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* epel: mirror.its.dal.ca
* epel-debuginfo: mirror.its.dal.ca
No package kernel-devel-3.10.0-1062.9.1.el7.x86_64 available.
```

What's the path forward in protecting against this vulnerability?

360man

1 Answer


I strongly suggest installing the new sudo package as recommended in the bulletin that you linked to.

I believe https://access.redhat.com/errata/RHSA-2021:0221 is the relevant errata entry for RHEL 7, noting the release of sudo-1.8.23-10.el7_9.1.x86_64.rpm.

Håkan Lindqvist
  • How could you tell I was using CentOS? I installed the latest sudo yum package, but the CVE checker script says it's still not protected. `Detected 'sudo' package: sudo-1.8.23-10.el7.x86_64 This sudo version is vulnerable.` – 360man Jan 27 '21 at 23:56
  • @MichaelHampton Ah, I did pick the wrong errata entry. Updated. – Håkan Lindqvist Jan 27 '21 at 23:57
  • @360man Right, if this is about CentOS, I assume there will be a package available relatively soon there as well. Maybe add a note about that particular situation to the question? – Håkan Lindqvist Jan 28 '21 at 00:00
  • @360man My last CentOS 7 system (almost everything is on 8 now) already picked up the update, so your local mirror probably doesn't have it yet. Give it 24 hours. – Michael Hampton Jan 28 '21 at 00:01
  • @MichaelHampton Did you run the CVE checker script that they provide at the bottom of the page? – 360man Jan 28 '21 at 00:03
  • @360man I didn't need to. I could see the package version number already. And it was in the changelog. But just for your curiosity the script says: "Detected 'sudo' package: sudo-1.8.23-10.el7_9.1.x86_64 This sudo version is not vulnerable." in pleasant green text. – Michael Hampton Jan 28 '21 at 00:07
  • @360man Maybe a simple `yum update --refresh` is all you need? – Håkan Lindqvist Jan 28 '21 at 00:40
  • `Command line error: no such option: --refresh` – 360man Jan 28 '21 at 01:09
  • @MichaelHampton Which repo has that package? I just tried to update sudo and it didn't find a newer version. – 360man Jan 28 '21 at 19:18
  • @360man http://mirror.centos.org/centos/7/updates/x86_64/Packages/ or any mirror. I.e., normal CentOS updates repo. – Håkan Lindqvist Jan 28 '21 at 20:08
  • @360man At this point you should check your system to ensure that you are actually using official CentOS repos and not some third party mirrors. All official mirrors should have it already. – Michael Hampton Jan 28 '21 at 20:28
  • One of my repo files has `baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/` in it, would that contain it? Is it possible that this is being skipped? – 360man Jan 29 '21 at 18:26
  • @360man The question is if you have one that says `http://mirror.centos.org/centos/$releasever/updates/$basearch/` or something along those lines? – Håkan Lindqvist Jan 29 '21 at 18:38
  • The closest thing I have to that is `baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/` – 360man Jan 29 '21 at 21:10
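
The two builds quoted in this thread share the upstream version 1.8.23; the fix is a backport that shows up only in the release field (`10.el7` versus `10.el7_9.1`). The following is an added example, not part of the original thread or of Red Hat's checker script, showing how that ordering can be evaluated from `rpm -q sudo` output. The function names are hypothetical, and the comparison is a simplified form of RPM's ordering that assumes equal epochs and no `~` or `^` modifiers.

```python
import re

# Fixed build named in the answer (RHSA-2021:0221); valid for el7 packages only.
FIXED_EL7 = "sudo-1.8.23-10.el7_9.1.x86_64"


def split_nvra(nvra):
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def segment_cmp(a, b):
    """Compare two version or release strings the way RPM orders them.

    Simplification (assumption): '~' and '^' modifiers are not handled,
    which is enough for the el7 sudo builds discussed here.
    """
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)  # separators such as '.' and '_' are ignored
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)  # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def is_patched(installed, fixed=FIXED_EL7):
    """True if `installed` is the same package at or above the fixed build."""
    name_i, ver_i, rel_i, _ = split_nvra(installed)
    name_f, ver_f, rel_f, _ = split_nvra(fixed)
    if name_i != name_f:
        raise ValueError("different package: %s vs %s" % (name_i, name_f))
    # Epoch is not part of `rpm -q` output; assumed equal on both sides.
    return (segment_cmp(ver_i, ver_f) or segment_cmp(rel_i, rel_f)) >= 0


if __name__ == "__main__":
    for pkg in ("sudo-1.8.23-10.el7.x86_64", "sudo-1.8.23-10.el7_9.1.x86_64"):
        print(pkg, "->", "patched" if is_patched(pkg) else "needs update")
```
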