Amazon Linux 1 Security Advisory: ALAS-2021-1478
Advisory Release Date: 2021-01-26 00:11 Pacific
Advisory Updated Date: 2021-01-26 19:04 Pacific
When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode. (CVE-2021-3156)
Affected Packages:
sudo
Issue Correction:
Run yum update sudo to update your system.
i686:
sudo-debuginfo-1.8.23-9.56.amzn1.i686
sudo-devel-1.8.23-9.56.amzn1.i686
sudo-1.8.23-9.56.amzn1.i686
src:
sudo-1.8.23-9.56.amzn1.src
x86_64:
sudo-1.8.23-9.56.amzn1.x86_64
sudo-devel-1.8.23-9.56.amzn1.x86_64
sudo-debuginfo-1.8.23-9.56.amzn1.x86_64