ALAS2-2021-1590


Amazon Linux 2 Security Advisory: ALAS-2021-1590
Advisory Release Date: 2021-01-25 23:09 Pacific
Advisory Updated Date: 2021-01-26 18:48 Pacific
Severity: Important
References: CVE-2021-3156 

Issue Overview:

When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode. (CVE-2021-3156 )


Affected Packages:

sudo


Issue Correction:
Run yum update sudo to update your system.

New Packages:
aarch64:
    sudo-1.8.23-4.amzn2.2.1.aarch64
    sudo-devel-1.8.23-4.amzn2.2.1.aarch64
    sudo-debuginfo-1.8.23-4.amzn2.2.1.aarch64

i686:
    sudo-1.8.23-4.amzn2.2.1.i686
    sudo-devel-1.8.23-4.amzn2.2.1.i686
    sudo-debuginfo-1.8.23-4.amzn2.2.1.i686

src:
    sudo-1.8.23-4.amzn2.2.1.src

x86_64:
    sudo-1.8.23-4.amzn2.2.1.x86_64
    sudo-devel-1.8.23-4.amzn2.2.1.x86_64
    sudo-debuginfo-1.8.23-4.amzn2.2.1.x86_64