| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
security/sssd is marked as deprecated, add a note on option description
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
| |
security/sssd-devel was renamed to security/sssd2
PR: 277077
|
| |
|
|
|
|
|
|
|
|
|
| |
sudo already allows for the use of security/sssd (SSSD)
This patch allows for selecting security/sssd-devel (SSSD_DEVEL)
instead.
Also updates security/sssd-devel, elminating a circular dependency.
PR: 276598 272571
|
| |
|
|
|
|
|
|
|
|
| |
I made a mistake and changed these ports to HAS_CONFIGURE when working
on MANPREFIX sanitization. Restore proper macro usage and set
GNU_CONFIGURE_MANPREFIX properly to keep manpages installed under
${PREFIX}/share.
Reported by: danfe
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.15p5 and 1.9.15p4:
* Fixed evaluation of the "lecture", "listpw", "verifypw", and
"fdexec" sudoers Defaults settings when used without an explicit
value. Previously, if specified without a value they were
evaluated as boolean "false", even when the negation operator
('!') was not present.
* Fixed a bug introduced in sudo 1.9.14 that prevented LDAP
netgroup queries using the NETGROUP_BASE setting from being
performed.
* Sudo will now transparently rename a user's lecture file from
the older name-based path to the newer user-ID-based path.
GitHub issue #342.
* Fixed a bug introduced in sudo 1.9.15 that could cause a memory
allocation failure if sysconf(_SC_LOGIN_NAME_MAX) fails. Bug #1066.
PR: 276032
Approved by: garga (maintainer)
MFH: 2024Q1
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.15p4 and 1.9.15p3:
* Fixed a bug introduced in sudo 1.9.15 that could prevent a user's
privileges from being listed by "sudo -l" if the sudoers entry
in /etc/nsswitch.conf contains "[SUCCESS=return]". This did not
affect the ability to run commands via sudo. Bug #1063.
PR: 275788
Approved by: garga (maintainer)
MFH: 2023Q4
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.15p3 and 1.9.15p2:
* Always disable core dumps when sudo sends itself a fatal signal.
Fixes a problem where sudo could potentially dump core dump when
it re-sends the fatal signal to itself. This is only an issue
if the command received a signal that would normally result in
a core dump but the command did not actually dump core.
* Fixed a bug matching a command with a relative path name when
the sudoers rule uses shell globbing rules for the path name.
Bug #1062.
* Permit visudo to be run even if the local host name is not set.
GitHub issue #332.
* Fixed an editing error introduced in sudo 1.9.15 that could
prevent sudoreplay from replaying sessions correctly.
GitHub issue #334.
* Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null"
could hang on Linux systems. GitHub issue #335.
* Fixed a bug introduced in sudo 1.9.15 where Solaris privileges
specified in sudoers were not applied to the command being run.
PR: 275754
Approved by: garga (maintainer)
MFH: 2023Q4
|
| |
|
|
|
|
|
|
| |
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
| |
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
PR: 274960
Reported by: Daniel Porsch <daniel.porsch@loopia.se>
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
| |
While here:
- Prevent combination of SSSD and GSSAPI_HEIMDAL because sssd port
requires MIT kerberos and it will conflict with heimdal
- Removed SSSD_DEVEL option because sssd-devel port requires sudo and it
creates a circular dependency
- Fix OPIE on FreeBSD versions after it was removed from base
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since SSL support is being changed and sudo can be built without it, add
a new SSL option, on by default.
When option is enabled, use --enable-openssl=${OPENSSLBASE} to make sure
it consumes desired OpenSSL implementation. Also add pkgconfig
dependency because configure script rely on it to detect openssl
details.
PR: 274753
Reported by: tburns@hrsd.com
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.14p3 and 1.9.14p2:
* Fixed a crash with Python 3.12 when the sudo Python python is
unloaded. This only affects "make check" for the Python plugin.
* Adapted the sudo Python plugin test output to match Python 3.12.
PR: 272707
Approved by: garga (maintainer)
MFH: 2023Q3
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
| |
security/sudo already allows for the use of security/sssd (SSSD)
This patch allows for selecting security/sssd-devel (SSSD_DEVEL)
instead.
