- Update to 1.8.31
Major changes between version 1.8.31 and 1.8.30:
* This version fixes a potential security issue that can lead to
a buffer overflow if the pwfeedback option is enabled in
sudoers [CVE-2019-18634] [bsc#1162202]
* The sudoedit_checkdir option now treats a user-owned directory
as writable, even if it does not have the write bit set at the
time of check. Symbolic links will no longer be followed by
sudoedit in any user-owned directory. Bug #912.
* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
at the password prompt. Bug #914.
* Fixed compilation on systems where the mmap MAP_ANON flag is
not available. Bug #915.
Major changes between version 1.8.30 and 1.8.29:
* Sudo now closes file descriptors before changing uids. This
prevents a non-root process from interfering with sudo's ability
to close file descriptors on systems that support the prlimit(2)
system call.
* Sudo now treats an attempt to run sudo sudoedit as simply
sudoedit If the sudoers file contains a fully-qualified path
to sudoedit, sudo will now treat it simply as sudoedit
(with no path). Visudo will will now treat a fully-qualified
path to sudoedit as an error. Bug #871.
* Fixed a bug introduced in sudo 1.8.28 where sudo would warn
about a missing /etc/environment file on AIX and Linux when
PAM is not enabled. Bug #907.
* Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
the askpass program from running due to an unlimited stack size
resource limit. Bug #908.
* If a group provider plugin has optional arguments, the argument
OBS-URL: https://build.opensuse.org/request/show/772142
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=160
- Update to 1.8,28p1
* The fix for Bug #869 caused "sudo -v" to prompt for a password
when "verifypw" is set to "all" (the default) and all of the
user's sudoers entries are marked with NOPASSWD. Bug #901.
- Update to 1.8.28
* Fixed CVE-2019-14287 (bsc#1153674),
a bug where a sudo user may be able to
run a command as root when the Runas specification explicitly
disallows root access as long as the ALL keyword is listed first.
* Sudo will now only set PAM_TTY to the empty string when no
terminal is present on Solaris and Linux. This workaround is
only needed on those systems which may have PAM modules that
misbehave when PAM_TTY is not set.
* The mailerflags sudoers option now has a default value even if
sendmail support was disabled at configure time. Fixes a crash
when the mailerpath sudoers option is set but mailerflags is not.
Bug #878.
* Sudo will now filter out last login messages on HP-UX unless it
a shell is being run via "sudo -s" or "sudo -i". Otherwise,
when trusted mode is enabled, these messages will be displayed
for each command.
* Sudo has a new -B command line option that will ring the terminal
bell when prompting for a password.
* Sudo no longer refuses to prompt for a password when it cannot
determine the user's terminal as long as it can open /dev/tty.
This allows sudo to function on systems where /proc is unavailable,
such as when running in a chroot environment.
* The "env_editor" sudoers flag is now on by default. This makes
source builds more consistent with the packages generated by
OBS-URL: https://build.opensuse.org/request/show/738914
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=156
- Update to 1.8.22
* Commands run in the background from a script run via sudo will
no longer receive SIGHUP when the parent exits and I/O logging
is enabled
* A particularly offensive insult is now disabled by default
* The description of sudo -i now correctly documents that the
env_keep and env_check sudoers options are applied to the
environment
* Fixed a crash when the system's host name is not set
* The sudoers2ldif script now handles #include and #includedir
directives.
* Fixed a bug where sudo would silently exit when the command
was not allowed by sudoers and the passwd_tries sudoers option
was set to a value less than one.
* Fixed a bug with the listpw and verifypw sudoers options and
multiple sudoers sources. If the option is set to all a
password should be required unless none of a user's sudoers
entries from any source require authentication.
* Fixed a bug with the listpw and verifypw sudoers options in
the LDAP and SSSD back-ends. If the option is set to any and
the entry contained multiple rules, only the first matching
rule was checked. If an entry contained more than one matching
rule and the first rule required authentication but a
subsequent rule did not, sudo would prompt for a password when
it should not have.
* When running a command as the invoking user (not root), sudo
would execute the command with the same group vector it was
started with. Sudo now executes the command with a new group
vector based on the group database which is consistent with how
su(1) operates.
* Fixed a double free in the SSSD back-end that could occur when
ipa_hostname is present in sssd.conf and is set to an unqualified
host name.
* When I/O logging is enabled, sudo will now write to the terminal
even when it is a background process. Previously, sudo would only
write to the tty when it was the foreground process when I/O
logging was enabled. If the TOSTOP terminal flag is set, sudo
will suspend the command (and then itself) with the SIGTTOU signal.
* A new authfail_message sudoers option that overrides the default
N incorrect password attempt(s).
* An empty sudoRunAsUser attribute in the LDAP and SSSD backends
will now match the invoking user. This is more consistent with
how an empty runas user in the sudoers file is treated.
* Documented that in check mode, visudo does not check the owner /
mode on files specified with the -f flag
* It is now an error to specify the runas user as an empty string
on the command line. Previously, an empty runas user was treated
the same as an unspecified runas user
* When timestamp_type option is set to tty and a terminal is
present, the time stamp record will now include the start time
of the session leader. When the timestamp_type option is set
to ppid or when no terminal is available, the start time of the
parent process is used instead. This significantly reduces the
likelihood of a time stamp record being re-used when a user logs
out and back in again.
* The sudoers time stamp file format is now documented in the new
sudoers_timestamp manual.
* Visudo will now use the SUDO_EDITOR environment variable (if
present) in addition to VISUAL and EDITOR.
- rebase sudoers2ldif-env.patch
- cleanup with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/568794
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=130
