[arch-general] CVE-2021-3156 (Heap-Based Buffer Overflow in Sudo)
Hi,

Just checked my servers and all were vulnerable:

[zork@archdevel ~]$ sudoedit -s '\' `perl -e 'print "A" x 65536'`
malloc(): corrupted top size
Aborted (core dumped)

Updating to the latest version (sudo-1.9.5.p2-1) closed this vulnerability. Maybe this should be posted as an arch news message?

Regards,
Łukasz

I agree it should be a message. I'm curious though, about how often you update on the server side? By the time I got the announcement the core repo had pushed that version to me already.

On Fri, Jan 29, 2021 at 12:26 PM Łukasz Michalski via arch-general <arch-general@lists.archlinux.org> wrote:

> Hi,
>
> Just checked my servers and all were vulnerable:
>
> [zork@archdevel ~]$ sudoedit -s '\' `perl -e 'print "A" x 65536'`
> malloc(): corrupted top size
> Aborted (core dumped)
>
> Updating to the latest version (sudo-1.9.5.p2-1) closed this vulnerability. Maybe this should be posted as an arch news message?
>
> Regards,
> Łukasz

On 1/29/21 12:20 PM, Łukasz Michalski via arch-general wrote:

> Hi,
>
> Just checked my servers and all were vulnerable:
>
> Updating to the latest version (sudo-1.9.5.p2-1) closed this vulnerability. Maybe this should be posted as an arch news message?

It was already sent to the arch-security mailing list on 1/26.

DR

On 29.01.2021 18:20, Łukasz Michalski via arch-general wrote:

> Hi,
>
> Just checked my servers and all were vulnerable:
>
> [zork@archdevel ~]$ sudoedit -s '\' `perl -e 'print "A" x 65536'`
> malloc(): corrupted top size
> Aborted (core dumped)
>
> Updating to the latest version (sudo-1.9.5.p2-1) closed this vulnerability. Maybe this should be posted as an arch news message?
>
> Regards,
> Łukasz

There has been an ASA on arch-security [0] on top of huge press coverage, that should suffice.

[0] https://lists.archlinux.org/pipermail/arch-security/2021-January/001699.html

On Friday, 29 January 2021 at 18:20 (+0100), Łukasz Michalski via arch-general wrote:

> Maybe this should be posted as an arch news message?

There was an announcement on the security list, attached.

Jaron

participants (5)
- David Rosenstrauch
- Georg
- Jaron Kent-Dobias
- Matt Compton
- Łukasz Michalski