Heap-based buffer overflow in Sudo vulnerability - sudo version impacted?

The list of versions you’re looking at only documents versions of sudo released by the sudo project itself. Distributions such as Ubuntu typically add patches to address such security vulnerabilities, instead of upgrading to the latest version of sudo.

To determine whether your version is affected, you need to look at the security information provided by your distribution; in this instance, the relevant notice is USN-4705-1, which indicates that your version is fixed.

You can also look at the package changelog, in /usr/share/doc/sudo/changelog.Debian.gz; this should list the CVEs addressed by the version currently installed on your system (if any):

  * SECURITY UPDATE: dir existence issue via sudoedit race
    - debian/patches/CVE-2021-23239.patch: fix potential directory existing
      info leak in sudoedit in src/sudo_edit.c.
    - CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2021-3156-pre1.patch: check lock record size in
      plugins/sudoers/timestamp.c.
    - debian/patches/CVE-2021-3156-pre2.patch: sanity check size when
      converting the first record to TS_LOCKEXCL in
      plugins/sudoers/timestamp.c.
    - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
      MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
    - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
      plugin in plugins/sudoers/policy.c.
    - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
      when unescaping backslashes in plugins/sudoers/sudoers.c.
    - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
      converting a v1 timestamp to TS_LOCKEXCL in
      plugins/sudoers/timestamp.c.
    - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
      allocated as a single flat buffer in src/parse_args.c.
    - CVE-2021-3156