Does Software Update patch the "sudo" and "dnsmasq" bugs?

Asked by Jonathan

Hello.

I run Software Update regularly but noticed that both "sudo" and "dnsmasq" have outdated version numbers.

$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

That being said, it seems that the version running on my system does not exhibit the known vulnerability documented in https://www.sudo.ws/alerts/unescape_overflow.html

I understand that Network Manager uses the "dnsmasq-base" package and when I run "dnsmasq --version" I see a version number that's vulnerable to the "dnspooq" vulnerability.

$ dnsmasq --version
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley

First of all, when will "sudo" be updated to 1.8.32 or 1.9.5p2? Second, why is it already secure even though it hasn't been updated? And third, is dnsmasq-base vulnerable or just the full version of dnsmasq? And finally, when will dnsmasq-base be updated?

Thanks.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Manfred Hampl

Manfred Hampl (m-hampl) said :
#1

The versions in Ubuntu focal (at least I assume that you are talking about Ubuntu 20.04) are already patched.

See https://ubuntu.com/security/CVE-2021-3156 and https://ubuntu.com/security/CVE-2020-25681

The Ubuntu strategy is not to update a package to a newer version, but to apply a bugfix to the version already published in Ubuntu and increase the very last part of the version string (e.g. for sudo from 1.8.31-1ubuntu1.1 to 1.8.31-1ubuntu1.2).

Jonathan (jonathandl2) said :
#2

When I execute the commands with the "--version" parameter, it doesn't display the new version string.
That being said, I can't argue with the fact that "sudoedit" passed the "sudoedit -s /" test!

Manfred Hampl (m-hampl) said :
#3

With the --version parameter you only see the base version, but not the Ubuntu version dot numbers.

Jonathan (jonathandl2) said :
#4

What command can I use to see the full version number at a glance?

Thanks!

Best Manfred Hampl (m-hampl) said :
#5

There is no direct command to see it with the command in question, but you can query the package management system.

dpkg -l sudo dnsmasq dnsmasq-base

or

apt-cache policy sudo dnsmasq dnsmasq-base

Jonathan (jonathandl2) said :
#6

Sounds good! Thanks for answering my questions.