** Description changed:

  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.
+ 
+ ------ Justification of patches removed from debian/patches/series ------
+ * typo-in-classic-insults.diff
+   * This exact patch is present in upstream version 1.9.5p2-2
+ * paths-in-samples.diff
+   * This exact patch is present in upstream version 1.9.5p2-2
+ * Whitelist-DPKG_COLORS-environment-variable.diff
+   * This exact patch is present in upstream version 1.9.5p2-2
+ * CVE-2021-23239.patch
+   * This exact patch is NOT present in upstream version 1.9.5p2-2
+     * The patch is made to address a vulnerability wherein users
+       were able to gain information about what directories existed
+       that they should not have had access to.
+     * Upstream version 1.9.5p2-2 addresses this vulnerability using
+       the function sudo_edit_parent_valid in the file src/sudo_edit.c
+     * Since the vulnerability is addressed in upstream version
+       1.9.5p2-2 it can safely be dropped
+ * CVE-2021-3156-1.patch
+   * The code from this patch already exists in upstream
+     version 1.9.5p2-2
+ * CVE-2021-3156-2.patch
+   * The code from this patch already exists in upstream
+     version 1.9.5p2-2
+ * CVE-2021-3156-3.patch
+   * The code from this patch already exists in upstream
+     version 1.9.5p2-2
+ * CVE-2021-3156-4.patch
+   * The code from this patch already exists in upstream
+     version 1.9.5p2-2
+ * CVE-2021-3156-5.patch
+   * The code from this patch already exists in upstream
+     version 1.9.5p2-2
+ * ineffective_no_root_mailer.patch
+   * This exact patch is present in upstream version 1.9.5p2-2
+     under the name fix-no-root-mailer.diff
+ 
+ Changes:
+   * Merge from Debian unstable. (LP: #1915307)
+     Remaining changes:
+     - debian/rules:
+       + use dh-autoreconf
+     - debian/rules: stop shipping init scripts, as they are no longer
+       necessary.
+     - debian/rules:
+       + compile with --without-lecture --with-tty-tickets --enable-admin-flag
+       + install man/man8/sudo_root.8 in both flavours
+       + install apport hooks
+     - debian/sudo-ldap.dirs, debian/sudo.dirs:
+       + add usr/share/apport/package-hooks
+     - debian/sudo.pam:
+       + Use pam_env to read /etc/environment and /etc/default/locale
+         environment files. Reading ~/.pam_environment is not permitted due
+         to security reasons.
+     - debian/sudoers:
+       + also grant admin group sudo access
+       + include /snap/bin in the secure_path
+ 
+ sudo (1.9.5p2-2) unstable; urgency=medium
+ 
+   * patch from upstream repo to fix NO_ROOT_MAILER
+ 
+ sudo (1.9.5p2-1) unstable; urgency=high
+ 
+   * new upstream version, addresses CVE-2021-3156
+ 
+ sudo (1.9.5p1-1.1) unstable; urgency=high
+ 
+   * Non-maintainer upload.
+   * Heap-based buffer overflow (CVE-2021-3156)
+     - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
+     - Add sudoedit flag checks in plugin that are consistent with front-end
+     - Fix potential buffer overflow when unescaping backslashes in user_args
+     - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
+     - Don't assume that argv is allocated as a single flat buffer
+ 
+ sudo (1.9.5p1-1) unstable; urgency=medium
+ 
+   * new upstream version, closes: #980028
+ 
+ sudo (1.9.5-1) unstable; urgency=medium
+ 
+   * new upstream version
+ 
+ sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium
+ 
+   * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
+     - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
+       in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
+     - No CVE number
+ 
+ sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium
+ 
+   * SECURITY UPDATE: dir existence issue via sudoedit race
+     - debian/patches/CVE-2021-23239.patch: fix potential directory existing
+       info leak in sudoedit in src/sudo_edit.c.
+     - CVE-2021-23239
+   * SECURITY UPDATE: heap-based buffer overflow
+     - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
+       MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
+     - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
+       plugin in plugins/sudoers/policy.c.
+     - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
+       when unescaping backslashes in plugins/sudoers/sudoers.c.
+     - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
+       converting a v1 timestamp to TS_LOCKEXCL in
+       plugins/sudoers/timestamp.c.
+     - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
+       allocated as a single flat buffer in src/parse_args.c.
+     - CVE-2021-3156

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1915307

Title:
  Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)
