Update sudo, Potential bypass of Runas user restrictions
Posted: Tue Oct 15, 2019 4:33 am
by Kulmbacher
pls have a look at
https://www.sudo.ws/alerts/minus_1_uid.html
Sudo versions prior to 1.8.28 are affected
sudo vers. MX 18.3, 1.18.19
Re: Update sudo, Potential bypass of Runas user restrictions
Posted: Tue Oct 15, 2019 5:18 am
by BitJam
Thanks Kulmbacher!
It seems the vulnerability is that a user who is allowed to run commands as any user other than root can also run commands as root. I don't think this is significant for desktop systems like MX where the main reason for using sudo is to allow a normal user to run commands as root. A proof of concept is:
This should display -1 but it displays 0 showing that the id command was run as root. But on our systems we are allowed to run commands as root directly:
So this does not really affect us. It does not make our system less safe because, for us, it is not even a privilege escalation. We've had to react to a number of serious vulnerabilities over the past couple of years including Spectre, Meltdown and others. Thank goodness this is not another one.
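A defender's check for the condition described in the post above, as an added example that is not part of the thread: it flags sudoers rules whose Runas list grants ALL users but excludes root, and tests a version string against the 1.8.28 threshold given in the first post. The function names and the sample sudoers text are constructed for illustration, and the parser assumes one rule per line (it does not expand Runas_Alias, line continuations or included files).

```python
import re

FIXED = (1, 8, 28)  # "versions prior to 1.8.28 are affected" (first post)

def parse_version(text):
    """Extract a comparable tuple from e.g. 'Sudo version 1.8.19p1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected_version(text):
    return parse_version(text) < FIXED

# Matches the Runas user list in:  user host = (users[:groups]) commands
RUNAS = re.compile(r"=\s*\(([^):]*)(?::[^)]*)?\)")
ROOT_EXCLUSIONS = {"!root", "!#0"}

def risky_runas_rules(sudoers_text):
    """Return (line_number, line) for rules shaped like (ALL, !root)."""
    hits = []
    for number, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and #include lines
            continue
        for match in RUNAS.finditer(line):
            users = {u.replace(" ", "") for u in match.group(1).split(",")}
            if "ALL" in users and users & ROOT_EXCLUSIONS:
                hits.append((number, line))
                break
    return hits

# Constructed sample, not taken from any real system.
SAMPLE = """\
# constructed sudoers sample
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   myhost = (ALL, !root) /usr/bin/vi
bob     ALL=(www-data) /usr/bin/systemctl
carol   ALL=(ALL,!#0) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for number, line in risky_runas_rules(SAMPLE):
        print(f"line {number}: root exclusion relies on a fixed sudo: {line}")
    print("1.8.19p1 affected:", is_affected_version("Sudo version 1.8.19p1"))
```

A rule like `%sudo ALL=(ALL:ALL) ALL` is not flagged because it already grants root, which is the situation the post describes for MX.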
Re: Update sudo, Potential bypass of Runas user restrictions
Posted: Tue Oct 15, 2019 6:20 am
by jackdanielsesq
Thanks Bitjam
Saw this early this AM, now there appears to be a Deb update ?
Your advice, please Sir
Regards
Jack
BitJam wrote: Tue Oct 15, 2019 5:18 am
So this does not really affect us. It does not make our system less safe because, for us, it is not even a privilege escalation. We've had to react to a number of serious vulnerabilities over the past couple of years including Spectre, Meltdown and others. Thank goodness this is not another one.
Re: Update sudo, Potential bypass of Runas user restrictions
Posted: Tue Oct 15, 2019 6:29 am
by asqwerth
Debian is still providing support for Stretch until 2022.
Re: Update sudo, Potential bypass of Runas user restrictions
Posted: Tue Oct 15, 2019 6:36 am
by BitJam
Keep calm and carry on. This vulnerability does not make a normal MX system less secure.
I'm glad Kulmbacher brought it to our attention because we have had some really terrible vulnerabilities not too long ago.
Re: Update sudo, Potential bypass of Runas user restrictions
Posted: Wed Oct 16, 2019 4:39 am
by Kulmbacher
Meanwhile I read this German article (BitJam's words ;-)
https://www.linux-magazin.de/news/siche ... e-in-sudo/
The first article I read was a bit of a sensational Linux vulnerability version ...