- update to 1.8.5
Some of the changes:
* /etc/environment is no longer read directly on Linux systems when
PAM is used. Sudo now merges the PAM environment into the user's
environment which is typically set by the pam_env module.
* The plugin API has been extended
* The policy plugin's init_session function is now called by the
parent sudo process, not the child process that executes the command
This allows the PAM session to be open and closed in the same process,
which some PAM modules require.
* A new group provider plugin, system_group, is included
* Fixed a potential security issue in the matching of hosts against
an IPv4 network specified in sudoers.The flaw may allow a user who
is authorized to run commands on hosts belonging to one IPv4
network to run commands on a different host (CVE-2012-2337) (forwarded request 121223 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/121250
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=47
- update to 1.8.5
Some of the changes:
* /etc/environment is no longer read directly on Linux systems when
PAM is used. Sudo now merges the PAM environment into the user's
environment which is typically set by the pam_env module.
* The plugin API has been extended
* The policy plugin's init_session function is now called by the
parent sudo process, not the child process that executes the command
This allows the PAM session to be open and closed in the same process,
which some PAM modules require.
* A new group provider plugin, system_group, is included
* Fixed a potential security issue in the matching of hosts against
an IPv4 network specified in sudoers.The flaw may allow a user who
is authorized to run commands on hosts belonging to one IPv4
network to run commands on a different host (CVE-2012-2337)
OBS-URL: https://build.opensuse.org/request/show/121223
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=41
- update to 1.8.4p2
Some of the changes:
* The -D flag in sudo has been replaced with a more general
debugging framework that is configured in sudo.conf.
* Fixed a crash with sudo -i when a runas group was specified
without a runas user.
* New Serbian and Spanish translations for sudo from translationproject.org.
LDAP-based sudoers may now access by group ID in addition to group name.
* visudo will now fix the mode on the sudoers file even if no
changes are made unless the -f option is specified.
* On systems that use login.conf, sudo -i now sets environment
variables based on login.conf
* values in the LDAP search expression are now escaped as per RFC 4515
* The deprecated "noexec_file" sudoers option is no longer supported.
* Fixed a race condition when I/O logging is not enabled that could
result in tty-generated signals (e.g. control-C) being received
by the command twice.
* visudo -c will now list any include files that were checked in
addition to the main sudoers file when everything parses OK.
* Users that only have read-only access to the sudoers file may
now run visudo -c. Previously, write permissions were required
even though no writing is down in check-only mode.
OBS-URL: https://build.opensuse.org/request/show/108650
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=46
- update to 1.8.4p2
Some of the changes:
* The -D flag in sudo has been replaced with a more general
debugging framework that is configured in sudo.conf.
* Fixed a crash with sudo -i when a runas group was specified
without a runas user.
* New Serbian and Spanish translations for sudo from translationproject.org.
LDAP-based sudoers may now access by group ID in addition to group name.
* visudo will now fix the mode on the sudoers file even if no
changes are made unless the -f option is specified.
* On systems that use login.conf, sudo -i now sets environment
variables based on login.conf
* values in the LDAP search expression are now escaped as per RFC 4515
* The deprecated "noexec_file" sudoers option is no longer supported.
* Fixed a race condition when I/O logging is not enabled that could
result in tty-generated signals (e.g. control-C) being received
by the command twice.
* visudo -c will now list any include files that were checked in
addition to the main sudoers file when everything parses OK.
* Users that only have read-only access to the sudoers file may
now run visudo -c. Previously, write permissions were required
even though no writing is down in check-only mode.
OBS-URL: https://build.opensuse.org/request/show/108646
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=39
- update to sudo-1.8.3
- Fixed expansion of strftime() escape sequences
in the log_dir sudoers setting.
- Esperanto, Italian and Japanese
translations from translationproject.org.
- Added --enable-werror configure option for gcc's
-Werror flag. - Visudo no longer
assumes all editors support the +linenumber command line argument.
It now uses a whitelist of editors known to support the option.
- Fixed matching of network addresses when a netmask is specified but
the address is not the first one in the CIDR block.
- The configure script now check whether or not errno.h declares the
errno variable. Previously, sudo would always declare errno itself
for older systems that don't declare it in errno.h.
- The NOPASSWD tag is now honored for denied commands too,
which matches historic sudo behavior (prior to sudo 1.7.0).
