Amazon Linux 2 Security Advisory: ALAS-2021-1590
Advisory Release Date: 2021-01-25 23:09 Pacific
Advisory Updated Date: 2021-01-26 18:48 Pacific
When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode. (CVE-2021-3156)
Affected Packages:
sudo
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update sudo to update your system.
aarch64:
sudo-1.8.23-4.amzn2.2.1.aarch64
sudo-devel-1.8.23-4.amzn2.2.1.aarch64
sudo-debuginfo-1.8.23-4.amzn2.2.1.aarch64
i686:
sudo-1.8.23-4.amzn2.2.1.i686
sudo-devel-1.8.23-4.amzn2.2.1.i686
sudo-debuginfo-1.8.23-4.amzn2.2.1.i686
src:
sudo-1.8.23-4.amzn2.2.1.src
x86_64:
sudo-1.8.23-4.amzn2.2.1.x86_64
sudo-devel-1.8.23-4.amzn2.2.1.x86_64
sudo-debuginfo-1.8.23-4.amzn2.2.1.x86_64