Received: from trent.utfs.org (trent.utfs.org [94.185.90.103])
	by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id 62BDF223214
	for <~alpine/devel@lists.alpinelinux.org>; Thu, 16 Mar 2023 11:25:46 +0000 (UTC)
Received: from localhost (localhost [IPv6:::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by trent.utfs.org (Postfix) with ESMTPS id 125705F7A3;
	Thu, 16 Mar 2023 12:25:45 +0100 (CET)
Date: Thu, 16 Mar 2023 12:25:45 +0100 (CET)
From: Christian Kujau
To: Christian Dupuis
cc: ~alpine/devel@lists.alpinelinux.org
Subject: Re: CVE-2021-3156 version number of sudo
In-Reply-To:
Message-ID: <4e6896b6-d218-aa6d-4189-a1f43eaf543d@nerdbynature.de>
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8BIT

On Thu, 16 Mar 2023, Christian Dupuis wrote:
> is it possible that there’s a typo in the version number '1.9.5p2-r0'
> of 'sudo' in CVE-2021-3156? Should the version number be '1.9.5_p2-r0'
> instead?

So, https://security.alpinelinux.org/vuln/CVE-2021-3156 (and NVD too)
states "Sudo before 1.9.5p2 contains...", I don't know where this
"1.9.5_p2" is coming from.

But, sudo 1.9.5p2[0] is from 2021 (i.e. Alpine v3.12[1]), so I'm curious
to know what this question is really about :-)

C.

[0] https://www.sudo.ws/releases/stable/#1.9.5p2
[1] https://pkgs.alpinelinux.org/package/v3.12/main/x86_64/sudo

-- 
BOFH excuse #451:

astropneumatic oscillations in the water-cooling