Ubuntu's move to Rust-based system utilities has hit some bumps. Earlier, a bug in the Rust-based date command broke automatic updates. The command returned current time instead of file modification timestamps, causing Ubuntu 25.10 systems to stop automatically checking for software updates.
That issue was quickly fixed, but now, two security vulnerabilities have been found in sudo-rs.
Better Now than Later
The first vulnerability involves password exposure during timeouts. When users type a password but don't press enter, the timeout causes those keystrokes to replay onto the console. This could reveal partial passwords in shell history or on screen.
The second issue affects timestamp authentication. When Defaults targetpw or Defaults rootpw options are enabled, sudo-rs incorrectly recorded the wrong user ID in timestamps. This allowed bypassing authentication by reusing cached credentials even when policy required a different password.
Patches for both issues have been released in sudo-rs 0.2.10. Ubuntu is set to push the fixes through a Stable Release Update (SRU).
These bugs being caught in Ubuntu 25.10 is actually a good sign. The interim release serves as a testing ground before Ubuntu 26.04 LTS arrives in April 2026. Finding critical security flaws now allows developers ample time to address them.
Here's the Fix!
At the time of writing, the updated sudo-rs package had not yet arrived in the Ubuntu 25.10 repositories. But it should be available soon.
Once the update is live, you can get the fix using the graphical Software Updater tool by launching it from your application menu and installing any available security updates.
sudo-rs' upgrade process on Ubuntu 25.10.
Alternatively, you can use the terminal. Run these commands one after the other to get the patch:
sudo-rs updatesudo-rs upgradePS: Using sudo instead of sudo-rs also works the same.
Via: Phoronix
Suggested Read π
Abhishek Prakash
