Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2017-06-04 01:48:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Sun Jun 4 01:48:57 2017 rev:87 rq:500408 version:1.8.20p2 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2017-05-31 21:26:19.337799096 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes 2017-06-04 01:49:11.146421860 +0200 
@@ -1,0 +2,87 @@ +Thu Jun 1 07:04:16 UTC 2017 - mich...@stroeder.com + +- update to 1.8.20p2 which obsoletes patches: + * sudo-1.8.19p2-CVE-2017-1000367.patch + * sudo-1.8.19p2-decrement_env_len.patch + * sudo-1.8.19p2-dont_overwrite_ret_val.patch + +Major changes between sudo 1.8.20p2 and 1.8.20p1: + + * Fixed a bug parsing /proc/pid/stat on Linux when the process + name contains newlines. This is not exploitable due to the /dev + traversal changes in sudo 1.8.20p1. + +Major changes between sudo 1.8.20p1 and 1.8.20: + + * Fixed "make check" when using OpenSSL or GNU crypt. + Bug #787. + * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux + when the process name contains spaces. Since the user has control + over the command name, this could potentially be used by a user + with sudo access to overwrite an arbitrary file on systems with + SELinux enabled. Also stop performing a breadth-first traversal + of /dev when looking for the device; only a hard-coded list of + directories are checked, + +Major changes between sudo 1.8.20 and 1.8.19p2: + + * Added support for SASL_MECH in ldap.conf. Bug #764 + * Added support for digest matching when the command is a glob-style + pattern or a directory. Previously, only explicit path matches + supported digest checks. + * New "fdexec" Defaults option to control whether a command + is executed by path or by open file descriptor. + * The embedded copy of zlib has been upgraded to version 1.2.11. + * Fixed a bug that prevented sudoers include files with a relative + path starting with the letter 'i' from being opened. Bug #776. + * Added support for command timeouts in sudoers. The command will + be terminated if the timeout expires. + * The SELinux role and type are now displayed in the "sudo -l" + output for the LDAP and SSSD backends, just as they are in the + sudoers backend. 
+ * A new command line option, -T, can be used to specify a command + timeout as long as the user-specified timeout is not longer than + the timeout specified in sudoers. This option may only be + used when the "user_command_timeouts" flag is enabled in sudoers. + * Added NOTBEFORE and NOTAFTER command options to the sudoers + backend similar to what is already available in the LDAP backend. + * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU + crypt instead of the SHA2 implementation bundled with sudo. + * Fixed a compilation error on systems without the stdbool.h header + file. Bug #778. + * Fixed a compilation error in the standalone Kerberos V authentication + module. Bug #777. + * Added the iolog_flush flag to sudoers which causes I/O log data + to be written immediately to disk instead of being buffered. + * I/O log files are now created with group ID 0 by default unless + the "iolog_user" or "iolog_group" options are set in sudoers. + * It is now possible to store I/O log files on an NFS-mounted + file system where uid 0 is remapped to an unprivileged user. + The "iolog_user" option must be set to a non-root user and the + top-level I/O log directory must exist and be owned by that user. + * Added the restricted_env_file setting to sudoers which is similar + to env_file but its contents are subject to the same restrictions + as variables in the invoking user's environment. + * Fixed a use after free bug in the SSSD backend when the fqdn + sudoOption is enabled and no hostname value is present in + /etc/sssd/sssd.conf. + * Fixed a typo that resulted in a compilation error on systems + where the killpg() function is not found by configure. + + * Fixed a compilation error with the included version of zlib + when sudo was built outside the source tree. + * Fixed the exit value of sudo when the command is terminated by + a signal other than SIGINT. This was broken in sudo 1.8.15 by + the fix for Bug #722. Bug #784. 
+ * Fixed a regression introduced in sudo 1.8.18 where the "lecture" + option could not be used in a positive boolean context, only + a negative one. + * Fixed an issue where sudo would consume stdin if it was not + connected to a tty even if log_input is not enabled in sudoers. + Bug #786. + * Clarify in the sudoers manual that the #includedir directive + diverts control to the files in the specified directory and, + when parsing of those files is complete, returns control to the + original file. Bug #775. + +------------------------------------------------------------------- Old: ---- sudo-1.8.19p2-CVE-2017-1000367.patch sudo-1.8.19p2-decrement_env_len.patch sudo-1.8.19p2-dont_overwrite_ret_val.patch sudo-1.8.19p2.tar.gz sudo-1.8.19p2.tar.gz.sig New: ---- sudo-1.8.20p2.tar.gz sudo-1.8.20p2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.DMkLKx/_old 2017-06-04 01:49:12.630212215 +0200 +++ /var/tmp/diff_new_pack.DMkLKx/_new 2017-06-04 01:49:12.630212215 +0200 @@ -17,7 +17,7 @@ Name: sudo -Version: 1.8.19p2 +Version: 1.8.20p2 Release: 0 Summary: Execute some commands as root License: ISC @@ -33,9 +33,6 @@ Patch0: sudoers2ldif-env.patch # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch1: sudo-sudoers.patch -Patch2: sudo-1.8.19p2-decrement_env_len.patch -Patch3: sudo-1.8.19p2-dont_overwrite_ret_val.patch -Patch4: sudo-1.8.19p2-CVE-2017-1000367.patch BuildRequires: audit-devel BuildRequires: cyrus-sasl-devel BuildRequires: groff @@ -77,9 +74,6 @@ %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %build %ifarch s390 s390x %sparc 
@@ -162,6 +156,7 @@ %{_mandir}/man8/visudo.8* %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers +%config %attr(0440,root,root) /etc/sudoers.dist %dir %{_sysconfdir}/sudoers.d %config %{_sysconfdir}/pam.d/sudo %attr(4755,root,root) %{_bindir}/sudo ++++++ sudo-1.8.19p2.tar.gz -> sudo-1.8.20p2.tar.gz ++++++ ++++ 72705 lines of diff (skipped)
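Review bot: The sudo.changes entry (hunk @@ -1,0 +2,87 @@) drops sudo-1.8.19p2-CVE-2017-1000367.patch as obsolete but gives no openSUSE Bugzilla reference for the CVE, so the security fix cannot be traced from the package changelog alone; add the tracking bug id next to the "obsoletes patches" list. The pasted upstream text also ends the CVE-2017-1000367 item with a dangling comma ("directories are checked,") and leaves a stray empty "+" line between the killpg() and zlib items of the 1.8.20 list. The entry also says nothing about the newly packaged /etc/sudoers.dist that the sudo.spec %files hunk introduces.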
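Review bot: In sudo.spec, hunks @@ -33,9 +33,6 @@ and @@ -77,9 +74,6 @@ remove Patch2 to Patch4 and their %patch2 to %patch4 lines, relying only on the changelog's statement that 1.8.20p2 obsoletes them. The changelog names the CVE-2017-1000367 fix explicitly, but it is not evident from the listed upstream changes which items correspond to decrement_env_len and dont_overwrite_ret_val, and the tarball diff is skipped in this mail. Confirm both fixes are present in the 1.8.20p2 source and name the matching upstream items in sudo.changes.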
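Review bot: The line added in the %files hunk (@@ -162,6 +156,7 @@) hard-codes /etc/sudoers.dist while every neighbouring entry uses %{_sysconfdir}; write it as %{_sysconfdir}/sudoers.dist. It is also tagged plain %config, unlike the %config(noreplace) on sudoers directly above, so any local edit to it is replaced on upgrade. If sudoers.dist is meant as the untouched upstream template, state that in a spec comment and in sudo.changes, and consider whether it needs to be a config file in /etc at all.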