Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2014-10-29 21:08:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2014-05-17 06:43:36.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes 2014-10-29 21:08:50.000000000 +0100 
@@ -1,0 +2,74 @@ +Sat Oct 11 02:09:17 UTC 2014 - [email protected] + +- refresh sudo-sudoers.patch +- update to 1.8.11p1 + * Fixed a compilation problem on some systems when the + --disable-shared-libutil configure option was specified. + * The user can no longer interrupt the sleep after an incorrect password on + PAM systems using pam_unix. Bug #666. + * Fixed a compilation problem on Linux systems that do not use PAM. Bug #667. + * "make install" will now work with the stock GNU autotools install-sh + script. Bug #669. + * Fixed a crash with "sudo -i" when the current working directory does not + exist. Bug #670. + * Fixed a potential crash in the debug subsystem when logging a message + larger that 1024 bytes. + * Fixed a "make check" failure for ttyname when stdin is closed and stdout + and stderr are redirected to a different tty. Bug #643. + * Added BASH_FUNC_* to environment blacklist to match newer-style bash + functions. + +- changes from 1.8.11 + * The sudoers plugin no longer uses setjmp/longjmp to recover from fatal + errors. All errors are now propagated to the caller via return codes. + * When running a command in the background, sudo will now forward SIGINFO to + the command (if supported). + * Sudo will now use the system versions of the sha2 functions from libc or + libmd if available. + * Visudo now works correctly on GNU Hurd. Bug #647. + * Fixed suspend and resume of curses programs on some system when the + command is not being run in a pseudo-terminal. Bug #649. + * Fixed a crash with LDAP-based sudoers on some systems when Kerberos was + enabled. + * Sudo now includes optional Solaris audit support. + * Catalan translation for sudoers from translationproject.org. + * Norwegian Bokmaal translation for sudo from translationproject.org. + * Greek translation for sudoers from translationproject.org + * The sudo source tree has been reorganized to more closely resemble that of + other gettext-enabled packages. 
+ * Sudo and its associated programs now link against a shared version of + libsudo_util. The --disable-shared-libutil configure option may be used to + force static linking if the --enable-static-sudoers option is also + specified. + * The passwords in ldap.conf and ldap.secret may now be encoded in base64. + * Audit updates. SELinux role changes are now audited. For sudoedit, we now + audit the actual editor being run, instead of just the sudoedit command. + * Fixed bugs in the man page post-processing that could cause portions of the + manuals to be removed. + * Fixed a crash in the system_group plugin. Bug #653. + * Fixed sudoedit on platforms without a native version of the getprogname() + function. Bug #654. + * Fixed compilation problems with some pre-C99 compilers. + * Fixed sudo's -C option which was broken in version 1.8.9. + * It is now possible to match an environment variable's value as well as its + name using env_keep and env_check. This can be used to preserve bash + functions which would otherwise be removed from the environment. + * New files created via sudoedit as a non-root user now have the proper + group id. Bug #656. + * Sudoedit now works correctly in conjunction with sudo's SELinux RBAC + support. Temporary files are now created with the proper security context. + * The sudo I/O logging plugin API has been updated. If a logging function + returns an error, the command will be terminated and all of the plugin's + logging functions will be disabled. If a logging function rejects the + command's output it will no longer be displayed to the user's terminal. + * Fixed a compilation error on systems that lack openpty(), _getpty() and + grantpt(). Bug #660. + * Fixed a hang when a sudoers source is listed more than once in a single + sudoers nsswitch.conf entry. + * On AIX, shell scripts without a #! magic number are now passed to + /usr/bin/sh, not /usr/bin/bsh. 
This is consistent with what the execvp() + function on AIX does and matches historic sudo behavior. Bug #661. + * Fixed a cross-compilation problem building mksiglist and mksigname. + Bug #662. + +------------------------------------------------------------------- Old: ---- sudo-1.8.10p3.tar.gz New: ---- sudo-1.8.11p1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.qaxOMH/_old 2014-10-29 21:08:51.000000000 +0100 +++ /var/tmp/diff_new_pack.qaxOMH/_new 2014-10-29 21:08:51.000000000 +0100 @@ -17,7 +17,7 @@ Name: sudo -Version: 1.8.10p3 +Version: 1.8.11p1 Release: 0 Summary: Execute some commands as root License: ISC @@ -53,6 +53,7 @@ %package devel Summary: Header files needed for sudo plugin development Group: Development/Libraries/C and C++ +Requires: %{name} = %{version} %description devel These header files are needed for building of sudo plugins. @@ -103,7 +104,7 @@ make %{?_smp_mflags} %install -%make_install +%make_install install_uid=`id -u` install_gid=`id -g` install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sudo mv %{buildroot}%{_docdir}/%{name}/sudoers2ldif %{buildroot}%{_sbindir} @@ -115,7 +116,7 @@ rm -f %{buildroot}%{_docdir}/%{name}/sample.pam rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP -rm -f %{buildroot}%{_libexecdir}/%{name}/sudoers.la + %find_lang %{name} %find_lang sudoers cat sudoers.lang >> %{name}.lang 
@@ -140,7 +141,14 @@ %files -f %{name}.lang %defattr(-,root,root) %doc %{_docdir}/%{name} -%doc %{_mandir}/man?/* +%doc %{_mandir}/man5/sudoers.5* +%doc %{_mandir}/man5/sudo.conf.5* +%doc %{_mandir}/man5/sudoers.ldap.5* +%doc %{_mandir}/man8/sudo.8* +%doc %{_mandir}/man8/sudoedit.8* +%doc %{_mandir}/man8/sudoreplay.8* +%doc %{_mandir}/man8/visudo.8* + %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers %dir %{_sysconfdir}/sudoers.d %config %{_sysconfdir}/pam.d/sudo @@ -152,12 +160,22 @@ %{_bindir}/sudoreplay %{_sbindir}/visudo %attr(0755,root,root) %{_sbindir}/sudoers2ldif -%{_libexecdir}/sudo -%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/sudo +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/sesh +%{_libexecdir}/%{name}/sudo_noexec.so +%{_libexecdir}/%{name}/sudoers.so +%{_libexecdir}/%{name}/group_file.so +%{_libexecdir}/%{name}/system_group.so +%{_libexecdir}/%{name}/libsudo_util.so.* +%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name} %files devel %defattr(-,root,root) +%doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h +%{_mandir}/man8/sudo_plugin.8* +%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so +%{_libexecdir}/%{name}/*.la %files test %defattr(-,root, root) ++++++ sudo-1.8.10p3.tar.gz -> sudo-1.8.11p1.tar.gz ++++++ ++++ 150900 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.qaxOMH/_old 2014-10-29 21:08:52.000000000 +0100 +++ /var/tmp/diff_new_pack.qaxOMH/_new 2014-10-29 21:08:52.000000000 +0100 
@@ -1,8 +1,6 @@ -Index: sudo-1.8.9p3/plugins/sudoers/sudoers.in -=================================================================== ---- sudo-1.8.9p3.orig/plugins/sudoers/sudoers.in 2014-01-07 19:08:50.000000000 +0100 -+++ sudo-1.8.9p3/plugins/sudoers/sudoers.in 2014-01-14 12:06:45.178813991 +0100 -@@ -31,37 +31,38 @@ +--- plugins/sudoers/sudoers.in 2014-09-23 12:40:15.000000000 -0400 ++++ sudo-1.8.11p1/plugins/sudoers/sudoers.in 2014-10-10 20:52:15.870635442 -0400 +@@ -32,37 +32,36 @@ ## ## Defaults specification ## @@ -29,6 +27,7 @@ -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. -# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +-## +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home 
@@ -36,36 +35,34 @@ +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" +Defaults env_reset +## Change env_reset to !env_reset in previous line to keep all environment variables -+## Following list will no longer be necessary after this change -+ -+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" ++## Following list will no longer be nevessary after this change ++Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +## Comment out the preceding line and uncomment the following one if you need -+## to use special input methods. This may allow users to compromise the root ++## to use special input methods. This may allow users to compromise the root +## account if they are allowed to run commands without authentication. -+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ++#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" + +## Do not insult users when they enter an incorrect password. +Defaults !insults + - ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. 
# Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output - # Defaults!/sbin/reboot !log_output + # Defaults!REBOOT !log_output +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root -+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! ++ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + ## ## Runas alias specification ## -@@ -77,14 +78,6 @@ root ALL=(ALL) ALL +@@ -78,14 +77,6 @@ ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL @@ -80,11 +77,9 @@ ## Read drop-in files from @sysconfdir@/sudoers.d ## (the '#' here does not indicate a comment) #includedir @sysconfdir@/sudoers.d -Index: sudo-1.8.9p3/doc/sudoers.mdoc.in -=================================================================== ---- sudo-1.8.9p3.orig/doc/sudoers.mdoc.in 2014-01-07 19:08:50.000000000 +0100 -+++ sudo-1.8.9p3/doc/sudoers.mdoc.in 2014-01-14 11:46:33.718336561 +0100 -@@ -1609,7 +1609,7 @@ is present in the +--- doc/sudoers.mdoc.in 2014-09-23 12:40:15.000000000 -0400 ++++ sudo-1.8.11p1/doc/sudoers.mdoc.in 2014-10-10 20:56:18.439618855 -0400 +@@ -1661,7 +1661,7 @@ .Em env_keep list. This flag is @@ -93,7 +88,7 @@ by default. .It authenticate If set, users must authenticate themselves via a password (or other -@@ -1910,7 +1910,7 @@ If set, +@@ -1975,7 +1975,7 @@ .Nm sudo will insult users when they enter an incorrect password. This flag is 
@@ -102,7 +97,7 @@ by default. .It log_host If set, the host name will be logged in the (non-syslog) -@@ -2363,7 +2363,7 @@ database as an argument to the +@@ -2436,7 +2436,7 @@ .Fl u option. This flag is
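Review bot: The new sudo.changes entry (hunk @@ -1,0 +2,74 @@) records only "refresh sudo-sudoers.patch" and "update to 1.8.11p1", while the sudo.spec changes in the same commit go unmentioned: the added "Requires: %{name} = %{version}" on the devel subpackage, the install_uid/install_gid override on %make_install, and the libtool archives and plugins/sample/sample_plugin.c now shipped in the devel package. Please add a line for each packaging change so it can be traced from the changelog.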
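Review bot: Missing rationale in the sudo.spec %install hunk (@@ -103,7 +104,7 @@): "%make_install install_uid=`id -u` install_gid=`id -g`" overrides the install owner and group with no comment saying why it is needed. With this override the files land in the buildroot owned by the build user, so ownership in the final package rests entirely on the %defattr(-,root,root) and %attr lines in %files; a short spec comment stating that would help the next maintainer. As a style point, $(id -u) and $(id -g) are easier to read than backticks.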
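Review bot: The %files devel list in sudo.spec (hunk @@ -152,12 +160,22 @@) now packages "%{_libexecdir}/%{name}/*.la", and the @@ -115,7 +116,7 @@ hunk drops "rm -f %{buildroot}%{_libexecdir}/%{name}/sudoers.la", so the plugins' libtool archives go from being deleted to being shipped. If nothing consumes them, keep removing them in %install rather than listing them. In the same list, "%{_mandir}/man8/sudo_plugin.8*" is added without the %doc tag that every man page entry in the main package's %files carries; make the two consistent.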
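Review bot: The refreshed sudo-sudoers.patch turns LC_TIME into LC_ATIME in both env_keep lines it adds to plugins/sudoers/sudoers.in (hunk @@ -36,36 +35,34 @@). LC_ATIME is not a locale category, so with env_reset active LC_TIME is no longer preserved; restore LC_TIME in both lines. The commented-out alternative also lost "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER", which leaves it identical to the active env_keep line, so following the "special input methods" instruction above it changes nothing. The comment before the list now reads "nevessary" where the previous patch had "necessary".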