PR: 272488
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.14p1 and 1.9.14:
* Fixed an "invalid free" bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
PR: 272456
Approved by: garga (maintainer)
MFH: 2023Q3
|
| |
|
|
|
|
| |
I forgot to put the PR number in its placeholder.
This reverts commit af3f8976df6f16a1a2554537e9c35188db653d0f.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.14p1 and 1.9.14:
* Fixed an "invalid free" bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
PR: NNNNNN
Approved by: garga (maintainer)
MFH: 2023Q3
|
| |
|
|
|
|
| |
PR: 272255
Approved by: garga (maintainer)
MFH" 2023Q2
|
| |
|
|
|
|
|
| |
It doesn't understand sudo versioning scheme and keep giving false
alerts.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
| |
No functional changes intended
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
| |
PR 270002
Approved by: garga (maintainer - private email to myself, implicit)
message-id: 816dd4b5-0a0d-3dd2-4bcc-c9b3b1a4ddfd@FreeBSD.org
MFH: 2023Q1
ChangeLog: https://www.sudo.ws/releases/stable/#1.9.13p3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.13p2 and 1.9.13p1:
* Fixed the --enable-static-sudoers option, broken in sudo 1.9.13.
GitHub issue #245.
* Fixed a potential double-free bug when matching a sudoers rule
that contains a per-command chroot directive (CHROOT=dir). This
bug was introduced in sudo 1.9.8.
PR: 269854
Approved by: garga
MFH: 2023Q1
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.13 and 1.9.12p2:
* Fixed a bug running relative commands via sudo when "log_subcmds"
is enabled. GitHub issue #194.
* Fixed a signal handling bug when running sudo commands in a shell
script. Signals were not being forwarded to the command when
the sudo process was not run in its own process group.
* Fixed a bug in cvtsudoers' LDIF parsing when the file ends without
a newline and a backslash is the last character of the file.
* Fixed a potential use-after-free bug with cvtsudoers filtering.
GitHub issue #198.
* Added a reminder to the default lecture that the password will
not echo. This line is only displayed when the pwfeedback option
is disabled. GitHub issue #195.
* Fixed potential memory leaks in error paths. GitHub issues #199,
#202.
* Fixed potential NULL dereferences on memory allocation failure.
GitHub issues #204, #211.
* Sudo now uses C23-style attributes in function prototypes instead
of gcc-style attributes if supported.
* Added a new "list" pseudo-command in sudoers to allow a user to
list another user's privileges. Previously, only root or a user
with the ability to run any command as either root or the target
user on the current host could use the -U option. This also
includes a fix to the log entry when a user lacks permission to
run "sudo -U otheruser -l command". Previously, the logs would
indicate that the user tried to run the actual command, now the
log entry includes the list operation.
* JSON logging now escapes control characters if they happen to
appear in the command or environment.
* New Albanian translation from translationproject.org.
* Regular expressions in sudoers or logsrvd.conf may no longer
contain consecutive repetition operators. This is implementation-
specific behavior according to POSIX, but some implementations
will allocate excessive amounts of memory. This mainly affects
the fuzzers.
* Sudo now builds AIX-style shared libraries and dynamic shared
objects by default instead of svr4-style. This means that the
default sudo plugins are now .a (archive) files that contain a
.so shared object file instead of bare .so files. This was done
to improve compatibility with the AIX Freeware ecosystem,
specifically, the AIX Freeware build of OpenSSL. Sudo will still
load svr4-style .so plugins and if a .so file is requested,
either via sudo.conf or the sudoers file, and only the .a file
is present, sudo will convert the path from plugin.so to
plugin.a(plugin.so) when loading it. This ensures compatibility
with existing configurations. To restore the old, pre-1.9.13
behavior, run configure using the --with-aix-soname=svr4 option.
* Sudo no longer checks the ownership and mode of the plugins that
it loads. Plugins are configured via either the sudo.conf or
sudoers file which are trusted configuration files. These checks
suffered from time-of-check vs. time-of-use race conditions and
complicate loading plugins that are not simple paths. Ownership
and mode checks are still performed when loading the sudo.conf
and sudoers files, which do not suffer from race conditions.
The sudo.conf "developer_mode" setting is no longer used.
