On Sat, Jan 30, 2021 at 05:27:30AM +0000, Robbi Nespu wrote:
> Hi
>
> On Fri, 29 Jan 2021 10:58:06 -0600, David Wright wrote:
> > https://security-tracker.debian.org/tracker/CVE-2021-3156
> > is a timely example of how Debian deals with such problems.
> > Note in particular the line
> >
> > stretch (security) 1.8.19p1-2.1+deb9u3 fixed
> >
> > showing that stretch's version gets a fix, not an upgrade.
>
> How can you confirm that 1.8.19p1-2.1+deb9u3 fixes CVE-2021-3156?
>
> I could not find the source code for that version here [1]; I can only find
> 1.8.19p1-2.1+deb9u2. Are the source repositories for security releases
> separate?
>
> 1. https://sources.debian.org/src/sudo/

I subscribed to the debian-security-announce list, so I received a security update announcement about sudo a few days ago. You can find the web archive of this email at this link [1].

As said in the email, you can find the detailed security status of sudo on its security tracker page at [2].

For the source code, I also cannot find the 1.8.19p1-2.1+deb9u3 version, but I noticed that there is a 1.8.27-1+deb10u3 version [3]. This is the version mentioned in the security update announcement, which is suitable for the latest stable version (Debian 10).

[1] https://lists.debian.org/debian-security-announce/2021/msg00020.html
[2] https://security-tracker.debian.org/tracker/sudo
[3] https://sources.debian.org/src/sudo/1.8.27-1+deb10u3/

-- 
OpenPGP fingerprint: 3C47 5977 4819 267E DD64 C7E4 6332 5675 A739 C74E
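As an added example, not part of the thread, here is how the question above can be answered mechanically: compare an installed sudo version against the fixed version the tracker lists for a release, using the same version-ordering rules as dpkg (epoch, then upstream, then Debian revision, with `~` sorting before everything). The tracker sample is constructed to mirror the shape of the security tracker's JSON export (the field names `releases`, `status` and `fixed_version` are an assumption here); the fixed versions in it are the ones quoted in the thread.

```python
import json

# Constructed sample mirroring the tracker's JSON export (field names assumed);
# fixed versions are the ones quoted in the thread for stretch and buster.
TRACKER_SAMPLE = json.loads('''{"sudo": {"CVE-2021-3156": {"releases": {
  "stretch": {"status": "resolved", "fixed_version": "1.8.19p1-2.1+deb9u3"},
  "buster":  {"status": "resolved", "fixed_version": "1.8.27-1+deb10u3"}}}}}''')

def _order(c):
    """dpkg ordering of a single non-digit char; '' stands for end of string."""
    if c == "" or c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    if c == "~": return -1          # '~' sorts before anything, even the end
    return ord(c) + 256             # other punctuation sorts after letters

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp: alternate non-digit and numeric segments."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc: return ac - bc
            ia += 1; ib += 1
        while ia < len(a) and a[ia] == "0": ia += 1   # leading zeros are ignored
        while ib < len(b) and b[ib] == "0": ib += 1
        while ia < len(a) and ib < len(b) and a[ia].isdigit() and b[ib].isdigit():
            if not first_diff: first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1; ib += 1
        if ia < len(a) and a[ia].isdigit(): return 1   # longer number wins
        if ib < len(b) and b[ib].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep: epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep: upstream, rev = rest, ""
    return int(epoch), upstream, rev

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order v1 and v2."""
    e1, u1, r1 = _split(v1); e2, u2, r2 = _split(v2)
    if e1 != e2: return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_fixed(tracker, package, cve, release, installed_version):
    """True if the release is marked resolved and the installed version is >= the fix."""
    info = tracker[package][cve]["releases"][release]
    return info["status"] == "resolved" and compare_versions(installed_version, info["fixed_version"]) >= 0
```

Against the real tracker data the same check tells a stretch host running `1.8.19p1-2.1+deb9u2` that it is still affected, while `+deb9u3` or any later security revision passes.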