- Sudo now honors the DEREF
setting in ldap.conf which controls how alias dereferencing is done
during an LDAP search.
- A symbol conflict with the
pam_ssh_agent_auth PAM module that would cause a crash been
resolved.
- The inability to load a group provider plugin is no
longer a fatal error.
- A potential crash in the utmp handling
code has been fixed.
- Two PAM session issues have been resolved.
In previous versions of sudo, the PAM session was opened as one
user and closed as another. Additionally, if no authentication was
performed, the PAM session would never be closed.
OBS-URL: https://build.opensuse.org/request/show/89911
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=41
- update to sudo-1.8.3
- Fixed expansion of strftime() escape sequences
in the log_dir sudoers setting.
- Esperanto, Italian and Japanese
translations from translationproject.org.
- Added --enable-werror configure option for gcc's
-Werror flag. - Visudo no longer
assumes all editors support the +linenumber command line argument.
It now uses a whitelist of editors known to support the option.
- Fixed matching of network addresses when a netmask is specified but
the address is not the first one in the CIDR block.
- The configure script now check whether or not errno.h declares the
errno variable. Previously, sudo would always declare errno itself
for older systems that don't declare it in errno.h.
- The NOPASSWD tag is now honored for denied commands too,
which matches historic sudo behavior (prior to sudo 1.7.0).
- Sudo now honors the DEREF
setting in ldap.conf which controls how alias dereferencing is done
during an LDAP search.
- A symbol conflict with the
pam_ssh_agent_auth PAM module that would cause a crash been
resolved.
- The inability to load a group provider plugin is no
longer a fatal error.
- A potential crash in the utmp handling
code has been fixed.
- Two PAM session issues have been resolved.
In previous versions of sudo, the PAM session was opened as one
user and closed as another. Additionally, if no authentication was
performed, the PAM session would never be closed.
OBS-URL: https://build.opensuse.org/request/show/89134
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=27
- updated to sudo-1.8.2
* Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
language support (NLS). This can be disabled by passing configure
the --disable-nls option. Sudo will use gettext(), if available,
to display translated messages. All translations are coordinated
via The Translation Project, http://translationproject.org/.
* Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
RTLD_LOCAL. This fixes missing symbol problems in PAM modules
on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
* I/O logging is now supported for commands run in background mode
(using sudo's -b flag).
* Group ownership of the sudoers file is now only enforced when
the file mode on sudoers allows group readability or writability.
* Visudo now checks the contents of an alias and warns about cycles
when the alias is expanded.
* If the user specifes a group via sudo's -g option that matches
the target user's group in the password database, it is now
allowed even if no groups are present in the Runas_Spec.
* The sudo Makefiles now have more complete dependencies which are
automatically generated instead of being maintained manually.
* The "use_pty" sudoers option is now correctly passed back to the
sudo front end. This was missing in previous versions of sudo
1.8 which prevented "use_pty" from being honored.
* "sudo -i command" now works correctly with the bash version
2.0 and higher. Previously, the .bash_profile would not be
sourced prior to running the command unless bash was built with
NON_INTERACTIVE_LOGIN_SHELLS defined.
* When matching groups in the sudoers file, sudo will now match
based on the name of the group instead of the group ID. This can
substantially reduce the number of group lookups for sudoers
OBS-URL: https://build.opensuse.org/request/show/87713
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=39
* Fixed the expansion of the %h escape in #include file names
introduced in sudo 1.7.1.
* Fixed a a bug where the negation operator in a Cmnd_List
was not being honored.
* No longer produce a parse error when #includedir references
a directory that contains no valid filenames.
* The sudo.man.pl and sudoers.man.pl files are now included
in the distribution for people who wish to regenerate the man pages.
* Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.
* When authenticating via PAM, set PAM_RUSER and PAM_RHOST early
so they can be used during authentication.
* Fix printing of entries with multiple host entries on
a single line.
* Fix use after free when sending error messages via email.
* Use setrlimit64(), if available, instead of setrlimit()
when setting AIX resource limits since rlim_t is 32bits.
* Fix size arg when realloc()ing include stack.
* Avoid a duplicate fclose() of the sudoers file.
* Fix a bug that could allow users with permission to run sudoedit
to run arbitrary commands.
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=7
