The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1
Check your version:
sudo --versionAs mentioned above, sudo version 1.9.17p1 patches this. This version was already released in June of this year, so many distributions should have it.
On Ubuntu 24.04
Sudo version 1.9.15p5
Eep!
p5. The patch was backported.Wait, shouldn’t Ubuntu 24.04 LTS get security bugfixes?
It does. In fact it is fixed.
All decent LTS/stable distros will cherrypick security fixes into whatever version they stabilized themselves on.
Thanks for posting the version.
Looks like Arch updated to this version on 1st July.
My DMZ node had it installed a week later, so I’m all smug today
Its funny because whenever I hear about something like this with foss it tends to be this way but when its proprietary I hear on how they were informed a while back, never patched it, and the founder of the bug is now disclosing based on the timetable they gave the. Feels that way anyway.
This vulnerability could allow a local attacker to leverage sudo’s -R (–chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
I tried using the systemd alternatie, run0 or whatever… it’s really weird
Laughs in opendoas
Ah yes. Security through obscurity.
nice meme
