Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at 2025-04-16 20:38:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sudo (Old) and /work/SRC/openSUSE:Factory/.sudo.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Wed Apr 16 20:38:12 2025 rev:153 rq:1269784 version:1.9.16p2 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2024-08-05 17:21:56.236751540 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.30101/sudo.changes 2025-04-20 20:10:20.703100416 +0200 @@ -1,0 +2,82 @@ +Wed Apr 16 07:05:52 UTC 2025 - Simon Lees <[email protected]> + +- Update to 1.9.16p2: +* Sudo now passes the terminal device number to the policy plugin + even if it cannot resolve it to a path name. This allows sudo to + run without warnings in a chroot jail when the terminal device + files are not present. GitHub issue #421. +* On Linux systems, sudo will now attempt to use the symbolic links + in /proc/self/fd/{0,1,2} when resolving the terminal device number. + This can allow sudo to map a terminal device to its path name even + when /dev/pts is not mounted in a chroot jail. +* Fixed compilation errors with gcc and clang in C23 mode. C23 no + longer supports functions with unspecified arguments. GitHub issue + #420. +* Fixed the test for cross-compiling when checking for C99 snprintf(). + The changes made to the test in sudo 1.9.16 resulted in a different + problem. GitHub issue #386. +* Fixed the date used by the exit record in sudo-format log files. + This was a regression introduced in sudo 1.9.16 and only affected + file-based logs, not syslog. GitHub issue #405. +* Fixed the root cause of the âunable to find terminal name for deviceâ + message when running sudo on AIX when no terminal is present. In + sudo 1.9.16 this was turned from a debug message into a warning. + GitHub issue #408. +* When a duplicate alias is found in the sudoers file, the warning + message now includes the file and line number of the previous + definition. +* Added support for the --with-secure-path-value=no configure option + to allow packagers to ship the default sudoers file with the secure + path line commented out. +* Sudo no longer sends mail when a user runs sudo -nv or sudo -nl, + even if mail_badpass or mail_always are set. Sudo already avoids + logging to a file or syslog in this case. Bug #1072. +* Added the cmddenial_message sudoers option to provide additional + information to the user when a command is denied by the sudoers + policy. The default message is still displayed. +* The time stamp used for file-based logs is now more consistent + with the time stamp produced by syslog. GitHub issue #327. +* Sudo will now warn the user if it can detect the userâs terminal but + cannot determine the path to the terminal device. The sudoers time + stamp file will now use the terminal device number directly. + GitHub issue #329. +* The embedded copy of zlib has been updated to version 1.3.1. +* Improved error handling if generating the list of signals and signal + names fails at build time. +* Fixed a compilation issue on Linux systems without process_vm_readv(). +* Fixed cross-compilation with WolfSSL. +* Added a json_compact value for the sudoers log_format option which can + be used when logging to a file. The existing json value has been aliased + to json_pretty. In a future release, json will be an alias for + json_compact. GitHub issue #357. +* A new pam_silent sudoers option has been added which may be negated to + avoid suppressing output from PAM authentication modules. GitHub issue #216. +* Fixed several cvtsudoers JSON output problems. GitHub issues #369, #370, + #371, #373, #381. +* When sudo runs a command in a pseudo-terminal and the userâs terminal is + revoked, the pseudo-terminalâs foreground process group will now receive + SIGHUP before the terminal is revoked. This emulates the behavior of the + session leader exiting and is consistent with what happens when, + for example, an ssh session is closed. GitHub issue #367. +* Fixed make test with Python 3.12. GitHub issue #374. +* In schema.ActiveDirectory, fixed the quoting in the example command. + GitHub issue #376. +* Paths specified via a Chdir_Spec or Chroot_Spec in sudoers may now + be double-quoted. +* Sudo insults are now included by default, but disabled unless the + --with-insults configure option is specified or the insults sudoers + option is enabled. +* The default sudoers file now enables the secure_path option by + default and preserves the EDITOR, VISUAL, and SUDO_EDITOR environment + variables when running visudo. The new --with-secure-path-value + configure option can be used to set the value of secure_path in + the default sudoers file. GitHub issue #387. +* A sudoers schema for IBM Directory Server (aka IBM Tivoli Directory + Server, IBM Security Directory Server, and IBM Security Verify + Directory) is now included. +* When cross-compiling sudo, the configure script now assumes that + the snprintf() function is C99-compliant if the C compiler + supports the C99 standard. Previously, configure would use sudoâs + own snprintf() when cross-compiling. GitHub issue #386. + +------------------------------------------------------------------- Old: ---- sudo-1.9.15p5.tar.gz sudo-1.9.15p5.tar.gz.sig New: ---- sudo-1.9.16p2.tar.gz sudo-1.9.16p2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.yFbvQ9/_old 2025-04-20 20:10:21.391129189 +0200 +++ /var/tmp/diff_new_pack.yFbvQ9/_new 2025-04-20 20:10:21.391129189 +0200 @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ %endif Name: sudo -Version: 1.9.15p5 +Version: 1.9.16p2 Release: 0 Summary: Execute some commands as root License: ISC ++++++ sudo-1.9.15p5.tar.gz -> sudo-1.9.16p2.tar.gz ++++++ ++++ 83012 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.yFbvQ9/_old 2025-04-20 20:10:22.195162813 +0200 +++ /var/tmp/diff_new_pack.yFbvQ9/_new 2025-04-20 20:10:22.199162980 +0200 @@ -1,10 +1,10 @@ -Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in +Index: sudo-1.9.16p2/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in -+++ sudo-1.9.15p2/plugins/sudoers/sudoers.in -@@ -41,32 +41,23 @@ - ## - ## Defaults specification +--- sudo-1.9.16p2.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.16p2/plugins/sudoers/sudoers.in +@@ -50,29 +50,23 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT + ## arbitrary commands under sudo. + @secure_path_config@Defaults secure_path="@secure_path@" ## -## You may wish to keep some of the following environment variables -## when running commands via sudo. @@ -29,9 +29,6 @@ -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. -# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" --## --## Uncomment to use a hard-coded PATH instead of the user's to find commands --# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home @@ -50,9 +47,9 @@ +## Use this PATH instead of the user's to find commands. +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" ## - ## Uncomment to restore the historic behavior where a command is run in - ## the user's own terminal. -@@ -81,7 +72,6 @@ + ## Uncomment to disable "use_pty" when running commands as root. + ## Commands run as non-root users will run in a pseudo-terminal, +@@ -94,7 +88,6 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output @@ -60,9 +57,9 @@ # Defaults!REBOOT !log_output # Defaults maxseq = 1000 ## -@@ -95,6 +85,12 @@ - ## slower by these options and also can clutter up the logs. - # Defaults!PKGMAN !intercept, !log_subcmds +@@ -112,6 +105,12 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT + ## modules such as pam_faillock will not be printed. + # Defaults !pam_silent +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly @@ -73,7 +70,7 @@ ## ## Runas alias specification ## -@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL +@@ -127,13 +126,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