* Control characters in sudo log messages and "sudoreplay -l"
output are now escaped in octal format. Space characters in the
command path are also escaped. Command line arguments that
contain spaces are surrounded by single quotes and any literal
single quote or backslash characters are escaped with a backslash.
This makes it possible to distinguish multiple command line
arguments from a single argument that contains spaces.
* Improved support for DragonFly BSD which uses a different struct
procinfo than either FreeBSD or 4.4BSD.
* Fixed a compilation error on Linux arm systems running older
kernels that may not define EM_ARM in linux/elf-em.h.
GitHub issue #232.
* Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined.
Sudo will now link using -Wl,--no-undefined by default if possible.
GitHub issue #234.
* Fixed a bug executing a command with a very long argument vector
when "log_subcmds" or "intercept" is enabled on a system where
"intercept_type" is set to "trace". GitHub issue #194.
* When sudo is configured to run a command in a pseudo-terminal
but the standard input is not connected to a terminal, the command
will now be run as a background process. This works around a
problem running sudo commands in the background from a shell
script where changing the terminal to raw mode could interfere
with the interactive shell that ran the script.
GitHub issue #237.
* A missing include file in sudoers is no longer a fatal error
unless the error_recovery plugin argument has been set to false.
PR: 269563
Submitted by: cy
Reported by: cy
Approved by: garga
MFH: 2023Q1
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Convert the USE_LDAP=yes to USES=ldap and adds the following features:
- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features
Reviewed by: delphij
Approved by: portmgr
Differential Revision: https://reviews.freebsd.org/D38233
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.12p2 and 1.9.12p1:
* Fixed a compilation error on Linux/aarch64. GitHub issue #197.
* Fixed a potential crash introduced in the fix for GitHub issue #134.
If a user's sudoers entry did not have any RunAs user's set,
running "sudo -U otheruser -l" would dereference a NULL pointer.
* Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
from creating a I/O files when the "iolog_file" sudoers setting
contains six or more Xs.
* Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
that coud allow a malicious user with sudoedit privileges to
edit arbitrary files.
PR: 269030
Submitted by: cy
Reported by: cy
Approved by: garga
MFH: 2023Q1
Security: CVE-2023-22809
|
| |
|
|
|
|
|
|
|
|
|
| |
This release includes fixes to minor bugs, including a fix for
CVE-2022-43995, a non-exploitable potential out-of-bounds write on
systems that do not use PAM, AIX authentication or BSD authentication.
PR: 267617
Approved by: garga (Maintainer)
MFH: 2022Q4
Security: CVE-2022-43995
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
| |
Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.
This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.
Approved by: portmgr (tcberner)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.
Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.
There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.
