Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2025-07-02 12:07:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new.7067 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Wed Jul 2 12:07:22 2025 rev:154 rq:1289367 version:1.9.17p1 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2025-04-20 20:10:20.703100416 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.7067/sudo.changes 2025-07-02 12:07:31.241753064 +0200 
@@ -1,0 +2,56 @@ +Mon Jun 30 19:28:17 UTC 2025 - Simon Lees <sfl...@suse.de> + +- Update to 1.9.17p1 + * Fix a possible local privilege escalation via the --host option + [bsc#1245274, CVE-2025-32462] + * Fix a possible local privilege Escalation via chroot option + [bsc#1245275, CVE-2025-32463] +- Update to 1.9.17 + * Sudo now uses the NODEV macro consistently. Bug #1074. + Fixed a bug where the ALL command in a sudoers rule would + override a previous NOSETENV tag. Command tags are inherited from + previous Cmnds in a Cmnd_Spec_List. There is a special case for + the SETENV tag with the ALL command, where SETENV is implied if + no explicit SETENV or NOSETENV tag is specified. This special + case did not take into account that a NOSETENV tag that was inherited + should override this behavior. + * If sudo is run via ssh without a terminal and a password is required, + it now suggest using ssh’s -t option. + * Fixed the display of timeout values in the sudo -V output on systems + without a C99-compliant snprintf() function. + * Quieted a number of minor Coverity warnings. + * Fixed a problem running sudo from a serial console on Linux when the + command is run in a pseudo-terminal (the default). + * Fixed a crash in sudo which could occur if there was a fatal error + after the user was validated but before the command was actually run. + * Fixed a number of man page style warnings. The “lint” make target in + the docs directory will now run groff with warnings enabled if it is + available. Bug #1075. + * The ignore_dot sudoers setting is now on by default. There is now a + --disable-ignore-dot configure option to disable it. The + --with-ignore-dot configure option has been deprecated. + * Fixed a problem with the pwfeedback option where an initial backspace + would reduce the maximum length allowed for the password. + GitHub issue #439. + * Fixed minor grammar and spelling problems in the man pages. 
+ * Fixed a bug where a user could avoid entering a password for sudo -l + command if they specified their own user or group name via the -u or + -g options. + * Avoid potential password guessing based on timing attacks on the + strcmp() function on systems without PAM or a crypt() function where + plaintext passwords are stored in the shadow password file. + * Fixed a potential information leak where sudo -l command could be used + to determine whether an executable exists in a directory that they do + not have search access to. + * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. + A long time ago sudo changed from using TCSAFLUSH to TCSADRAIN due + to some systems having bugs related to TCSAFLUSH. That should no longer + be a concern. Using TCSAFLUSH ensures that password input that has been + received by the kernel, but not yet read by sudo, will be discarded and + not echoed. + * Added the SUDO_TTY environment variable if the user has a terminal. + This can be used to find the user’s original tty device when sudo runs + the command in its own pseudo-terminal. GitHub issue #447. + * New Cantonese translation for sudo. + +------------------------------------------------------------------- Old: ---- sudo-1.9.16p2.tar.gz sudo-1.9.16p2.tar.gz.sig New: ---- sudo-1.9.17p1.tar.gz sudo-1.9.17p1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.SNgZQ0/_old 2025-07-02 12:07:33.889863710 +0200 +++ /var/tmp/diff_new_pack.SNgZQ0/_new 2025-07-02 12:07:33.913864713 +0200 
@@ -25,7 +25,7 @@ %endif Name: sudo -Version: 1.9.16p2 +Version: 1.9.17p1 Release: 0 Summary: Execute some commands as root License: ISC ++++++ sudo-1.9.16p2.tar.gz -> sudo-1.9.17p1.tar.gz ++++++ ++++ 157442 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.SNgZQ0/_old 2025-07-02 12:07:35.721940259 +0200 +++ /var/tmp/diff_new_pack.SNgZQ0/_new 2025-07-02 12:07:35.725940427 +0200 @@ -1,7 +1,7 @@ -Index: sudo-1.9.16p2/plugins/sudoers/sudoers.in +Index: sudo-1.9.17p1/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.9.16p2.orig/plugins/sudoers/sudoers.in -+++ sudo-1.9.16p2/plugins/sudoers/sudoers.in +--- sudo-1.9.17p1.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.17p1/plugins/sudoers/sudoers.in @@ -50,29 +50,23 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT ## arbitrary commands under sudo. @secure_path_config@Defaults secure_path="@secure_path@" @@ -75,7 +75,7 @@ # %wheel ALL=(ALL:ALL) NOPASSWD: ALL -## Uncomment to allow members of group sudo to execute any command --# %sudo ALL=(ALL:ALL) ALL +-# %sudo ALL=(ALL:ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default).
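Review bot: In the sudo.changes hunk, the first 1.9.17 bullet runs two unrelated items together: "Fixed a bug where the ALL command in a sudoers rule would override a previous NOSETENV tag" follows "Bug #1074." without its own "*" marker, so the NOSETENV fix reads as part of the NODEV entry; give it a separate bullet. In the 1.9.17p1 entry, "local privilege Escalation via chroot option" should match the casing and article of the line above it ("local privilege escalation via the chroot option"), and in the 1.9.17 entry "it now suggest using ssh's -t option" should read "it now suggests".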
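Review bot: sudo-sudoers.patch still begins directly at its "Index:" line (the refreshed hunk is "@@ -1,7 +1,7 @@" and its first line is the Index line), so the patch carries no header explaining why the packaged default sudoers differs from upstream. Since it removes the commented "%sudo ALL=(ALL:ALL) ALL" example and the "allow any user to run sudo if they know the password of the user they are running the command as" comment block, add a short description of the intended default policy at the top of the patch. In the "@@ -75,7 +75,7 @@" hunk the only changed line is "# %sudo ALL=(ALL:ALL) ALL", whose old and new forms look identical as shown here, so the change is presumably whitespace only; confirm the refreshed patch applies to the 1.9.17p1 sudoers.in without fuzz.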