[Important] [Security] Fix for a vulnerability in sudo, CVE-2021-3156, for Virtuozzo Hybrid Server 7.x and Virtuozzo 6
Issue date: 2021-01-27
Applies to: Virtuozzo 6.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5
Virtuozzo Advisory ID: VZA-2021-004
1. Overview
The update fixes the vulnerability in sudo registered as CVE-2021-3156. The new sudo packages are available for Virtuozzo Hybrid Server 7.x and Virtuozzo 6.
2. Security Fixes
[Important] A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3156)
3. Installing the Update
Install the update with ‘yum update’.
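To confirm the update took effect, the installed sudo build can be compared with the fixed builds named in the package URLs under References. The script below is an added example, not part of the Virtuozzo advisory: it is a simplified rpm-style version comparison (no epoch, `~` or `^` handling), and the function names and the `FIXED_BUILD` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: is the installed sudo build at or above the fixed build?
# Fixed builds are taken from the package names under References.

# rpm-style comparison of one version or release string; prints -1, 0 or 1.
# Simplified: digit runs compare numerically, letter runs as strings,
# separators are skipped; epoch, "~" and "^" are not handled.
vercmp() {
  LC_ALL=C awk -v a="$1" -v b="$2" 'BEGIN {
    while (1) {
      sub(/^[^A-Za-z0-9]+/, "", a); sub(/^[^A-Za-z0-9]+/, "", b)
      if (a == "" || b == "") break
      num = (a ~ /^[0-9]/)
      re = num ? "^[0-9]+" : "^[A-Za-z]+"
      match(a, re); sa = substr(a, 1, RLENGTH); a = substr(a, RLENGTH + 1)
      # A digit run is newer than a letter run at the same position.
      if (!match(b, re)) { print (num ? 1 : -1); exit }
      sb = substr(b, 1, RLENGTH); b = substr(b, RLENGTH + 1)
      if (num) { sa += 0; sb += 0 }
      if (sa != sb) { print (sa < sb ? -1 : 1); exit }
    }
    # Whichever string still has segments left is the newer one.
    print (a == "" ? (b == "" ? 0 : -1) : 1)
  }'
}

# Compare VERSION-RELEASE strings: version first, then release.
evr_cmp() {
  r=$(vercmp "${1%-*}" "${2%-*}")
  [ "$r" -ne 0 ] || r=$(vercmp "${1##*-}" "${2##*-}")
  echo "$r"
}

# Exit status 0 when INSTALLED ($1) is at or above FIXED ($2).
sudo_is_fixed() {
  [ "$(evr_cmp "$1" "$2")" -ge 0 ]
}

# On a host with rpm: check the installed package against the fixed build.
# FIXED_BUILD is a hypothetical override; set it to 1.8.6p3-29.vl6.4 on Virtuozzo 6.
if command -v rpm >/dev/null 2>&1 && rpm -q sudo >/dev/null 2>&1; then
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' sudo)
  fixed=${FIXED_BUILD:-1.8.23-10.vl7.1}
  if sudo_is_fixed "$installed" "$fixed"; then
    echo "sudo $installed: at or above fixed build $fixed"
  else
    echo "sudo $installed: older than $fixed, update still required"
  fi
fi
```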
4. References
http://repo.virtuozzo.com/vzlinux/6/x86_64/updates/Packages/s/sudo-1.8.6p3-29.vl6.4.x86_64.rpm
http://repo.virtuozzo.com/vzlinux/7/x86_64/os/Packages/s/sudo-1.8.23-10.vl7.1.x86_64.rpm
The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-004.json.