Recently, sudo released version 1.9.17p1, which fixed two CVE security issues: CVE-2025-32462 and CVE-2025-32463, of which CVE-2025-32463 is rated by NVD as a critical vulnerability. The issue has been proposed on Redhat Bugzilla, but it has not been resolved yet. Since Fedora 41, 42, and Rawhide all use sudo version 1.9.15, all the current Fedora versions are affected by this vulnerability. Could the latest version 1.9.17p1 be packaged as soon as possible to fix this issue?
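As an added example (not part of any post in this thread), here is a POSIX shell check that compares the sudo version installed on a host with the first fixed release named above, 1.9.17p1, so an administrator can tell whether a machine is still waiting on the update. The `FIXED_VERSION` constant, the function names and the sample version strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare an installed sudo version with the fixed release
# named in the thread (1.9.17p1). Version strings look like "1.9.15" or
# "1.9.17p1"; the "pN" suffix is sudo's patch level, missing means p0.

FIXED_VERSION="1.9.17p1"   # first release the thread names as fixed

# Print "major minor patch plevel" for a sudo version string.
split_sudo_version() {
    ver="$1"
    base="${ver%%p*}"                  # "1.9.17p1" -> "1.9.17"
    case "$ver" in
        *p*) plevel="${ver##*p}" ;;    # "1.9.17p1" -> "1"
        *)   plevel=0 ;;
    esac
    set -- $(printf '%s\n' "$base" | tr '.' ' ')
    echo "${1:-0} ${2:-0} ${3:-0} $plevel"
}

# Fold the four components into one integer so they compare numerically
# in the order major, minor, patch, patch level.
sudo_version_key() {
    set -- $(split_sudo_version "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# True (exit 0) when version $1 is at least version $2.
sudo_version_ge() {
    [ "$(sudo_version_key "$1")" -ge "$(sudo_version_key "$2")" ]
}

# Read the first line of `sudo --version` ("Sudo version 1.9.15p5") and
# report whether this host is at or above the fixed release.
# Exit status: 0 fixed, 1 update still needed, 2 sudo not found.
check_installed_sudo() {
    installed="$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')"
    if [ -z "$installed" ]; then
        echo "sudo not installed or not runnable"
        return 2
    fi
    if sudo_version_ge "$installed" "$FIXED_VERSION"; then
        echo "sudo $installed: at or above $FIXED_VERSION"
        return 0
    fi
    echo "sudo $installed: below $FIXED_VERSION, update still needed"
    return 1
}

# Run the check when the script is executed; keep its status for callers.
status=0
check_installed_sudo || status=$?
```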
I have multiple Fedora Server instances, and I am actually worried about this, as other distributions are taking action but not Fedora.
The build servers have kinda been down with this datacenter move. It’s not like the developers don’t want to push a fix. They literally haven’t been able to, it’s just unfortunate timing.
Thanks Shawn, now I see https://www.fedorastatus.org/
Truly unfortunate timing
I’m thinking a quick option could be to take the spec rpm, change it to a newer sudo package source, locally compile, and be good to go.
Ok, I’m not a security expert and I don’t want to spread a false sense of security. So please, someone prove me wrong.
I don’t know your use cases, but for the record consider that this vulnerability “allows local users to obtain root access”: so the attack vector is local. Then, if you are the sole user of your system, you should not worry too much, IMHO.
In theory someone may argue that every process runs as a local user, but if the user with whom a process is running (e.g. the Apache web server) is able to run sudo via a remote call, well, I think that the security issue you have is not related to this CVE…
That said, what I mean is not that you can happily live with an unpatched system, but the real impact of every security advisory should be evaluated in relation to your environment.
Replace sudo with doas or sudo-rs.
I have done so and installed sudo-rs.
Once the issue is resolved, you can come back to sudo.
I use Fedora Workstation on my laptop and I am the only user. Should I be worried about this issue? In particular, can some unwanted entity run applications as root if I am connected to the internet? I am sorry in advance for the dumb question.
If I understand the CVE correctly, if you are a sole user then the CVE will likely not affect you, as the vulnerability seems to be about non-admin users getting sudo privileges.
It will likely also be getting patched tomorrow, as the update seems to be getting pushed to stable at the next window.
I did just uninstall sudo; systemd brings run0 and that’s included anyway…
Ohh, good, but the issue with run0 is that even the systemd guys don’t use run0; they made it and then forgot about it. But yes, run0 is good. I still recommend sudo-rs as a replacement for sudo.