Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2020-02-15 22:23:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Sat Feb 15 22:23:40 2020 rev:106 rq:772143 version:1.8.31 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2019-12-18 14:45:36.101864060 +0100 +++ /work/SRC/openSUSE:Factory/.sudo.new.26092/sudo.changes 2020-02-15 22:23:42.279254068 +0100 
@@ -1,0 +2,76 @@ +Thu Feb 6 19:21:23 UTC 2020 - Kristyna Streitova <kstreit...@suse.com> + +- Update to 1.8.31 + Major changes between version 1.8.31 and 1.8.30: + * This version fixes a potential security issue that can lead to + a buffer overflow if the pwfeedback option is enabled in + sudoers [CVE-2019-18634] [bsc#1162202] + * The sudoedit_checkdir option now treats a user-owned directory + as writable, even if it does not have the write bit set at the + time of check. Symbolic links will no longer be followed by + sudoedit in any user-owned directory. Bug #912. + * Fixed a crash introduced in sudo 1.8.30 when suspending sudo + at the password prompt. Bug #914. + * Fixed compilation on systems where the mmap MAP_ANON flag is + not available. Bug #915. + Major changes between version 1.8.30 and 1.8.29: + * Sudo now closes file descriptors before changing uids. This + prevents a non-root process from interfering with sudo's ability + to close file descriptors on systems that support the prlimit(2) + system call. + * Sudo now treats an attempt to run sudo sudoedit as simply + sudoedit If the sudoers file contains a fully-qualified path + to sudoedit, sudo will now treat it simply as sudoedit + (with no path). Visudo will will now treat a fully-qualified + path to sudoedit as an error. Bug #871. + * Fixed a bug introduced in sudo 1.8.28 where sudo would warn + about a missing /etc/environment file on AIX and Linux when + PAM is not enabled. Bug #907. + * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented + the askpass program from running due to an unlimited stack size + resource limit. Bug #908. + * If a group provider plugin has optional arguments, the argument + list passed to the plugin is now NULL terminated as per the + documentation. + * The user's time stamp file is now only updated if both authentication + and approval phases succeed. This is consistent with the behavior + of sudo prior to version 1.8.23. Bug #910. 
+ * The new allow_unknown_runas_id sudoers setting can be used to + enable or disable the use of unknown user or group IDs. + Previously, sudo would always allow unknown user or group IDs if + the sudoers entry permitted it, including via the ALL alias. + As of sudo 1.8.30, the admin must explicitly enable support for + unknown IDs. + * The new runas_check_shell sudoers setting can be used to require + that the runas user have a shell listed in the /etc/shells file. + On many systems, users such as bin, do not have a valid shell and + this flag can be used to prevent commands from being run as + those users. + * Fixed a problem restoring the SELinux tty context during reboot + if mctransd is killed before sudo finishes. GitHub Issue #17. + * Fixed an intermittent warning on NetBSD when sudo restores the + initial stack size limit. + Major changes between version 1.8.29 and 1.8.28p1: + * The cvtsudoers command will now reject non-LDIF input when + converting from LDIF format to sudoers or JSON formats. + * The new log_allowed and log_denied sudoers settings make it + possible to disable logging and auditing of allowed and/or + denied commands. + * The umask is now handled differently on systems with PAM or + login.conf. If the umask is explicitly set in sudoers, that + value is used regardless of what PAM or login.conf may specify. + However, if the umask is not explicitly set in sudoers, PAM or + login.conf may now override the default sudoers umask. Bug #900. + * For make install, the sudoers file is no longer checked for syntax + errors when DESTDIR is set. The default sudoers file includes the + contents of /etc/sudoers.d which may not be readable as non-root. + Bug #902. + * Sudo now sets most resource limits to their maximum value to avoid + problems caused by insufficient resources, such as an inability to + allocate memory or open files and pipes. 
Fixed a regression introduced + in sudo 1.8.28 where sudo would refuse to run if the parent process was + not associated with a session. This was due to sudo passing a session + ID of -1 to the plugin. +- refresh sudo-sudoers.patch + +------------------------------------------------------------------- Old: ---- sudo-1.8.28p1.tar.gz sudo-1.8.28p1.tar.gz.sig New: ---- sudo-1.8.31.tar.gz sudo-1.8.31.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.rjHWjA/_old 2020-02-15 22:23:42.887254397 +0100 +++ /var/tmp/diff_new_pack.rjHWjA/_new 2020-02-15 22:23:42.891254399 +0100 @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %endif Name: sudo -Version: 1.8.28p1 +Version: 1.8.31 Release: 0 Summary: Execute some commands as root License: ISC ++++++ sudo-1.8.28p1.tar.gz -> sudo-1.8.31.tar.gz ++++++ ++++ 63563 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.rjHWjA/_old 2020-02-15 22:23:43.467254710 +0100 +++ /var/tmp/diff_new_pack.rjHWjA/_new 2020-02-15 22:23:43.467254710 +0100 @@ -1,7 +1,7 @@ -Index: sudo-1.8.28/plugins/sudoers/sudoers.in +Index: sudo-1.8.31/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200 -+++ sudo-1.8.28/plugins/sudoers/sudoers.in 2019-10-14 17:00:04.688378325 +0200 +--- sudo-1.8.31.orig/plugins/sudoers/sudoers.in ++++ sudo-1.8.31/plugins/sudoers/sudoers.in @@ -32,30 +32,23 @@ ## ## Defaults specification 
@@ -82,11 +82,11 @@ ## Read drop-in files from @sysconfdir@/sudoers.d ## (the '#' here does not indicate a comment) #includedir @sysconfdir@/sudoers.d -Index: sudo-1.8.28/doc/sudoers.mdoc.in +Index: sudo-1.8.31/doc/sudoers.mdoc.in =================================================================== ---- sudo-1.8.28.orig/doc/sudoers.mdoc.in 2019-10-14 17:00:02.176362373 +0200 -+++ sudo-1.8.28/doc/sudoers.mdoc.in 2019-10-14 17:03:30.841685660 +0200 -@@ -1972,7 +1972,7 @@ is present in the +--- sudo-1.8.31.orig/doc/sudoers.mdoc.in ++++ sudo-1.8.31/doc/sudoers.mdoc.in +@@ -1985,7 +1985,7 @@ is present in the .Em env_keep list, both of which are strongly discouraged. This flag is @@ -95,16 +95,16 @@ by default. .It authenticate If set, users must authenticate themselves via a password (or other -@@ -2364,7 +2364,7 @@ If set, +@@ -2376,7 +2376,7 @@ If set, .Nm sudo will insult users when they enter an incorrect password. This flag is -.Em @insults@ +.Em off by default. - .It log_host - If set, the host name will be logged in the (non-syslog) -@@ -2941,7 +2941,7 @@ database as an argument to the + .It log_allowed + If set, +@@ -3009,7 +3009,7 @@ database as an argument to the .Fl u option. This flag is
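Review bot: In the sudo.changes hunk, the 1.8.30 item about sudoedit carries two text slips that will ship in the package changelog: "Visudo will will now treat" repeats a word, and "sudoedit If the sudoers file contains" is missing the full stop after "sudoedit". Fix both before the entry is accepted, since this entry is where the CVE-2019-18634 / bsc#1162202 reference lives and it will be quoted downstream.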
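Review bot: In the refreshed sudo-sudoers.patch, the doc/sudoers.mdoc.in hunk now at -2376 still replaces ".Em @insults@" with a literal ".Em off", which hard-codes the documented default instead of letting configure substitute it; if a build ever enables insults, the man page will state a default that the build does not have. Either keep the @insults@ substitution and control the default through the configure options, or record in the patch header why the value is fixed. The refresh otherwise only drops the timestamps from the inner file headers, moves the hunk offsets (1972 to 1985, 2364 to 2376, 2941 to 3009) and changes the trailing context from log_host to log_allowed, which is consistent with the new log_allowed setting listed in the changelog.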