The fix for this issue has been released in sudo version 1.9.17p1. However Fedora and a couple of other distributions has not updated to this version as yet. Here is a discussion on Fedora’s website. CVE-2025-32463 vulnerability mitigation - Fedora Discussion.
I began picking up on some news of this topic a few weeks ago, but never paid attention to it. I just checked that my version of sudo on Fedora is 1.9.15p5. I haven’t panicked but it did raise my heartbeat a couple of levels.
Were you aware of this vulnerability? What are your plans to mitigate it?
I have realized that some tech news websites are making a huge deal out of this. One website says this has been a huge risk since 2013. They also mentioned all major distros are affected.
Although this vulnerability is serious, I am getting the sense from one or two experienced bloggers that first, the perpetrator would have to get access to your user account before they can elevate themselves to root using the sudo weakness.
Therefore I would think one way to mitigate this threat is to make sure that your computer does not use an automatic login, and that your password is strong.
I’m back out to work and had a closer look. Yes, exploiting these vulnerabilities requires the attacker to already have some level of sudo access or be a local user with sudo privileges.
I know vulnerabilities might be nasty, but I’m sure mostly often updated distros as Fedora will have the hotfix soon, I’m guessing 1 week maximum and development team will release the update.
The only defence we having against these CVEs is keeping the system often updated. The problem would be more consistent using Ubuntu or some Debian stable derivates, in this case packages versions are stuck for months. (I just checked Debian stable currently is using sudo version 1.9.13p3)
For a home user he might either don’t know anything about CVEs, so Ubuntu usage will not be a daily problem for him. For a professional user instead he need to update soon. In case of Debian stable for having the last package version you might claw some critical updates from sid repository when you heard something as CVEs.
Also seems in Debian and Ubuntu already patched the CVE by theirself
In general guys keep in mind system updates, expecially security patches, are importants and you should do them as soon they are available, as best maintanance practice.
