  1. #1 sky-knight (Untangle Ninja)

    Calling all *nix Admins -PATCH YOUR CRAP-

    https://www.qualys.com/2021/01/26/cv...rflow-sudo.txt

    And before anyone asks, YES this does impact Untangle. But you aren't supposed to have anyone SSH'ing into the thing so it doesn't matter.

    Patches are already in the Debian repo.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #2 jcoffin (Untangler)

    NGFW does not use sudo.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3 sky-knight (Untangle Ninja)

    Code:
    Last login: Fri Jan  8 09:56:47 2021 from 174.79.53.76
    [root @ untangle] ~ # dpkg -l | grep sudo
    ii  sudo                                               1.8.27-1+deb10u2                                                     amd64        Provide limited super user privileges to specific users
    [root @ untangle] ~ #

    It's still installed, on every single box I have. Again, not a real problem because to exploit this bug you have to have an SSH login first. And since that means you've got web admin access for Untangle the fight is already lost.

    So even if the unpatched sudo remains, it's no additional risk for Untangle.

  4. #4 WebFooL (Untangle Ninja)

    DO NOT DO THIS
    But to manually patch:
    Code:
    cd /tmp
    wget https://debian.sipwise.com/debian-security/pool/main/s/sudo/sudo_1.8.27-1+deb10u3_amd64.deb
    dpkg -i sudo_1.8.27-1+deb10u3_amd64.deb

    To validate before and after:
    Before: if you run "sudoedit -s /" you will get the response "sudoedit: /: not a regular file"
    After: you will get "usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file"

    Again, DON'T DO IT, IT IS UNSUPPORTED
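
A defender-side wrapper for the before/after probe WebFooL gives above, as an added example that is not part of this thread or of Untangle's own tooling: it classifies the sudoedit response using the two strings quoted in the post and, on a Debian host with dpkg, compares the installed sudo package version against the 1.8.27-1+deb10u3 build named above (the function names are mine).

```shell
#!/bin/sh
# Added example, not code from the thread or from Untangle. Wraps the
# "sudoedit -s /" probe WebFooL quotes above and compares the installed Debian
# sudo version with the fixed buster build the thread names. Assumes dpkg.

# Classify the probe's first output line using the two strings quoted in the
# post: a vulnerable sudoedit complains about the path, a patched one rejects
# the -s flag with its usage text before touching the file.
classify_sudoedit_output() {
    case "$1" in
        *"not a regular file"*) echo vulnerable ;;
        *"usage: sudoedit"*)    echo patched ;;
        *)                      echo unknown ;;
    esac
}

FIXED_SUDO_VERSION="1.8.27-1+deb10u3"   # from the thread; buster build

# Installed version of the sudo package, or empty if it is not installed.
installed_sudo_version() {
    dpkg-query -W -f '${Version}' sudo 2>/dev/null
}

# dpkg's comparator orders "+deb10u2" before "+deb10u3"; plain string or
# numeric comparison of Debian version strings does not guarantee that.
sudo_version_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_SUDO_VERSION"
}

# Live probe: sudoedit writes diagnostics to stderr, so both streams are
# captured; stdin is closed so it can never block on a password prompt.
probe_sudoedit() {
    out=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    classify_sudoedit_output "$out"
}

main() {
    command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not present"; return 0; }
    echo "probe result: $(probe_sudoedit)"
    ver=$(installed_sudo_version)
    [ -n "$ver" ] || { echo "sudo package not installed"; return 0; }
    if sudo_version_is_fixed "$ver"; then
        echo "package: sudo $ver (fixed version or later)"
    else
        echo "package: sudo $ver (older than $FIXED_SUDO_VERSION)"
    fi
}

# Only run the live checks when invoked explicitly: sh check_sudo.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh check_sudo.sh --run` on the box you want to check; the probe is exactly the command quoted in the post and the package check is read-only.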

  5. #5 Untangle Ninja

    Another incident to prove Untangle should be using apt. There are ways to prevent updating the packages you modify.

  6. #6 sky-knight (Untangle Ninja)

    Untangle is using apt... what are you talking about?

  7. #7 jcoffin (Untangler)

    Nope, as this problem does not affect Untangle. While the sudo package is there, it's not used in a way that would be affected.

  8. #8 sky-knight (Untangle Ninja)

    Yeah I didn't put this here to beat up Untangle. Yes, vulnerable software is on Untangle, but since you have to log in to either the web ui or ssh to take advantage of that fact, it's irrelevant.

    Untangle servers that have had a login lost are GONE. They aren't multi-user systems where normal users could break out of the sandbox. This notice is here to remind people to update their junk. Untangle doesn't really matter, and will take care of itself soon enough anyway.

  9. #9 donhwyo (Untangle Ninja)

    Untangle may be using apt, but security fixes are delayed until the next update from them. Updates are rolled out slowly, as I am sure you know. So security updates also roll out slower than is possible. Also, many don't upgrade for months or years.

    If we were allowed to run apt we would already have this and other security updates. As it is now we will need to wait for 16.3, and 16.2 has not rolled out to many yet.
    The only good news is that sudo is not that affected for Untangle? What about dnsmasq?
    Last edited by donhwyo; 01-28-2021 at 07:40 AM.

  10. #10 sky-knight (Untangle Ninja)

    What about it?

    My Untangle has dnsmasq 2.80-1 installed, that's current for Debian as indicated here: https://packages.debian.org/buster/dnsmasq

    Untangle uses APT, it's also its own OS and yes Untangle has control over their repos. But, as you saw above in this thread if you REALLY want to patch it yourself it's actually pretty trivial to do so. What you want, is Untangle to do it FOR YOU. While they're making a different decision based on their own uses and data.

    It's open source, put on your big boy pants and learn how to manage your own Debian-ish installations.

    But in regards to the recent dnsmasq issues, no patch has been made available by the Debian maintainers, once they do... Untangle will push it.
