CVE 2021 3156: Baron Samedit
Apple have posted a Knowledgebase Article detailing the content of an update which patches CVE-2021-3156 otherwise known as Baron Samedit.
In it is the following:
Sudo
Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6 Impact: A local attacker may be able to elevate their privileges Description: This issue was addressed by updating to sudo version 1.9.5p2. CVE-2021-3156: Qualys
When run on a Mac with macOS 11.2 this is the difference.
macOS 11.2 with sudo 1.8.31
After: macOS 11.2.1 (20D74) with sudo 1.9.5p2
As of yet I can’t find links to direct downloads but will update this article with them as I they make themselves known. For the time being you can get them through softwareupdate on the command line or Software Update in System Preferences.
The direct downloads for Mojave and Catalina have been made available on Apple’s support download site. Big Sur is missing as - for a while now - it seems to be Apple’s intent to move away from offering updates and patches through a web download and moving more and more into the softwareupdate functionality of the macOS.
Security Update 2021-002 (Mojave)
Security Update 2021-001 (Catalina)
WARNING
There are TWO downloads available with the name ‘Security Update 2021-001 (Catalina)’! Be sure to download the one with the date stamp of Feb 8th, 2021.
Beware: Two updates with the same name!
The sha512 checksum of the correct DMG I downloaded is:
2eeaa8e9dca44c00b4ecf75e28a9923f70b5f9ea2c5d34e762610bd44ea8fb8705b59d00a7bb1efa4f452cd7b7a5e269c303d6c3b5b5f4f2c6cc6a71448f7379
If you don’t already know, you can verify the sha512 checksum with the command shasum -a 512 /path/to/file I use sha512 as it has been shown that md5 checksums are far more vulnerable to collisions, but that is a long story for another time.