• Einar@lemmy.zip · 22 upvotes · 1 day ago

    The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1

    Check your version: sudo --version

    As mentioned above, sudo version 1.9.17p1 patches this. This version was already released in June of this year, so many distributions should have it.

    • SayCyberOnceMore@feddit.uk · 2 upvotes · 12 hours ago

      Thanks for posting the version.

      Looks like Arch updated to this version on 1st July.

      My DMZ node had it installed a week later, so I’m all smug today.

      • GJdan@programming.dev · 2 upvotes · edited · 9 hours ago

        It should be backported in supported Ubuntu versions.

        sudo apt changelog sudo


        sudo (1.9.15p5-3ubuntu5.24.04.1) noble-security; urgency=medium

        • SECURITY UPDATE: Local Privilege Escalation via host option
          • debian/patches/CVE-2025-32462.patch: only allow specifying a host when listing privileges.
          • CVE-2025-32462
        • SECURITY UPDATE: Local Privilege Escalation via chroot option
          • debian/patches/CVE-2025-32463.patch: remove user-selected root directory chroot option.
          • CVE-2025-32463

        -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Jun 2025 08:42:53 -0400

        • SSUPII@sopuli.xyz · 1 upvote · 6 hours ago

          It does. In fact it is fixed.

          All decent LTS/stable distros will cherry-pick security fixes into whatever version they stabilized themselves on.
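Putting Einar's version check together with the backport caveat from GJdan and SSUPII, here is a small POSIX shell script (an added example, not code from any of the posters) that classifies a sudo version string against the 1.9.17p1 fix for CVE-2025-32463 and then looks for the CVE in a distro changelog, since a backported fix keeps the older upstream version number. The "Sudo version X" first line of `sudo --version` and the --live flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: screen a sudo version string against
# the 1.9.17p1 upstream fix for CVE-2025-32463, then check a distro changelog
# for a backport, because stable releases patch in place and keep an older
# upstream version string (e.g. Ubuntu's 1.9.15p5-3ubuntu5.24.04.1 above).

# Turn "Sudo version 1.9.17p1" (or "1.9.15p5-3ubuntu5...") into the four
# numeric fields "1 9 17 1"; a version without a "pN" suffix gets p-level 0.
version_key() {
    v=$(printf '%s\n' "$1" | sed 's/^Sudo version //; s/[ -].*//')
    case "$v" in
        *p*) plevel=${v##*p}; base=${v%p*} ;;
        *)   plevel=0;        base=$v ;;
    esac
    set -- $(printf '%s' "$base" | tr '.' ' ')
    printf '%s %s %s %s' "${1:-0}" "${2:-0}" "${3:-0}" "${plevel:-0}"
}

# True (exit 0) when version $1 is at least version $2, compared field by field.
version_ge() {
    set -- $(version_key "$1") $(version_key "$2")
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# First screen: "fixed" at or above 1.9.17p1, "vulnerable" below it.
# On a distro that backports, "vulnerable" here is not a final verdict.
cve_2025_32463_status() {
    if version_ge "$1" 1.9.17p1; then echo fixed; else echo vulnerable; fi
}

# Second screen: does changelog text on stdin (e.g. "apt changelog sudo")
# name the CVE? Prints "backported" or "no-mention".
changelog_mentions_fix() {
    if grep -q 'CVE-2025-32463'; then echo backported; else echo no-mention; fi
}

# Live check of this host; run the script with --live to enable it.
case "${1:-}" in
    --live)
        ver=$(sudo --version 2>/dev/null | head -n 1)
        echo "$ver -> $(cve_2025_32463_status "$ver")"
        command -v apt >/dev/null 2>&1 &&
            apt changelog sudo 2>/dev/null | changelog_mentions_fix
        ;;
esac
```

Run it as `sh check_sudo.sh --live`; a "vulnerable" result together with "backported" means the distro patched the older version in place.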

    • HubertManne@piefed.social · 4 upvotes, 1 downvote · 22 hours ago

      It’s funny because whenever I hear about something like this with FOSS it tends to be this way, but when it’s proprietary I hear about how they were informed a while back, never patched it, and the finder of the bug is now disclosing based on the timetable they gave them. Feels that way anyway.