https://www.qualys.com/2021/01/26/cv...rflow-sudo.txt
And before anyone asks, YES this does impact Untangle. But you aren't supposed to have anyone SSH'ing into the thing so it doesn't matter.
Patches are already in the Debian repo.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
NGFW does not use sudo.
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
It's still installed, on every single box I have. Again, not a real problem because to exploit this bug you have to have an SSH login first. And since that means you've got web admin access for Untangle, the fight is already lost.
Code:
Last login: Fri Jan 8 09:56:47 2021 from 174.79.53.76
[root @ untangle] ~ # dpkg -l | grep sudo
ii  sudo  1.8.27-1+deb10u2  amd64  Provide limited super user privileges to specific users
[root @ untangle] ~ #
So even if the unpatched sudo remains, it's no additional risk for Untangle.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
DO NOT DO THIS
But to manually patch
Code:
cd /tmp
wget https://debian.sipwise.com/debian-security/pool/main/s/sudo/sudo_1.8.27-1+deb10u3_amd64.deb
dpkg -i sudo_1.8.27-1+deb10u3_amd64.deb
To validate before and after:
Before: if you run "sudoedit -s /" you will get the response "sudoedit: /: not a regular file"
After: you will get "usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file"
Again, DON'T DO IT, IT IS UNSUPPORTED
Last edited by WebFooL; 01-27-2021 at 12:59 PM.
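The two checks the thread gives (the dpkg package version and the "sudoedit -s /" response) can be combined into one small audit script. This is an added example, not code from WebFooL or from Untangle; it assumes a Debian buster box where the fixed package version is the 1.8.27-1+deb10u3 named above, and it only reports state, it does not install anything.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a Debian buster host
# still carries the unpatched sudo, using the two checks given in the thread.

# Fixed package version on buster, as named in the thread above.
FIXED_SUDO_VERSION="1.8.27-1+deb10u3"

# Interpret the first line of "sudoedit -s /" output.
# Prints "unpatched", "patched" or "unknown".
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo "unpatched" ;;
        usage:*)                echo "patched" ;;
        *)                      echo "unknown" ;;
    esac
}

# True (exit 0) when the installed version is at or above the fixed one.
# Uses dpkg's own version ordering when dpkg exists; otherwise falls back
# to an exact string match so the script still runs on non-Debian hosts.
sudo_version_is_fixed() {
    installed="$1"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$installed" ge "$FIXED_SUDO_VERSION"
    else
        [ "$installed" = "$FIXED_SUDO_VERSION" ]
    fi
}

# Live check; only meaningful on a real Debian box with sudo installed.
check_host() {
    ver=$(dpkg-query -W -f='${Version}' sudo 2>/dev/null) || ver=""
    if [ -n "$ver" ] && sudo_version_is_fixed "$ver"; then
        echo "sudo $ver: package version at or above $FIXED_SUDO_VERSION"
    else
        echo "sudo ${ver:-not found}: below fixed version or unknown"
    fi
    # sudoedit writes its message to stderr; capture both streams, first line only.
    out=$(sudoedit -s / 2>&1 | head -n 1)
    echo "sudoedit check: $(classify_sudoedit_output "$out")"
}

# Run the live check only when asked to, so the functions can be sourced.
if [ "${RUN_SUDO_CHECK:-0}" = "1" ]; then
    check_host
fi
```

Run it as `RUN_SUDO_CHECK=1 sh sudo-check.sh` on the box; a host that prints "unpatched" for the sudoedit line is still on the old package, whatever the version string says.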
Another incident to prove Untangle should be using apt. There are ways to prevent updating the packages you modify.
Untangle is using apt... what are you talking about?
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Nope, as this problem does not affect Untangle. While sudo package is there, it's not used in a way to be affected.
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
Yeah I didn't put this here to beat up Untangle. Yes, vulnerable software is on Untangle, but since you have to log in to either the web ui or ssh to take advantage of that fact, it's irrelevant.
Untangle servers that have a login lost are GONE. They aren't multi-user systems for normal users to break the sandbox. This notice is here to remind people to update their junk. Untangle doesn't really matter, and will take care of itself soon enough anyway.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Untangle may be using apt, but security fixes are delayed until the next update from them. Updates are rolled out slowly, as I am sure you know. So security updates also roll out slower than is possible. Also, many don't upgrade for months or years.
If we were allowed to run apt we would already have this and other security updates. As it is now, we will need to wait for 16.3, and 16.2 has not rolled out to many yet.
The only good news is that sudo is not that affected for Untangle? What about dnsmasq?
Last edited by donhwyo; 01-28-2021 at 07:40 AM.
What about it?
My Untangle has dnsmasq 2.80-1 installed, that's current for Debian as indicated here: https://packages.debian.org/buster/dnsmasq
Untangle uses APT, it's also its own OS and yes Untangle has control over their repos. But, as you saw above in this thread if you REALLY want to patch it yourself it's actually pretty trivial to do so. What you want, is Untangle to do it FOR YOU. While they're making a different decision based on their own uses and data.
It's open source, put on your big boy pants and learn how to manage your own Debian-ish installations.
But in regards to the recent dnsmasq issues, no patch has been made available by the Debian maintainers; once they do, Untangle will push it.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com