* remove CVE-2013-1776
* The non-Unix group plugin is now supported when sudoers data is stored in LDAP.
* User messages are now always displayed in the user's locale, even when the
same message is being logged or mailed in a different locale.
* Log files created by sudo now explicitly have the group set to group ID 0
rather than relying on BSD group semantics (which may not be the default).
* A new exec_background sudoers option can be used to initially run the
command without read access to the terminal when running a command in a
pseudo-tty.
* Sudo now produces better error messages when there is an error in the sudo.conf file.
* Two new settings have been added to sudo.conf to give the admin better control of
how group database queries are performed.
* There is now a standalone sudo.conf manual page.
* New support for specifying a SHA-2 digest along with the command in sudoers.
Supported hash types are sha224, sha256, sha384 and sha512. See the description
of Digest_Spec in the sudoers manual or the description of sudoCommand in the
sudoers.ldap manual for details.
* Fixed potential false positives in visudo's alias cycle detection.
* Sudo now only builds Position Independent Executables (PIE) by default on Linux
systems and verifies that a trivial test program builds and runs.
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=56
- sudo 1.8.6p3
* Support for using the System Security Services Daemon (SSSD) as a source of sudoers data
* Fixed a race condition that could cause sudo to receive SIGTTOU (and stop)
when resuming a shell that was run via sudo when I/O logging (and use_pty) is not enabled.
* The sudoers plugin now takes advantage of symbol visibility controls when supported by the compiler or linker.
* Sending SIGTSTP directly to the sudo process will now suspend
the running command when I/O logging (and use_pty) is not enabled.
OBS-URL: https://build.opensuse.org/request/show/140141
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=47
- update to 1.8.5
Some of the changes:
* /etc/environment is no longer read directly on Linux systems when
PAM is used. Sudo now merges the PAM environment into the user's
environment which is typically set by the pam_env module.
* The plugin API has been extended
* The policy plugin's init_session function is now called by the
parent sudo process, not the child process that executes the command
This allows the PAM session to be open and closed in the same process,
which some PAM modules require.
* A new group provider plugin, system_group, is included
* Fixed a potential security issue in the matching of hosts against
an IPv4 network specified in sudoers.The flaw may allow a user who
is authorized to run commands on hosts belonging to one IPv4
network to run commands on a different host (CVE-2012-2337)
OBS-URL: https://build.opensuse.org/request/show/121223
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=41
- update to 1.8.4p2
Some of the changes:
* The -D flag in sudo has been replaced with a more general
debugging framework that is configured in sudo.conf.
* Fixed a crash with sudo -i when a runas group was specified
without a runas user.
* New Serbian and Spanish translations for sudo from translationproject.org.
LDAP-based sudoers may now access by group ID in addition to group name.
* visudo will now fix the mode on the sudoers file even if no
changes are made unless the -f option is specified.
* On systems that use login.conf, sudo -i now sets environment
variables based on login.conf
* values in the LDAP search expression are now escaped as per RFC 4515
* The deprecated "noexec_file" sudoers option is no longer supported.
* Fixed a race condition when I/O logging is not enabled that could
result in tty-generated signals (e.g. control-C) being received
by the command twice.
* visudo -c will now list any include files that were checked in
addition to the main sudoers file when everything parses OK.
* Users that only have read-only access to the sudoers file may
now run visudo -c. Previously, write permissions were required
even though no writing is down in check-only mode.
OBS-URL: https://build.opensuse.org/request/show/108646
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=39
- update to sudo-1.8.3
- Fixed expansion of strftime() escape sequences
in the log_dir sudoers setting.
- Esperanto, Italian and Japanese
translations from translationproject.org.
- Added --enable-werror configure option for gcc's
-Werror flag. - Visudo no longer
assumes all editors support the +linenumber command line argument.
It now uses a whitelist of editors known to support the option.
- Fixed matching of network addresses when a netmask is specified but
the address is not the first one in the CIDR block.
- The configure script now check whether or not errno.h declares the
errno variable. Previously, sudo would always declare errno itself
for older systems that don't declare it in errno.h.
- The NOPASSWD tag is now honored for denied commands too,
which matches historic sudo behavior (prior to sudo 1.7.0).
- Sudo now honors the DEREF
setting in ldap.conf which controls how alias dereferencing is done
during an LDAP search.
- A symbol conflict with the
pam_ssh_agent_auth PAM module that would cause a crash been
resolved.
- The inability to load a group provider plugin is no
longer a fatal error.
- A potential crash in the utmp handling
code has been fixed.
- Two PAM session issues have been resolved.
In previous versions of sudo, the PAM session was opened as one
user and closed as another. Additionally, if no authentication was
performed, the PAM session would never be closed.
OBS-URL: https://build.opensuse.org/request/show/89134
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=27
* Fixed the expansion of the %h escape in #include file names
introduced in sudo 1.7.1.
* Fixed a a bug where the negation operator in a Cmnd_List
was not being honored.
* No longer produce a parse error when #includedir references
a directory that contains no valid filenames.
* The sudo.man.pl and sudoers.man.pl files are now included
in the distribution for people who wish to regenerate the man pages.
* Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.
* When authenticating via PAM, set PAM_RUSER and PAM_RHOST early
so they can be used during authentication.
* Fix printing of entries with multiple host entries on
a single line.
* Fix use after free when sending error messages via email.
* Use setrlimit64(), if available, instead of setrlimit()
when setting AIX resource limits since rlim_t is 32bits.
* Fix size arg when realloc()ing include stack.
* Avoid a duplicate fclose() of the sudoers file.
* Fix a bug that could allow users with permission to run sudoedit
to run arbitrary commands.
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=7