This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.
There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.
The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.
Approved by: portmgr (tcberner)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A big Thank You to the original contributors of these ports:
* <ports@c0decafe.net>
* Aaron Dalton <aaron@FreeBSD.org>
* Adam Weinberger <adamw@FreeBSD.org>
* Ade Lovett <ade@FreeBSD.org>
* Aldis Berjoza <aldis@bsdroot.lv>
* Alex Dupre <ale@FreeBSD.org>
* Alex Kapranoff <kappa@rambler-co.ru>
* Alex Samorukov <samm@freebsd.org>
* Alexander Botero-Lowry <alex@foxybanana.com>
* Alexander Kriventsov <avk@vl.ru>
* Alexander Leidinger <netchild@FreeBSD.org>
* Alexander Logvinov <ports@logvinov.com>
* Alexander Y. Grigoryev <alexander.4mail@gmail.com>
* Alexey Dokuchaev <danfe@FreeBSD.org>
* Alfred Perlstein
* Alfred Perlstein <alfred@FreeBSD.org>
* Anders Nordby <anders@FreeBSD.org>
* Anders Nordby <anders@fix.no>
* Andreas Klemm <andreas@klemm.gtn.com>
* Andrew Lewis <freeghb@gmail.com>
* Andrew Pantyukhin <infofarmer@FreeBSD.org>
* Andrew St. Jean <andrew@arda.homeunix.net>
* Anes Mukhametov <anes@anes.su>
* Antoine Brodin <antoine@FreeBSD.org>
* Anton Berezin <tobez@FreeBSD.org>
* Antonio Carlos Venancio Junior (<antonio@inf.ufsc.br>)
* Antonio Carlos Venancio Junior <antonio@inf.ufsc.br>
* Ashish SHUKLA <ashish@FreeBSD.org>
* Attila Nagy <bra@fsn.hu>
* Autrijus Tang <autrijus@autrijus.org>
* Axel Rau <axel.rau@chaos1.de>
* Babak Farrokhi <farrokhi@FreeBSD.org>
* Ben Woods <woodsb02@FreeBSD.org>
* Bernard Spil <brnrd@FreeBSD.org>
* Bernard Spil <brnrd@freebsd.org>
* Blaz Zupan <blaz@si.FreeBSD.org>
* Bob Hockney <zeus@ix.netcom.com>
* Boris Kochergin <spawk@acm.poly.edu>
* Brendan Molloy <brendan+freebsd@bbqsrc.net>
* Bruce M Simpson
* Bruce M Simpson <bms@FreeBSD.org>
* Bruce M. Simpson <bms@FreeBSD.org>
* Carlo Strub
* Carlo Strub <cs@FreeBSD.org>
* Carlos J Puga Medina <cpm@FreeBSD.org>
* Carlos J Puga Medina <cpm@fbsd.es>
* Charlie Root <se@FreeBSD.org>
* Cheng-Lung Sung <clsung@FreeBSD.org>
* Cheng-Lung Sung <clsung@dragon2.net>
* Chie Taguchi <taguchi.ch@gmail.com>
* Chris Cowart <ccowart@rescomp.berkeley.edu>
* Chris D. Faulhaber <jedgar@FreeBSD.org>
* Christer Edwards <christer.edwards@gmail.com>
* Christian Lackas
* Christopher Hall <hsw@bitmark.com>
* Clement Laforet <sheepkiller@cultdeadsheep.org>
* Clive Lin <clive@CirX.ORG>
* Colin Percival
* Cory McIntire (loon@noncensored.com)
* Craig Leres <leres@FreeBSD.org>
* Cristiano Deana <cris@gufi.org>
* Cy Schubert (Cy.Schubert@uumail.gov.bc.ca)
* Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
* Cy Schubert <cy@FreeBSD.org>
* Damian Gerow <dgerow@afflictions.org>
* Damien Bobillot
* Dan Langille
* Dan Langille <dan@freebsddiary.org>
* Dan Langille <dvl@FreeBSD.org>
* Dan Langille <dvl@freebsd.org>
* Dan Langille <dvl@sourcefire.com>
* Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* Daniel Roethlisberger <daniel@roe.ch>
* Danilo Egea Gondolfo <danilo@FreeBSD.org>
* Danton Dorati <urisso@bsd.com.br>
* Dave McKay <dave@mu.org>
* David E. Thiel <lx@FreeBSD.org>
* David O'Brien (obrien@NUXI.com)
* David O'Brien <obrien@FreeBSD.org>
* David Thiel <lx@redundancy.redundancy.org>
