20

With the news of the vulnerability found in sudo versions prior to 1.8.28, I am trying to upgrade to that version, but have had no luck. I did sudo apt-get update and sudo apt-get upgrade and sudo continues to be at the same version. Even tried sudo apt-get upgrade sudo and it says it's at the latest, which cannot be entirely true since 1.8.28 was released earlier today.

How does one typically go about updating packages using apt-get to latest versions?

4
  • 3
    Related: Why don't the Ubuntu repositories have the latest versions of software? But security patches usually get backported to the specific version a release uses pretty quickly.
    – Byte Commander
    Commented Oct 14, 2019 at 20:48
  • 1
    Please share the CVE number if you really worry.
    – N0rbert
    Commented Oct 14, 2019 at 20:48
  • 1
    Just came out today. See here: usn.ubuntu.com/4154-1. I see the sudo update here in both 16.04 and 18.04. If you don't see it, make sure bionic-updates and bionic-security are enabled in your sources.
    – doug
    Commented Oct 14, 2019 at 20:49
  • 2
    With security issues, one typically goes about updating by ensuring you have the -security repository enabled. That's where the Ubuntu Security Team uploads to.
    – user535733
    Commented Oct 14, 2019 at 22:24

2 Answers 2

16

It is known as CVE-2019-14287 and is already fixed as a backport.

All you need to do is run:

sudo apt update
sudo apt upgrade

(but it is more likely that unattended-upgrades has already installed all updates)

See USN https://usn.ubuntu.com/4154-1/ :

sudo

and was indicated in changelog of sudo 1.8.21p2-3ubuntu1.1 for 18.04 LTS.

3
  • 3
    To add a bit of info to this answer, security fixes like this one are backported and applied to the application version currently in the repositories as the Ubuntu repositories don't offer the latest version of packages after an OS has been released (To be precise, once the packages' version is frozen during development). For example, the sudo package in 14.04 is still version 1.8.9 as you can see in the screenshot, but it is actually patched to include the fix for the vulnerability.
    – Dan
    Commented Oct 15, 2019 at 7:20
  • "the packages' version is frozen during development" - How do I get the latest versions of things on linux, if they're not in the repositories? I have to clone and compile everything? Commented Oct 15, 2019 at 15:58
  • 2
    @AdamBarnes It's hard to give justice to an answer to that question in a comment. I strongly recommend checking the answers to the question I linked in my previous comment. If none of them answers your question, you can always ask a new one!
    – Dan
    Commented Oct 16, 2019 at 16:04
4

For me it was enough to run:

  1. sudo apt update
  2. apt-cache policy sudo and check versions (Installed: 1.8.16-0ubuntu1.5, Candidate: 1.8.16-0ubuntu1.8 = this version fixed the problem)
  3. sudo apt-get install sudo

The package was updated, and checking for that bug: sudo -u#-1 whoami no longer works

3
  • 3
    Question for "+1"-voters - why do you think that this answer is an answer? The third command will fail with "E: The update command takes no arguments" error. So it should be edited to become correct. Otherwise it is a bad and low-quality answer. We cannot use it to get a positive result. Also, apt-cache does not require sudo rights. I'll recommend @user1005724 to read man apt-get and man apt-cache before posting answers for very serious topics about security.
    – N0rbert
    Commented Oct 16, 2019 at 20:45
  • 3
    3. Should be either sudo apt upgrade to apply all available updates, or sudo apt install sudo or sudo apt install --only-upgrade sudo for only that specific upgrade. Right now, the suggested command does not work, as N0rbert correctly pointed out.
    – Byte Commander
    Commented Oct 17, 2019 at 19:39
  • 1
    Yeah, you are correct Byte Commander, I have updated the answer. My bad. Thanks for pointing this out. The goal was to point out that it is enough to update just a single package to solve the problem. There are a lot of admins who cannot afford to upgrade the whole system like a charm ... :-)
    – Honza P.
    Commented Oct 18, 2019 at 10:58
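
An added example, not part of the original answers: because the fix is backported, the upstream version number stays the same, so the useful checks are Installed versus Candidate from apt-cache policy and which changelog stanza mentions the CVE. The function names are hypothetical and the sample text is constructed; only the version strings and the CVE id come from the answers above.

```shell
#!/bin/sh
# Both functions read command output on stdin, so on a real system use:
#   apt-cache policy sudo | policy_state
#   apt-get changelog sudo | first_version_with_cve CVE-2019-14287

# Print "pending <installed> -> <candidate>", "current <installed>" or "not-installed".
policy_state() {
    awk '
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        END {
            if (inst == "" || inst == "(none)") print "not-installed"
            else if (inst != cand)              print "pending " inst " -> " cand
            else                                print "current " inst
        }'
}

# Print the version of the newest changelog stanza that mentions the CVE id in $1.
# Exit status is 1 when no stanza mentions it.
first_version_with_cve() {
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver) }
        index($0, cve)             { print ver; found = 1; exit }
        END                        { exit (found ? 0 : 1) }'
}

# Constructed sample: apt-cache policy output with the versions quoted in the answer.
SAMPLE_POLICY='sudo:
  Installed: 1.8.16-0ubuntu1.5
  Candidate: 1.8.16-0ubuntu1.8
  Version table:'

# Constructed sample changelog; entry wording and the older stanza are illustrative only.
SAMPLE_CHANGELOG='sudo (1.8.21p2-3ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: constructed entry text
    - CVE-2019-14287

sudo (1.8.21p2-3ubuntu1) bionic; urgency=medium

  * constructed earlier entry'

printf '%s\n' "$SAMPLE_POLICY" | policy_state
printf '%s\n' "$SAMPLE_CHANGELOG" | first_version_with_cve CVE-2019-14287
```

A "pending" result means the fixed package is available but not yet installed; "current" together with a changelog hit for the CVE means the backported fix is in place.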
