Calling all *nix Admins -PATCH YOUR CRAP-

[sky-knight]

https://www.qualys.com/2021/01/26/cv...rflow-sudo.txt

And before anyone asks, YES this does impact Untangle. But you aren't supposed to have anyone SSH'ing into the thing so it doesn't matter.

Patches are already in the Debian repo.

[jcoffin]

NGFW does not use sudo.

[sky-knight]

Code:

Last login: Fri Jan  8 09:56:47 2021 from 174.79.53.76
[root @ untangle] ~ # dpkg -l | grep sudo
ii  sudo                                               1.8.27-1+deb10u2                                                     amd64        Provide limited super user privileges to specific users
[root @ untangle] ~ #

It's still installed, on every single box I have. Again, not a real problem because to exploit this bug you have to have an SSH login first. And since that means you've got web admin access for Untangle the fight is already lost.

So even if the unpatched sudo remains, it's no additional risk for Untangle.

[WebFooL]

DO NOT DO THIS
But to manually patch

Code:

cd /tmp
wget https://debian.sipwise.com/debian-security/pool/main/s/sudo/sudo_1.8.27-1+deb10u3_amd64.deb
dpkg -i sudo_1.8.27-1+deb10u3_amd64.deb

To validate before and after
Before: if you run "sudoedit -s /" you will get the response "sudoedit: /: not a regular file"
After: you will get "usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file"


Again DONT DO IT IS UNSUPPORTED

[donhwyo]

Another incident to prove Untangle should be using apt. There are ways to prevent updating the packages you modify.

[sky-knight]

Untangle is using apt... what are you talking about?

[jcoffin]

Nope, as this problem does not affect Untangle. While sudo package is there, it's not used in a way to be affected.

[sky-knight]

Yeah I didn't put this here to beat up Untangle. Yes, vulnerable software is on Untangle, but since you have to log in to either the web ui or ssh to take advantage of that fact, it's irrelevant.

Untangle servers that have a login lost are GONE. They aren't multi-user systems for normal users to break the sandbox. This notice is here to remind people to update their junk. Untangle doesn't really matter, and will take care of itself soon enough anyway.

[donhwyo]

Untangle may be using apt but security fixes are delayed until the next update from them. Updates are rolled out slowly as I am sure you know. So security updates also roll out slower than is possible. Also many don't upgrade for months or years.

Allowing us to run apt we would already have this and other security updates. As it is now we will need to wait for 16.3 and 16.2 has not rolled out to many yet.
The only good news is that sudo is not that effected for Untangle? What about dnsmask?

[sky-knight]

What about it?

My Untangle has dnsmasq 2.80-1 installed, that's current for Debian as indicated here: https://packages.debian.org/buster/dnsmasq

Untangle uses APT, it's also its own OS and yes Untangle has control over their repos. But, as you saw above in this thread if you REALLY want to patch it yourself it's actually pretty trivial to do so. What you want, is Untangle to do it FOR YOU. While they're making a different decision based on their own uses and data.

It's open source, put on your big boy pants and learn how to manage your own Debian-ish installations.

But in regards to the recent dnsmasq issues, no patch has been made available by the Debian maintainers, once they do... Untangle will push it.