* Dean Hollister <dean@odyssey.apana.org.au>
* Denis Shaposhnikov <dsh@vlink.ru>
* Dereckson <dereckson@gmail.com>
* Dirk Froemberg <dirk@FreeBSD.org>
* Ditesh Shashikant Gathani <ditesh@gathani.org>
* Dom Mitchell <dom@happygiraffe.net>
* Dominic Marks <dominic.marks@btinternet.com>
* Don Croyle <croyle@gelemna.org>
* Douglas Thrift <douglas@douglasthrift.net>
* Edson Brandi <ebrandi@fugspbr.org>
* Edwin Groothuis <edwin@mavetju.org>
* Ekkehard 'Ekki' Gehm <gehm@physik.tu-berlin.de>
* Emanuel Haupt <ehaupt@FreeBSD.org>
* Emanuel Haupt <ehaupt@critical.ch>
* Eric Crist <ecrist@secure-computing.net>
* Erwin Lansing <erwin@FreeBSD.org>
* Eugene Grosbein <eugen@FreeBSD.org>
* Fabian Keil <fk@fabiankeil.de>
* Felix Palmen <felix@palmen-it.de>
* Florent Thoumie <flz@xbsd.org>
* Foxfair Hu <foxfair@FreeBSD.org>
* Frank Laszlo <laszlof@vonostingroup.com>
* Frank Wall <fw@moov.de>
* Franz Bettag <franz@bett.ag>
* Gabor Kovesdan
* Gabor Kovesdan <gabor@FreeBSD.org>
* Gabriel M. Dutra <0xdutra@gmail.com>
* Gary Hayers <Gary@Hayers.net>
* Gasol Wu <gasol.wu@gmail.com>
* Gea-Suan Lin <gslin@gslin.org>
* George Reid <greid@ukug.uk.freebsd.org>
* George Reid <services@nevernet.net>
* Greg Larkin <glarkin@FreeBSD.org>
* Greg V <greg@unrelenting.technology>
* Gregory Neil Shapiro <gshapiro@FreeBSD.org>
* Grzegorz Blach <gblach@FreeBSD.org>
* Guangyuan Yang <ygy@FreeBSD.org>
* Hakisho Nukama <nukama@gmail.com>
* Hammurabi Mendes <hmendes@brturbo.com>
* Henk van Oers <hvo.pm@xs4all.nl>
* Horia Racoviceanu <horia@racoviceanu.com>
* Hung-Yi Chen <gaod@hychen.org>
* Jaap Akkerhuis <jaap@NLnetLabs.nl>
* Jaap Boender <jaapb@kerguelen.org>
* Jacek Serwatynski <tutus@trynet.eu.org>
* James FitzGibbon <jfitz@FreeBSD.org>
* James Thomason <james@divide.org>
* Jan-Peter Koopmann <Jan-Peter.Koopmann@seceidos.de>
* Janky Jay <ek@purplehat.org>
* Janos Mohacsi
* Janos Mohacsi <janos.mohacsi@bsd.hu>
* Jean-Yves Lefort <jylefort@brutele.be>
* Jim Geovedi <jim@corebsd.or.id>
* Jim Ohlstein <jim@ohlste.in>
* Joe Clarke <marcus@marcuscom.com>
* Joe Marcus Clarke <marcus@FreeBSD.org>
* Johann Visagie <johann@egenetics.com>
* Johann Visagie <wjv@FreeBSD.org>
* John Ferrell <jdferrell3@yahoo.com>
* John Hixson <jhixson@gmail.com>
* John Polstra <jdp@polstra.com>
* John W. O'Brien <john@saltant.com>
* John-Mark Gurney <jmg@FreeBSD.org>
* Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
* Joseph Benden <joe@thrallingpenguin.com>
* Joshua D. Abraham <jabra@ccs.neu.edu>
* Jov <amutu@amutu.com>
* Jui-Nan Lin <jnlin@freebsd.cs.nctu.edu.tw>
* Ka Ho Ng <khng300@gmail.com>
* Kay Lehmann <kay_lehmann@web.de>
* Keith J. Jones <kjones@antihackertoolkit.com>
* Kevin Zheng <kevinz5000@gmail.com>
* Kimura Fuyuki <fuyuki@hadaly.org>
* Kimura Fuyuki <fuyuki@mj.0038.net>
* Klayton Monroe <klm@uidzero.org>
* Konstantin Menshikov <kostjnspb@yandex.ru>
* Koop Mast <kwm@FreeBSD.org>
* Kris Kennaway <kris@FreeBSD.org>
* Kubilay Kocak <koobs@FreeBSD.org>
* Kurt Jaeger <fbsd-ports@opsec.eu>
* LEVAI Daniel <leva@ecentrum.hu>
* Lars Engels <lme@FreeBSD.org>
* Lars Thegler <lth@FreeBSD.org>
* Laurent LEVIER <llevier@argosnet.com>
* Luiz Eduardo R. Cordeiro
* Lukas Slebodnik <lukas.slebodnik@intrak.sk>
* Lukasz Komsta
* Mageirias Anastasios <anastmag@gmail.com>
