diff --git a/sudo-1.9.14p3.tar.gz b/sudo-1.9.14p3.tar.gz deleted file mode 100644 index 91e3ffb..0000000 --- a/sudo-1.9.14p3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62 -size 5232320 diff --git a/sudo-1.9.14p3.tar.gz.sig b/sudo-1.9.14p3.tar.gz.sig deleted file mode 100644 index a01c16f..0000000 Binary files a/sudo-1.9.14p3.tar.gz.sig and /dev/null differ diff --git a/sudo-1.9.15p2.tar.gz b/sudo-1.9.15p2.tar.gz new file mode 100644 index 0000000..8576656 --- /dev/null +++ b/sudo-1.9.15p2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:199c0cdbfa7efcfffa9c88684a8e2fb206a62b70a316507e4a91c89c873bbcc8 +size 5303642 diff --git a/sudo-1.9.15p2.tar.gz.sig b/sudo-1.9.15p2.tar.gz.sig new file mode 100644 index 0000000..25c31e7 Binary files /dev/null and b/sudo-1.9.15p2.tar.gz.sig differ diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch index ba60208..f051502 100644 --- a/sudo-sudoers.patch +++ b/sudo-sudoers.patch @@ -1,8 +1,8 @@ -Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in +Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.9.14p3.orig/plugins/sudoers/sudoers.in -+++ sudo-1.9.14p3/plugins/sudoers/sudoers.in -@@ -32,32 +32,23 @@ +--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in +@@ -41,32 +41,23 @@ ## ## Defaults specification ## 
@@ -52,13 +52,17 @@ Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in ## ## Uncomment to restore the historic behavior where a command is run in ## the user's own terminal. -@@ -72,10 +63,15 @@ +@@ -81,7 +72,6 @@ ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output # Defaults maxseq = 1000 + ## +@@ -95,6 +85,12 @@ + ## slower by these options and also can clutter up the logs. + # Defaults!PKGMAN !intercept, !log_subcmds +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly @@ -69,7 +73,7 @@ Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in ## ## Runas alias specification ## -@@ -91,13 +87,5 @@ root ALL=(ALL:ALL) ALL +@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL diff --git a/sudo.changes b/sudo.changes index 0869b7f..2e39476 100644 --- a/sudo.changes +++ b/sudo.changes 
@@ -1,3 +1,80 @@ +------------------------------------------------------------------- +Wed Nov 22 12:46:00 UTC 2023 - Otto Hollmann + +- Update to 1.9.15p2: + * Fixed a bug on BSD systems where sudo would not restore the + terminal settings on exit if the terminal had parity enabled. + GitHub issue #326. +- Update to 1.9.15p1: + * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based + sudoers from being able to read the ldap.conf file. + GitHub issue #325. +- Update to 1.9.15: + * Fixed an undefined symbol problem on older versions of macOS + when "intercept" or "log_subcmds" are enabled in sudoers. + GitHub issue #276. + * Fixed "make check" failure related to getpwent(3) wrapping + on NetBSD. + * Fixed the warning message for "sudo -l command" when the command + is not permitted. There was a missing space between "list" and + the actual command due to changes in sudo 1.9.14. + * Fixed a bug where output could go to the wrong terminal if + "use_pty" is enabled (the default) and the standard input, output + or error is redirected to a different terminal. Bug #1056. + * The visudo utility will no longer create an empty file when the + specified sudoers file does not exist and the user exits the + editor without making any changes. GitHub issue #294. + * The AIX and Solaris sudo packages on www.sudo.ws now support + "log_subcmds" and "intercept" with both 32-bit and 64-bit + binaries. Previously, they only worked when running binaries + with the same word size as the sudo binary. GitHub issue #289. + * The sudoers source is now logged in the JSON event log. This + makes it possible to tell which rule resulted in a match. + * Running "sudo -ll command" now produces verbose output that + includes matching rule as well as the path to the sudoers file + the matching rule came from. For LDAP sudoers, the name of the + matching sudoRole is printed instead. + * The embedded copy of zlib has been updated to version 1.3. 
+ * The sudoers plugin has been modified to make it more resilient + to ROWHAMMER attacks on authentication and policy matching. + This addresses CVE-2023-42465. + * The sudoers plugin now constructs the user time stamp file path + name using the user-ID instead of the user name. This avoids a + potential problem with user names that contain a path separator + ('/') being interpreted as part of the path name. A similar + issue in sudo-rs has been assigned CVE-2023-42456. + * A path separator ('/') in a user, group or host name is now + replaced with an underbar character ('_') when expanding escapes + in @include and @includedir directives as well as the "iolog_file" + and "iolog_dir" sudoers Default settings. + * The "intercept_verify" sudoers option is now only applied when + the "intercept" option is set in sudoers. Previously, it was + also applied when "log_subcmds" was enabled. Sudo 1.9.14 + contained an incorrect fix for this. Bug #1058. + * Changes to terminal settings are now performed atomically, where + possible. If the command is being run in a pseudo-terminal and + the user's terminal is already in raw mode, sudo will not change + the user's terminal settings. This prevents concurrent sudo + processes from restoring the terminal settings to the wrong values. + GitHub issue #312. + * Reverted a change from sudo 1.9.4 that resulted in PAM session + modules being called with the environment of the command to be + run instead of the environment of the invoking user. + GitHub issue #318. + * New Indonesian translation from translationproject.org. + * The sudo_logsrvd server will now raise its open file descriptor + limit to the maximum allowed value when it starts up. Each + connection can require up to nine open file descriptors so the + default soft limit may be too low. + * Better log message when rejecting a command if the "intercept" + option is enabled and the "intercept_allow_setid" option is + disabled. 
Previously, "command not allowed" would be logged and + the user had no way of knowing what the actual problem was. + * Sudo will now log the invoking user's environment as "submitenv" + in the JSON logs. The command's environment ("runenv") is no + longer logged for commands rejected by the sudoers file or an + approval plugin. + ------------------------------------------------------------------- Tue Nov 21 08:56:42 UTC 2023 - Dominique Leuenberger diff --git a/sudo.spec b/sudo.spec index 020cc26..5266389 100644 --- a/sudo.spec +++ b/sudo.spec @@ -25,7 +25,7 @@ %endif Name: sudo -Version: 1.9.14p3 +Version: 1.9.15p2 Release: 0 Summary: Execute some commands as root License: ISC
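Review bot: the sudo-1.9.15p2.tar.gz and sudo-1.9.15p2.tar.gz.sig entries cannot be verified from this diff. The tarball appears only as a Git LFS pointer and the signature only as "Binary files /dev/null and b/sudo-1.9.15p2.tar.gz.sig differ". Before accepting, fetch the LFS object and confirm that its SHA-256 and size match the oid and size lines in the new pointer and the checksum upstream publishes for the release. Also confirm that the new .sig verifies over that exact file with the signing key the package already trusts, since the 1.9.14p3 tarball and signature are deleted in the same change.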
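Review bot: in the sudo-sudoers.patch refresh, the old inner hunk "@@ -72,10 +63,15 @@" is split into "@@ -81,7 +72,6 @@" and "@@ -95,6 +85,12 @@", so the comment block beginning "## In the default (unconfigured) configuration, sudo asks for the root password." is now inserted after the upstream "# Defaults!PKGMAN !intercept, !log_subcmds" example instead of directly after the log_output block. The Defaults lines that implement that behaviour are not among the visible lines. Please apply the refreshed patch to the 1.9.15p2 sudoers.in and confirm that the comment still sits immediately above the settings it describes and that all hunks, including "@@ -110,13 +106,5 @@" next to the %wheel rules, apply without fuzz.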
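Review bot: in the sudo.changes hunk, the only security fix for this package, CVE-2023-42465 (ROWHAMMER hardening of authentication and policy matching), sits in the middle of the 1.9.15 bullet list, where it is easy to miss. The next bullet names CVE-2023-42456, which the text itself says was assigned to sudo-rs. Suggest moving the CVE-2023-42465 bullet to the top of the 1.9.15 block and wording the time stamp bullet so that the sudo-rs identifier is not recorded as fixed here. Three behaviour changes in the same list also affect existing deployments and deserve a callout: the time stamp path is now built from the user-ID, '/' is replaced with '_' in "iolog_file" and "iolog_dir" expansion, and PAM session modules are again called with the invoking user's environment.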