by alibob 1321 days ago
Why is "sudo 1.8.0 through 1.9.12" affected, but RHEL 8 (shipping sudo 1.8.29) and RHEL 9 (shipping sudo 1.9.5) are not affected?

<https://access.redhat.com/security/cve/CVE-2022-43995>

  Description:
  ... Sudo 1.8.0 through 1.9.12 ...
  Statement:
  The sudo package as distributed with Red Hat Enterprise Linux 7, 8 and 9 is not affected by this issue as it currently doesn't ship the affected code.
<https://access.redhat.com/downloads/content/sudo/x86_64/pack...>

  1.9.5p2-7.el9
  1.8.29-8.el8
1 comment

<https://news.ycombinator.com/item?id=33467522>

Got it. Linux distributions (e.g. RHEL) have --with-pam in configure, so they are not vulnerable (code not compiled). (If you have --with-passwd in configure, then passwd.c is compiled and you are vulnerable, but Linux distributions do not do this.)

<https://ubuntu.com/security/CVE-2022-43995>

  sudo packages in Ubuntu are compiled with PAM support, so the vulnerable code isn't part of the binaries.
  Not vulnerable (code not compiled)
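The reasoning in the thread reduces to two separate questions: does the upstream version fall in the advisory's range, and was passwd.c actually compiled into the binary? The following POSIX sh script is an added example written for this page, not code from the thread, from Red Hat or from the sudo project. It strips a distro package version (e.g. 1.9.5p2-7.el9) down to upstream major.minor.patch, checks it against the advisory's "1.8.0 through 1.9.12" range, classifies a `sudo -V` "Configure options:" line by the --with-pam / --with-passwd flags discussed above, and looks for libpam in `ldd` output as a quick sign of a PAM build. The function names, the "unknown" outcome for builds with neither flag, and the ldd/sudo -V text fed in are assumptions; the treatment of pN patch levels as equal to their base version is a deliberate simplification.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helpers that reproduce the
# thread's reasoning: the upstream range says "affected", but what matters is
# whether passwd.c was compiled, which follows from the configure flags.

# Strip a distro package version to upstream major.minor.patch:
# "1.9.5p2-7.el9" -> "1.9.5". Patch levels (pN) are deliberately ignored here.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/-.*$//' -e 's/p[0-9]*$//'
}

# Map "1.9.5" to a single sortable integer (1*1000000 + 9*1000 + 5).
version_key() {
    ver=$(upstream_version "$1")
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0      # no third component, e.g. "1.9"
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# Advisory range for CVE-2022-43995: sudo 1.8.0 through 1.9.12 (inclusive).
version_in_affected_range() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.8.0)" ] && [ "$k" -le "$(version_key 1.9.12)" ]
}

# Classify a "Configure options:" line (sudo -V prints it when run as root).
# --with-passwd => passwd.c compiled; --with-pam => not compiled; else unknown
# (assumption: anything else is left for the reader to inspect by hand).
passwd_c_compiled() {
    opts=" $1 "
    case "$opts" in
        *"--with-passwd"*)              echo compiled ;;
        *" --with-pam "*|*" --with-pam="*) echo not-compiled ;;
        *)                              echo unknown ;;
    esac
}

# Does ldd output mention libpam? Takes the text as an argument so it can be
# exercised with constructed input on a host that has no sudo binary.
pam_linked() {
    printf '%s\n' "$1" | grep -q 'libpam\.so'
}

# Combine the two facts the way the thread does for RHEL.
verdict() {
    pkgver=$1; opts=$2
    build=$(passwd_c_compiled "$opts")
    if ! version_in_affected_range "$pkgver"; then
        echo outside-range
    elif [ "$build" = not-compiled ]; then
        echo in-range-but-not-affected
    elif [ "$build" = compiled ]; then
        echo affected
    else
        echo in-range-check-build
    fi
}

# Live check for the installed sudo (needs root for the configure line).
check_installed_sudo() {
    bin=$(command -v sudo) || return 1
    opts=$(sudo -V 2>/dev/null | sed -n 's/^Configure options: *//p')
    ldd_out=$(ldd "$bin" 2>/dev/null)
    pkgver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version *//p')
    printf 'version=%s pam_linked=%s build=%s\n' \
        "$pkgver" "$(pam_linked "$ldd_out" && echo yes || echo no)" \
        "$(passwd_c_compiled "$opts")"
}

# Constructed RHEL 9 example from the thread (package 1.9.5p2-7.el9, PAM build).
rhel9_opts='--prefix=/usr --with-pam --with-logging=syslog'
printf 'rhel9: %s\n' "$(verdict '1.9.5p2-7.el9' "$rhel9_opts")"
```

Run `check_installed_sudo` as root to see the real configure line for your host; unprivileged `sudo -V` only prints the version, so the build classification will come back as unknown and you have to fall back on the ldd libpam check or the distro's own advisory page.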