* Marcel Prisi <marcel.prisi@virtua.ch>
* Marcello Coutinho
* Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
* Mark Felder <feld@FreeBSD.org>
* Mark Hannon <markhannon@optusnet.com.au>
* Mark Murray <markm@FreeBSD.org>
* Mark Pulford <mark@kyne.com.au>
* Marko Njezic <sf@maxempire.com>
* Martin Matuska <martin@tradex.sk>
* Martin Matuska <mm@FreeBSD.org>
* Martin Mersberger
* Martin Wilke <miwi@FreeBSD.org>
* Martti Kuparinen <martti.kuparinen@ericsson.com>
* Mateusz Piotrowski <0mp@FreeBSD.org>
* Matt <matt@xtaz.net>
* Matt Behrens <matt@zigg.com>
* Matthias Andree <mandree@FreeBSD.org>
* Matthias Fechner <mfechner@FreeBSD.org>
* Matthieu BOUTHORS <matthieu@labs.fr>
* Maxim Sobolev <sobomax@FreeBSD.org>
* Meno Abels <meno.abels@adviser.com>
* Michael Haro <mharo@FreeBSD.org>
* Michael Johnson <ahze@FreeBSD.org>
* Michael Nottebrock <lofi@FreeBSD.org>
* Michael Reifenberger <mr@FreeBSD.org>
* Michael Schout <mschout@gkg.net>
* Michal Bielicki <m.bielicki@llizardfs.com>
* Michiel van Baak <michiel@vanbaak.eu
* Mij <mij@bitchx.it>
* Mike Heffner <mheffner@vt.edu>
* Mikhail T. <m.tsatsenko@gmail.com>
* Mikhail Teterin <mi@aldan.algebra.com>
* Milan Obuch
* Mosconi <mosconi.rmg@gmail.com>
* Muhammad Moinur Rahman <5u623l20@gmail.com>
* Mustafa Arif <ma499@doc.ic.ac.uk>
* Neil Booth
* Neil Booth <kyuupichan@gmail.com>
* Nick Barkas <snb@threerings.net>
* Nicola Vitale <nivit@FreeBSD.org>
* Niels Heinen
* Nikola Kolev <koue@chaosophia.net>
* Nobutaka Mantani <nobutaka@FreeBSD.org>
* Oliver Lehmann
* Oliver Lehmann <oliver@FreeBSD.org>
* Olivier Duchateau
* Olivier Duchateau <duchateau.olivier@gmail.com>
* Olli Hauer
* Patrick Li <pat@databits.net>
* Paul Chvostek <paul@it.ca>
* Paul Schmehl <pauls@utdallas.edu>
* Pavel I Volkov <pavelivolkov@googlemail.com>
* Pete Fritchman <petef@databits.net>
* Peter Ankerstal <peter@pean.org>
* Peter Haight <peterh@sapros.com>
* Peter Johnson <johnson.peter@gmail.com>
* Peter Pentchev <roam@FreeBSD.org>
* Petr Rehor <rx@rx.cz>
* Philippe Audeoud <jadawin@tuxaco.net>
* Philippe Rocques <phil@teaser.fr>
* Piotr Kubaj <pkubaj@FreeBSD.org>
* Piotr Kubaj <pkubaj@anongoth.pl>
* Po-Chuan Hsieh <sunpoet@FreeBSD.org>
* RaRa Rasputin <rasputin@submonkey.net>
* Radim Kolar
* Ralf Meister
* Remington Lang <MrL0Lz@gmail.com>
* Renaud Chaput <renchap@cocoa-x.com>
* Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
* Roland van Laar <roland@micite.net>
* Romain Tartiere <romain@blogreen.org>
* Roman Bogorodskiy
* Roman Bogorodskiy <novel@FreeBSD.org>
* Roman Shterenzon <roman@xpert.com>
* Rong-En Fan <rafan@FreeBSD.org>
* Ryan Steinmetz <zi@FreeBSD.org>
* Sahil Tandon <sahil@tandon.net>
* Sascha Holzleiter <sascha@root-login.org>
* SeaD
* Seamus Venasse <svenasse@polaris.ca>
* Sean Greven <sean.greven@gmail.com>
* Sebastian Schuetz <sschuetz@fhm.edu>
* Sergei Kolobov <sergei@FreeBSD.org>
* Sergei Kolobov <sergei@kolobov.com>
* Sergei Vyshenski
* Sergei Vyshenski <svysh.fbsd@gmail.com>
* Sergey Skvortsov <skv@protey.ru>
* Seth Kingsley <sethk@meowfishies.com>
* Shaun Amott <shaun@inerd.com>
* Simeon Simeonov <sgs@pichove.org>
* Simon Dick <simond@irrelevant.org>
* Sofian Brabez <sbrabez@gmail.com>
* Stanislav Sedov <ssedov@mbsd.msk.ru>
* Stefan Esser <se@FreeBSD.org>
