Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2022-02-03 23:15:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new.1898 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Thu Feb 3 23:15:48 2022 rev:127 rq:950730 version:1.9.9 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2021-12-08 22:08:32.562850950 +0100 +++ /work/SRC/openSUSE:Factory/.sudo.new.1898/sudo.changes 2022-02-03 23:16:05.232776293 +0100 
@@ -1,0 +2,95 @@ +Tue Feb 1 02:27:04 UTC 2022 - Simon Lees <simonf.l...@suse.com> + +- Update to 1.9.9 + * Sudo can now be built with OpenSSL 3.0 without generating + warnings about deprecated OpenSSL APIs. + * A digest can now be specified along with the ALL command in + the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for + this in the sudoers file but did not include corresponding + changes for the other back-ends. + * visudo now only warns about an undefined alias or a cycle in + an alias once for each alias. + * The sudoRole cn was truncated by a single character in warning + messages. GitHub issue #115. + * The cvtsudoers utility has new --group-file and --passwd-file + options to use a custom passwd or group file when the + --match-local option is also used. + * The cvtsudoers utility can now filter or match based on a command. + * The cvtsudoers utility can now produce output in csv + (comma-separated value) format. This can be used to help generate + entitlement reports. + * Fixed a bug in sudo_logsrvd that could result in the connection + being dropped for very long command lines. + * Fixed a bug where sudo_logsrvd would not accept a restore point + of zero. + * Fixed a bug in visudo where the value of the editor setting was + not used if it did not match the user???s EDITOR environment + variable. This was only a problem if the env_editor setting was + not enabled. Bug #1000. + * Sudo now builds with the -fcf-protection compiler option and the + -z now linker option if supported. + * The output of sudoreplay -l now more closely matches the + traditional sudo log format. + * The sudo_sendlog utility will now use the full contents of the + log.json file, if present. This makes it possible to send + sudo-format I/O logs that use the newer log.json format to + sudo_logsrvd without losing any information. + * Fixed compilation of the arc4random_buf() replacement on systems + with arc4random() but no arc4random_buf(). Bug #1008. 
+ * Sudo now uses its own getentropy() by default on Linux. The GNU + libc version of getentropy() will fail on older kernels that + don???t support the getrandom() system call. + * It is now possible to build sudo with WolfSSL???s OpenSSL + compatibility layer by using the --enable-wolfssl configure + option. + * Fixed a bug related to Daylight Saving Time when parsing + timestamps in Generalized Time format. This affected the NOTBEFORE + and NOTAFTER options in sudoers. Bug #1006. + * Added the -O and -P options to visudo, which can be used to check + or set the owner and permissions. This can be used in conjunction + with the -c option to check that the sudoers file ownership and + permissions are correct. Bug #1007. + * It is now possible to set resource limits in the sudoers file + itself. The special values default and ???user??? refer to the + default system limit and invoking user limit respectively. The + core dump size limit is now set to 0 by default unless overridden + by the sudoers file. + * The cvtsudoers utility can now merge multiple sudoers sources into + a single, combined sudoers file. If there are conflicting entries, + cvtsudoers will attempt to resolve them but manual intervention + may be required. The merging of sudoers rules is currently fairly + simplistic but will be improved in a future release. + * Sudo was parsing but not applying the ???deref??? and ???tls_reqcert??? + ldap.conf settings. This meant the options were effectively ignored + which broke dereferencing of aliases in LDAP. Bug #1013. + * Clarified in the sudo man page that the security policy may + override the user???s PATH environment variable. Bug #1014. + * When sudo is run in non-interactive mode (with the -n option), it + will now attempt PAM authentication and only exit with an error if + user interaction is required. This allows PAM modules that don???t + interact with the user to succeed. 
Previously, sudo would not + attempt authentication if the -n option was specified. Bug #956 + and GitHub issue #83. + * Fixed a regression introduced in version 1.9.1 when sudo is built + with the --with-fqdn configure option. The local host name was + being resolved before the sudoers file was processed, making it + impossible to disable DNS lookups by negating the fqdn sudoers + option. Bug #1016. + * Added support for negated sudoUser attributes in the LDAP and SSSD + sudoers back ends. A matching sudoUser that is negated will cause + the sudoRole containing it to be ignored. + * Fixed a bug where the stack resource limit could be set to a value + smaller than that of the invoking user and not be reset before the + command was run. Bug #1016. +- sudo no longer ships schema for LDAP. +- sudo-feature-negated-LDAP-users.patch dropped, included upstream +- refreshed sudo-sudoers.patch + +------------------------------------------------------------------- +Thu Jan 27 03:00:26 UTC 2022 - Simon Lees <sfl...@suse.de> + +- Add support in the LDAP filter for negated users, patch taken + from upstream (jsc#20068) + * Adds sudo-feature-negated-LDAP-users.patch + +------------------------------------------------------------------- Old: ---- sudo-1.9.8p2.tar.gz sudo-1.9.8p2.tar.gz.sig New: ---- sudo-1.9.9.tar.gz sudo-1.9.9.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.69yk0L/_old 2022-02-03 23:16:05.916771624 +0100 +++ /var/tmp/diff_new_pack.69yk0L/_new 2022-02-03 23:16:05.920771597 +0100 @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -22,7 +22,7 @@ %define use_usretc 1 %endif Name: sudo -Version: 1.9.8p2 +Version: 1.9.9 Release: 0 Summary: Execute some commands as root License: ISC @@ -88,8 +88,7 @@ Tests for fate#313276 %prep -%setup -q -%patch0 -p1 +%autosetup -p1 %build %ifarch s390 s390x %{sparc} @@ -140,7 +139,6 @@ rm -f %{buildroot}%{_bindir}/sudoedit ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema -install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/ rm -f %{buildroot}%{_docdir}/%{name}/sample.pam rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf @@ -154,9 +152,10 @@ install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo -install -d %{buildroot}%{_docdir}/%{name}-test -install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE %{buildroot}%{_docdir}/%{name}-test/LICENSE -rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE + +install -d %{buildroot}%{_licensedir}/%{name} +install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE.md %{buildroot}%{_licensedir}/%{name}/LICENSE.md +rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md %if %{defined use_usretc} %pre @@ -185,7 +184,7 @@ %verify_permissions -e %{_bindir}/sudo %files -f %{name}.lang -%license doc/LICENSE +%license doc/LICENSE.md %doc %{_docdir}/%{name} %{_mandir}/man1/cvtsudoers.1%{?ext_man} %{_mandir}/man5/sudoers.5%{?ext_man} @@ -213,9 +212,6 @@ %config(noreplace) %{_sysconfdir}/pam.d/sudo-i %endif %attr(4755,root,root) %{_bindir}/sudo -%dir %{_sysconfdir}/openldap -%dir %{_sysconfdir}/openldap/schema -%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema %{_bindir}/sudoedit %{_bindir}/sudoreplay %{_bindir}/cvtsudoers 
@@ -252,6 +248,5 @@ %files test %{_localstatedir}/lib/tests -%{_docdir}/%{name}-test/ %changelog ++++++ sudo-1.9.8p2.tar.gz -> sudo-1.9.9.tar.gz ++++++ ++++ 181902 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.69yk0L/_old 2022-02-03 23:16:06.608766900 +0100 +++ /var/tmp/diff_new_pack.69yk0L/_new 2022-02-03 23:16:06.612766873 +0100 @@ -1,7 +1,7 @@ -Index: sudo-1.8.31/plugins/sudoers/sudoers.in +Index: sudo-1.9.9/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.8.31.orig/plugins/sudoers/sudoers.in -+++ sudo-1.8.31/plugins/sudoers/sudoers.in +--- sudo-1.9.9.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.9/plugins/sudoers/sudoers.in @@ -32,30 +32,23 @@ ## ## Defaults specification 
@@ -67,49 +67,18 @@ ## ## Runas alias specification ## -@@ -84,13 +84,5 @@ +@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password - # %wheel ALL=(ALL) NOPASSWD: ALL + # %wheel ALL=(ALL:ALL) NOPASSWD: ALL -## Uncomment to allow members of group sudo to execute any command --# %sudo ALL=(ALL) ALL +-# %sudo ALL=(ALL:ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user --# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' +-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - ## Read drop-in files from @sysconfdir@/sudoers.d @includedir @sysconfdir@/sudoers.d -Index: sudo-1.8.31/doc/sudoers.mdoc.in -=================================================================== ---- sudo-1.8.31.orig/doc/sudoers.mdoc.in -+++ sudo-1.8.31/doc/sudoers.mdoc.in -@@ -1985,7 +1985,7 @@ is present in the - .Em env_keep - list, both of which are strongly discouraged. - This flag is --.Em off -+.Em on - by default. - .It authenticate - If set, users must authenticate themselves via a password (or other -@@ -2376,7 +2376,7 @@ If set, - .Nm sudo - will insult users when they enter an incorrect password. - This flag is --.Em @insults@ -+.Em off - by default. - .It log_allowed - If set, -@@ -3009,7 +3009,7 @@ database as an argument to the - .Fl u - option. - This flag is --.Em off -+.Em on - by default. - .It tty_tickets - If set, users must authenticate on a per-tty basis.
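
Review bot: in the 1.9.9 entry of sudo.changes, "Bug #1016" is cited twice, once for the --with-fqdn regression and again for the stack resource limit fix at the end of the list. These are unrelated fixes, so one of the two references is likely wrong and should be checked against the upstream NEWS file before the entry is merged. The same entry also shows mangled apostrophes and quotes ("user???s", "don???t", "???deref???"); if they are in the .changes file itself rather than an artifact of this mail, replace them with plain ASCII characters.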
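
Review bot: the sudo.spec hunk at -140,7 drops the install of doc/schema.OpenLDAP and the %files hunk at -213,9 drops both %dir entries under %{_sysconfdir}/openldap, but the context line "install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema" is kept, so the build still creates a directory that no package owns. Remove that install -d line as well. Since the changelog states that sudo no longer ships the LDAP schema, it would also help to say there where LDAP deployments should now obtain sudo.schema.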
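
Review bot: in the sudo.spec hunk at -154,9, the added lines copy LICENSE.md by hand into %{buildroot}%{_licensedir}/%{name}, while the %files hunk at -185,7 already lists "%license doc/LICENSE.md", which places the same file in the license directory. The install -d and install -m 644 lines look redundant; keeping only the "rm -fv" of the %{_docdir} copy should be enough. The -252,6 hunk also removes %{_docdir}/%{name}-test/ from %files test, so the test subpackage no longer carries its own license copy; confirm that this is intended.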
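
Review bot: the sudo-sudoers.patch diff deletes the whole "Index: sudo-1.8.31/doc/sudoers.mdoc.in" section, that is, the three hunks that rewrote the "This flag is ... by default" statements in the manual (off to on twice, @insults@ to off once), yet sudo.changes records this only as "refreshed sudo-sudoers.patch". If the retained sudoers.in hunks still change those defaults, sudoers(5) will now describe the upstream defaults rather than the packaged ones, which is misleading for anyone auditing the shipped policy. Either rebase the man page hunks onto 1.9.9 or state in the changelog why they were dropped.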