Upgrade sudo to version 1.9.5p2 due to CVE-2021-3156 vulnerability
This vulnerability was mitigated by the Ubuntu Security Team on 19 January 2021.
See https://ubuntu.com/security/CVE-2021-3156.
sudo 1.8.31 was patched, which is the normal way of handling most CVEs. The Ubuntu 20.04 package was bumped from 1.8.31-1ubuntu1.1 to 1.8.31-1ubuntu1.2 due to the patches. The 20.04 package won't be upgraded to 1.9.x.
Most users already have the patched version installed: Security updates are automatically detected and installed by your Ubuntu system's Unattended Upgrades application without any user action needed.
How to determine if you are using the patched package: Since this was a patch instead of a new upstream release, sudo --version will merely (and correctly) return 1.8.31, which won't help you. Instead, use apt. Here's an example using apt list. Note that the NEW package version (1.8.31-1ubuntu1.2) is installed.
$ apt list sudo
Listing... Done
sudo/focal-updates,focal-security,now 1.8.31-1ubuntu1.2 amd64 [installed]
To check whether sudo is vulnerable to CVE-2021-3156, the maintainers recommend doing:
sudoedit -s '\' `perl -e 'print "A" x 65536'`
If sudo is patched, it will respond with an error that starts with “usage:”.
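As an added example (not part of the answer above), the following POSIX shell script automates both checks the answer describes for Ubuntu 20.04: it pulls the installed sudo version out of `apt list sudo` output and compares it against the fixed package version, and it runs the sudoedit probe and classifies the first line it prints. The fixed version string and the sample apt output are copied from the answer; the function names are this example's own. Run the probe as an unprivileged user. Since the answer only documents the patched response ("usage:"), any other reply is reported as suspect rather than declared safe.

```shell
#!/bin/sh
# Added example, not part of the answer above: automate the two checks the
# answer describes for Ubuntu 20.04 (focal).
#   1. Read the installed sudo package version out of `apt list sudo` output
#      and compare it with the fixed version named in the answer.
#   2. Run the sudoedit probe from the answer and classify its first line.
# Function names are this example's own; the version threshold is the focal one.

FIXED_FOCAL_VERSION='1.8.31-1ubuntu1.2'

# Constructed sample of `apt list sudo` output (copied from the answer) so the
# parsing can be exercised offline.
SAMPLE_APT_LIST='Listing... Done
sudo/focal-updates,focal-security,now 1.8.31-1ubuntu1.2 amd64 [installed]'

# Print the installed version from `apt list sudo` output: the second field of
# the first line whose package is "sudo/..." and whose last field is [installed...].
installed_version_from_apt_list() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^sudo\// && $NF ~ /^\[installed/ { print $2; exit }'
}

# Succeed when Debian version $1 is >= version $2. dpkg is the authoritative
# comparator; the sort -V fallback is adequate for plain "1.8.31-1ubuntu1.N"
# strings but does not understand epochs or tildes.
version_at_least() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# "patched" when the installed version is at or above the focal fix,
# "vulnerable" when older, "unknown" when no installed sudo line was found.
package_status() {
    ver=$(installed_version_from_apt_list "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif version_at_least "$ver" "$FIXED_FOCAL_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Classify the first line printed by the probe: a patched sudo rejects the
# argument with a "usage:" message. The answer documents only that response,
# so anything else is reported as suspect rather than safe.
classify_probe_output() {
    case "$1" in
        usage:*) echo patched ;;
        *)       echo suspect ;;
    esac
}

# Run the probe exactly as given in the answer (as an unprivileged user).
# Skipped when sudoedit or perl is not installed.
run_probe() {
    if ! command -v sudoedit >/dev/null 2>&1 || ! command -v perl >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    first_line=$(sudoedit -s '\' "$(perl -e 'print "A" x 65536')" 2>&1 </dev/null | head -n 1)
    classify_probe_output "$first_line"
}

main() {
    # Use the live listing when apt is present, otherwise the constructed sample.
    if command -v apt >/dev/null 2>&1; then
        listing=$(apt list sudo 2>/dev/null)
    else
        listing=$SAMPLE_APT_LIST
    fi
    echo "package check:  $(package_status "$listing")"
    echo "sudoedit probe: $(run_probe)"
}

main "$@"
```

The package check is the reliable one: the probe depends on what a particular build prints, whereas the version comparison is what apt itself uses to decide whether the security update is installed. On releases other than 20.04, substitute the fixed version from the USN for that release.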