* Stefan Grundmann
* Stefan Walter <sw@gegenunendlich.de>
* Stephon Chen <stephon@gmail.com>
* Steve Wills <steve@mouf.net>
* Steve Wills <swills@FreeBSD.org>
* Steven Kreuzer
* Steven Kreuzer <skreuzer@exit2shell.com>
* Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
* TAKAHASHI Kaoru <kaoru@kaisei.org>
* TAKATSU Tomonari <tota@FreeBSD.org>
* Tatsuki Makino <tatsuki_makino@hotmail.com>
* Thibault Payet <monwarez@mailoo.org>
* Thierry Thomas (<thierry@pompo.net>)
* Thierry Thomas <thierry@pompo.net>
* Thomas Hurst <tom@hur.st>
* Thomas Quinot <thomas@cuivre.fr.eu.org>
* Thomas Zander <riggs@FreeBSD.org>
* Thomas von Dein <freebsd@daemon.de>
* Tilman Linneweh <arved@FreeBSD.org>
* Tim Bishop <tim@bishnet.net>
* Tom Judge <tom@tomjudge.com>
* Tomoyuki Sakurai <cherry@trombik.org>
* Toni Viemerö <toni.viemero@iki.fi>
* Tony Maher
* Torsten Zuhlsdorff <ports@toco-domains.de>
* Travis Campbell <hcoyote@ghostar.org>
* Tsung-Han Yeh <snowfly@yuntech.edu.tw>
* Ulf Lilleengen
* Vaida Bogdan <vaida.bogdan@gmail.com>
* Valentin Zahariev <curly@e-card.bg>
* Valerio Daelli <valerio.daelli@gmail.com>
* Veniamin Gvozdikov <vg@FreeBSD.org>
* Victor Popov
* Victor Popov <v.a.popov@gmail.com>
* Vsevolod Stakhov
* Vsevolod Stakhov <vsevolod@FreeBSD.org>
* Wen Heping <wen@FreeBSD.org>
* Wen Heping <wenheping@gmail.com>
* Yarodin <yarodin@gmail.com>
* Yen-Ming Lee <leeym@FreeBSD.org>
* Yen-Ming Lee <leeym@cae.ce.ntu.edu.tw>
* Yen-Ming Lee <leeym@leeym.com>
* Ying-Chieh Liao <ijliao@FreeBSD.org>
* Yonatan <Yonatan@Xpert.com>
* Yonatan <onatan@gmail.com>
* Yoshisato YANAGISAWA
* Yuri Victorovich
* Yuri Victorovich <yuri@rawbw.com>
* Zach Thompson <hideo@lastamericanempire.com>
* Zane C. Bowers <vvelox@vvelox.net>
* Zeus Panchenko <zeus@gnu.org.ua>
* ache
* adamw
* ajk@iu.edu
* alex@FreeBSD.org
* allan@saddi.com
* alm
* andrej@ebert.su
* andrew@scoop.co.nz
* andy@fud.org.nz
* antoine@FreeBSD.org
* arved
* barner
* brix@FreeBSD.org
* buganini@gmail.com
* chinsan
* chris@still.whet.org
* clement
* clsung
* crow
* cy@FreeBSD.org
* dominik karczmarski <dominik@karczmarski.com>
* dwcjr@inethouston.net
* eivind
* erich@rrnet.com
* erwin@FreeBSD.org
* girgen@FreeBSD.org
* glen.j.barber@gmail.com
* hbo@egbok.com
* ijliao
* jesper
* jfitz
* johans
* joris
* kftseng@iyard.org
* kris@FreeBSD.org
* lx
* markm
* mharo@FreeBSD.org
* michaelnottebrock@gmx.net
* mnag@FreeBSD.org
* mp39590@gmail.com
* nbm
* nectar@FreeBSD.org
* nork@FreeBSD.org
* nork@cityfujisawa.ne.jp
* nsayer@FreeBSD.org
* nsayer@quack.kfu.com
* ntarmos@cs.uoi.gr
* oly
* onatan@gmail.com
* pandzilla
* patrick@mindstep.com
* pauls
* perl@FreeBSD.org
* petef@FreeBSD.org
* peter.thoenen@yahoo.com
* ports@c0decafe.net
* ports@rbt.ca
* roam@FreeBSD.org
* rokaz
* sada@FreeBSD.org
* scrappy
* se
* shane@freebsdhackers.net aka modsix@gmail.com
* snb@threerings.net
* sumikawa
* sviat
* teramoto@comm.eng.osaka-u.ac.jp
* thierry@pompo.net
* tobez@FreeBSD.org
* torstenb@FreeBSD.org
* trasz <trasz@pin.if.uz.zgora.pl>
* trevor
* truckman
* vanhu
* vanilla@
* wen@FreeBSD.org
* will
With hat: portmgr
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.11p2 and 1.9.11p1:
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning
when logging to sudo_logsrvd if the command returned no output.
