by jart 1967 days ago
Developers: your moment has come at last to humble your local system administrator for wearing those "I read your emails" t-shirts. This is as day zero as day zero gets. Red Hat and Debian published their security announcements just two hours ago at the exact same moment this was posted on Hacker News. It would have been more responsible to keep something this bad under wraps a bit longer, because all the people who still use things like cPanel virtual hosting are at risk.
1 comments

cPanel is a web-based thing though, isn't it?

You'd need shell access to the host to execute `sudo` and attempt to exploit it.

cPanel is a web GUI for managing Linux systems. It's mainly used to configure and resell Apache virtual hosts. Shell accounts are one of the things it manages. These companies normally have like hundreds of customers per server since they charge ~$1/month for hosting. So anyone who pays one dollar a month extra for shell access can compromise a whole lot of people. I tried tweeting at these virtual hosting providers to bring the vulnerability to their attention, but no one's responded.