Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2019-10-30 14:42:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
and /work/SRC/openSUSE:Factory/.sudo.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Wed Oct 30 14:42:14 2019 rev:104 rq:743446 version:1.8.28p1 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2019-08-27 15:20:48.368858384 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.2990/sudo.changes 2019-10-30 14:42:18.777830997 +0100 
@@ -1,0 +2,66 @@ +Wed Oct 16 15:08:29 UTC 2019 - Vítězslav Čížek <vci...@suse.com> + +- Update to 1.8,28p1 + * The fix for Bug #869 caused "sudo -v" to prompt for a password + when "verifypw" is set to "all" (the default) and all of the + user's sudoers entries are marked with NOPASSWD. Bug #901. + +------------------------------------------------------------------- +Mon Oct 14 15:10:21 UTC 2019 - Vítězslav Čížek <vci...@suse.com> + +- Update to 1.8.28 + * Fixed CVE-2019-14287 (bsc#1153674), + a bug where a sudo user may be able to + run a command as root when the Runas specification explicitly + disallows root access as long as the ALL keyword is listed first. + * Sudo will now only set PAM_TTY to the empty string when no + terminal is present on Solaris and Linux. This workaround is + only needed on those systems which may have PAM modules that + misbehave when PAM_TTY is not set. + * The mailerflags sudoers option now has a default value even if + sendmail support was disabled at configure time. Fixes a crash + when the mailerpath sudoers option is set but mailerflags is not. + Bug #878. + * Sudo will now filter out last login messages on HP-UX unless it + a shell is being run via "sudo -s" or "sudo -i". Otherwise, + when trusted mode is enabled, these messages will be displayed + for each command. + * Sudo has a new -B command line option that will ring the terminal + bell when prompting for a password. + * Sudo no longer refuses to prompt for a password when it cannot + determine the user's terminal as long as it can open /dev/tty. + This allows sudo to function on systems where /proc is unavailable, + such as when running in a chroot environment. + * The "env_editor" sudoers flag is now on by default. This makes + source builds more consistent with the packages generated by + sudo's mkpkg script. + * Fixed a bad interaction with configure's --prefix and + --disable-shared options. Bug #886. 
+ * More verbose error message when a password is required and no terminal + is present. Bug #828. + * Command tags, such as NOPASSWD, are honored when a user tries to run a + command that is allowed by sudoers but which does not actually + exist on the file system. Bug #888. + * I/O log timing files now store signal suspend and resume information + in the form of a signal name instead of a number. + * Fixed a bug introduced in 1.8.24 that prevented sudo from honoring + the value of "ipa_hostname" from sssd.conf, if specified, when + matching the host name. + * Fixed a bug introduced in 1.8.21 that prevented the core dump + resource limit set in the pam_limits module from taking effect. + Bug #894. + * Fixed parsing of double-quoted Defaults group and netgroup bindings. + * The user ID is now used when matching sudoUser attributes in LDAP. + Previously, the user name, group name and group IDs were used + when matching but not the user ID. + * Sudo now writes PAM messages to the user's terminal, if available, + instead of the standard output or standard error. This prevents + PAM output from being intermixed with that of the command when + output is sent to a file or pipe. Bug #895. + * Sudoedit now honors the umask and umask_override settings in sudoers. + Previously, the user's umask was used as-is. + * Fixed a bug where the terminal's file context was not restored + when using SELinux RBAC. Bug #898. +- refresh sudo-sudoers.patch + +------------------------------------------------------------------- Old: ---- sudo-1.8.27.tar.gz sudo-1.8.27.tar.gz.sig New: ---- sudo-1.8.28p1.tar.gz sudo-1.8.28p1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.NQTadz/_old 2019-10-30 14:42:19.581831852 +0100 +++ /var/tmp/diff_new_pack.NQTadz/_new 2019-10-30 14:42:19.585831857 +0100 
@@ -17,7 +17,7 @@ Name: sudo -Version: 1.8.27 +Version: 1.8.28p1 Release: 0 Summary: Execute some commands as root License: ISC @@ -173,9 +173,10 @@ %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/sesh %{_libexecdir}/%{name}/sudo_noexec.so -%{_libexecdir}/%{name}/sudoers.so -%{_libexecdir}/%{name}/group_file.so -%{_libexecdir}/%{name}/system_group.so +%dir %{_libexecdir}/%{name}/%{name} +%{_libexecdir}/%{name}/%{name}/sudoers.so +%{_libexecdir}/%{name}/%{name}/group_file.so +%{_libexecdir}/%{name}/%{name}/system_group.so %{_libexecdir}/%{name}/libsudo_util.so.* %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name} %attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts @@ -187,6 +188,7 @@ %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8%{?ext_man} %attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so +%{_libexecdir}/%{name}/sudo/*.la %{_libexecdir}/%{name}/*.la %files test ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.NQTadz/_old 2019-10-30 14:42:19.653831929 +0100 +++ /var/tmp/diff_new_pack.NQTadz/_new 2019-10-30 14:42:19.653831929 +0100 @@ -1,7 +1,7 @@ -Index: sudo-1.8.14p3/plugins/sudoers/sudoers.in +Index: sudo-1.8.28/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.8.14p3.orig/plugins/sudoers/sudoers.in -+++ sudo-1.8.14p3/plugins/sudoers/sudoers.in +--- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200 ++++ sudo-1.8.28/plugins/sudoers/sudoers.in 2019-10-14 17:00:04.688378325 +0200 @@ -32,30 +32,23 @@ ## ## Defaults specification 
@@ -82,20 +82,20 @@ ## Read drop-in files from @sysconfdir@/sudoers.d ## (the '#' here does not indicate a comment) #includedir @sysconfdir@/sudoers.d -Index: sudo-1.8.14p3/doc/sudoers.mdoc.in +Index: sudo-1.8.28/doc/sudoers.mdoc.in =================================================================== ---- sudo-1.8.14p3.orig/doc/sudoers.mdoc.in -+++ sudo-1.8.14p3/doc/sudoers.mdoc.in -@@ -1711,7 +1711,7 @@ is present in the +--- sudo-1.8.28.orig/doc/sudoers.mdoc.in 2019-10-14 17:00:02.176362373 +0200 ++++ sudo-1.8.28/doc/sudoers.mdoc.in 2019-10-14 17:03:30.841685660 +0200 +@@ -1972,7 +1972,7 @@ is present in the .Em env_keep - list. + list, both of which are strongly discouraged. This flag is -.Em off +.Em on by default. .It authenticate If set, users must authenticate themselves via a password (or other -@@ -2027,7 +2027,7 @@ If set, +@@ -2364,7 +2364,7 @@ If set, .Nm sudo will insult users when they enter an incorrect password. This flag is @@ -104,7 +104,7 @@ by default. .It log_host If set, the host name will be logged in the (non-syslog) -@@ -2508,7 +2508,7 @@ database as an argument to the +@@ -2941,7 +2941,7 @@ database as an argument to the .Fl u option. This flag is
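
Review bot: the version string in the first added sudo.changes entry has a comma where it needs a dot: "Update to 1.8,28p1" should read "Update to 1.8.28p1", matching "Version: 1.8.28p1" in sudo.spec and the tarball name sudo-1.8.28p1.tar.gz. Anyone searching the changelog for the exact version that carries the CVE-2019-14287 fix and the follow-up Bug #901 fix will miss this entry as written. In the same hunk, the HP-UX item reads "unless it a shell is being run", which has a stray "it".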
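
Review bot: the relocation of sudoers.so, group_file.so and system_group.so in the sudo.spec hunk at "@@ -173,9 +173,10 @@" is not recorded anywhere in the new sudo.changes entries, which only list upstream changes and "refresh sudo-sudoers.patch". The three plugins move from "%{_libexecdir}/%{name}/" into the new "%{_libexecdir}/%{name}/%{name}/" directory, so please add a changelog line for it; administrators who reference the plugin by absolute path or keep file-integrity baselines for these files need to know the path changed with this update.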
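
Review bot: the line added in the sudo.spec hunk at "@@ -187,6 +188,7 @@", "%{_libexecdir}/%{name}/sudo/*.la", hard-codes "sudo" for a directory that the "@@ -173,9 +173,10 @@" hunk spells as "%{_libexecdir}/%{name}/%{name}". Use the same form in both file lists, for example "%{_libexecdir}/%{name}/%{name}/*.la", so the two entries cannot drift apart.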
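
Review bot: the refreshed file headers in sudo-sudoers.patch now carry timestamps ("--- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200"), where the previous revision of the patch had none. Timestamps change on every refresh and add noise to later diffs of the patch without any change in content. If the patch is maintained with quilt, regenerating it with "quilt refresh --no-timestamps" keeps the headers stable.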