Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2023-07-25 11:22:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new.1467 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Tue Jul 25 11:22:45 2023 rev:147 rq:1100258 version:1.9.14p1 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2023-04-08 17:39:26.662177032 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.1467/sudo.changes 2023-07-25 11:22:46.707520961 +0200 
@@ -1,0 +2,83 @@ +Wed Jul 12 09:27:18 UTC 2023 - Paolo Stivanin <[email protected]> + +- Update to 1.9.14p1: + * Fixed an invalid free bug in sudo_logsrvd that was introduced + in version 1.9.14 which could cause sudo_logsrvd to crash. + * The sudoers plugin no longer tries to send the terminal name + to the log server when no terminal is present. This bug was + introduced in version 1.9.14. + * Fixed a bug where if the "intercept" or "log_subcmds" sudoers + option was enabled and a sub-command was run where the first + entry of the argument vector didn't match the command being run. + This resulted in commands like "sudo su -" being killed due to + the mismatch. Bug #1050. + * The sudoers plugin now canonicalizes command path names before + matching (where possible). This fixes a bug where sudo could + execute the wrong path if there are multiple symbolic links with + the same target and the same base name in sudoers that a user is + allowed to run. GitHub issue #228. + * Improved command matching when a chroot is specified in sudoers. + The sudoers plugin will now change the root directory id needed + before performing command matching. Previously, the root directory + was simply prepended to the path that was being processed. + * When NETGROUP_BASE is set in the ldap.conf file, sudo will now + perform its own netgroup lookups of the host name instead of + using the system innetgr(3) function. This guarantees that user + and host netgroup lookups are performed using the same LDAP + server (or servers). + * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing + " ; " separator between environment variables and the command + in log entries. + * The visudo utility now displays a warning when it ignores a file + in an include dir such as /etc/sudoers.d. + * When running a command in a pseudo-terminal, sudo will initialize + the terminal settings even if it is the background process. 
+ Previously, sudo only initialized the pseudo-terminal when running + in the foreground. This fixes an issue where a program that + checks the window size would read the wrong value when sudo was + running in the background. + * Fixed a bug where only the first two digits of the TSID field + being was logged. Bug #1046. + * The "log_pty" sudoers option is now enabled by default. To + restore the historic behavior where a command is run in the + user's terminal, add "Defaults !use_pty" to the sudoers file. + GitHub issue #258. + * Sudo's "-b" option now works when the command is run in a + pseudo-terminal. + * When disabling core dumps, sudo now only modifies the soft limit + and leaves the hard limit as-is. This avoids problems on Linux + when sudo does not have CAP_SYS_RESOURCE, which may be the case + when run inside a container. GitHub issue #42. + * Sudo configuration file paths have been converted to colon-separated + lists of paths. This makes it possible to have configuration + files on a read-only file system while still allowing for local + modifications in a different (writable) directory. The new + --enable-adminconf configure option can be used to specify a + directory that is searched for configuration files in preference + to the sysconfdir (which is usually /etc). + * The "intercept_verify" sudoers option is now only applied when + the "intercept" option is set in sudoers. Previously, it was + also applied when "log_subcmds" was enabled. + * The NETGROUP_QUERY ldap.conf parameter can now be disabled for + LDAP servers that do not support querying the nisNetgroup object + by its nisNetgroupTriple attribute, while still allowing sudo to + query the LDAP server directly to determine netgroup membership. + * Fixed a long-standing bug where a sudoers rule without an explicit + runas list allowed the user to run a command as root and any + group instead of just one of the groups that root is a member + of. 
For example, a rule such as "myuser ALL = ALL" would permit + "sudo -u root -g othergroup" even if root did not belong to + "othergroup". + * Fixed a bug where a sudoers rule with an explicit runas list + allowed a user to run sudo commands as themselves. For example, + a rule such as "myuser ALL = (root) ALL", "myuser" should only + allow commands to be run as root (optionally using one of root's + groups). However, the rule also allowed the user to run + "sudo -u myuser -g myuser command". + * Fixed a bug that prevented the user from specifying a group on + the command line via "sudo -g" if the rule's Runas_Spec contained + a Runas_Alias. + * Sudo now requires a C compiler that conforms to ISO C99 or higher + to build. + +------------------------------------------------------------------- Old: ---- sudo-1.9.13p3.tar.gz sudo-1.9.13p3.tar.gz.sig New: ---- sudo-1.9.14p1.tar.gz sudo-1.9.14p1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.IQL64I/_old 2023-07-25 11:22:48.195529639 +0200 +++ /var/tmp/diff_new_pack.IQL64I/_new 2023-07-25 11:22:48.199529662 +0200 @@ -17,7 +17,7 @@ Name: sudo -Version: 1.9.13p3 +Version: 1.9.14p1 Release: 0 Summary: Execute some commands as root License: ISC ++++++ sudo-1.9.13p3.tar.gz -> sudo-1.9.14p1.tar.gz ++++++ ++++ 79728 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.IQL64I/_old 2023-07-25 11:22:48.971534165 +0200 +++ /var/tmp/diff_new_pack.IQL64I/_new 2023-07-25 11:22:48.975534188 +0200 
@@ -1,7 +1,7 @@ -diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in -index 5efda5d..e757da4 100644 ---- a/plugins/sudoers/sudoers.in -+++ b/plugins/sudoers/sudoers.in +Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in +=================================================================== +--- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.14p1/plugins/sudoers/sudoers.in @@ -32,32 +32,23 @@ ## ## Defaults specification @@ -50,9 +50,9 @@ +## Use this PATH instead of the user's to find commands. +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" ## - ## Uncomment to send mail if the user does not enter the correct password. - # Defaults mail_badpass -@@ -68,10 +59,16 @@ + ## Uncomment to restore the historic behavior where a command is run in + ## the user's own terminal. +@@ -72,10 +63,16 @@ ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output @@ -70,7 +70,7 @@ ## ## Runas alias specification ## -@@ -87,13 +84,5 @@ root ALL=(ALL:ALL) ALL +@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
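Review bot: In the sudo.changes hunk, the bullet 'The "log_pty" sudoers option is now enabled by default' names a different option from the one its own restore instruction uses, 'add "Defaults !use_pty" to the sudoers file'. The behaviour described (running the command in a pseudo-terminal instead of the user's terminal) is what the restore line toggles, so the bullet should name "use_pty" as well; as written, an administrator searching their sudoers for the option named in the changelog will not find the setting that actually changed. Two smaller typos in the same entry are worth fixing in the same pass: "change the root directory id needed" (should read "if needed") and "TSID field being was logged".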
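Review bot: In the first hunk of the sudo-sudoers.patch refresh, the new header lines '--- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in' and '+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in' embed the upstream version in the path, where the old 'a/plugins/sudoers/sudoers.in' and 'b/plugins/sudoers/sudoers.in' form did not. That makes the patch file change on every version bump even when its content is identical, which adds noise to the review of a security-sensitive default sudoers file. Refreshing with 'quilt refresh -p ab --no-index' keeps version-neutral a/ and b/ prefixes so that later diffs of this patch show only real changes, such as the shifted context around the secure_path line in the following hunk.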