PR: 264643
Approved by: garga (maintainer)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.11p1 and 1.9.11:
* Correctly handle EAGAIN in the I/O read/right events. This fixes
a hang seen on some systems when piping a large amount of data
through sudo, such as via rsync. Bug #963.
* Changes to avoid implementation or unspecified behavior when
bit shifting signed values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual
page. GitHub issue #153.
Major changes between sudo 1.9.11 and 1.9.10:
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
PR: 264554
Approved by: garga (maintainer)
|
| |
|
|
|
|
|
|
|
| |
This a followup to commit 3ee710e0b22309a7e87c71b87bf5510aa8678ed8
sudo-1.9.11 have moved plugins manpages from section 8 to section 5
Pointy hat to: cy
Approved by: portmgr blanket
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.11 and 1.9.10:
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
PR: 264515
Approved by: garga (maintainer)
|
| |
|
|
|
| |
PR: 262331
Approved by: garga (maintainer)
|
| |
|
|
|
| |
PR: 261529
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.8p2 and 1.9.8p1:
* Fixed a potential out-of-bounds read with "sudo -i" when the
target user's shell is bash. This is a regression introduced
in sudo 1.9.8. Bug #998.
* sudo_logsrvd now only sends a log ID for first command of a session.
There is no need to send the log ID for each sub-command.
* Fixed a few minor memory leaks in intercept mode.
* Fixed a problem with sudo_logsrvd in relay mode if "store_first"
was enabled when handling sub-commands. A new zero-length journal
file was created for each sub-command instead of simply using
the existing journal file.
PR: 258666
Submitted by: cy
Reported by: cy
Approved by: garga (maintainer)
MFH: 2021Q3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sudo version 1.9.8 patchelevel 1 is now available which fixes a few
regressions introduced in sudo 1.9.8.
Source:
https://www.sudo.ws/dist/sudo-1.9.8p1.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.8p1.tar.gz
SHA256 checksum:
0939ee24df7095a92e0ca4aa3bd53b2a10965a7b921d51a26ab70cdd24388d69
MD5 checksum:
ae9c8b32268f27d05bcdcb8f0c04d461
Binary packages:
https://www.sudo.ws/download.html#binary
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_8
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.8p1 and 1.9.8:
* Fixed support for passing a prompt (sudo -p) or a login class
(sudo -c) on the command line. This is a regression introduced
in sudo 1.9.8. Bug #993.
* Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
This is a regression introduced in sudo 1.9.8. Bug #994.
* Fixed a compilation error when the --enable-static-sudoers configure
option was specified. This is a regression introduced in sudo
1.9.8 caused by a symbol clash with the intercept and log server
protobuf functions.
PR: 258537
Submitted by: cy
Reported by: Adrian Waters <draenan _ gmail_com>
Approved by: garga (maintainer)
MFH: 2021Q3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.8 and 1.9.7p2:
* It is now possible to transparently intercepting sub-commands
executed by the original command run via sudo. Intercept support
is implemented using LD_PRELOAD (or the equivalent supported by
the system) and so has some limitations. The two main limitations
are that only dynamic executables are supported and only the
execl, execle, execlp, execv, execve, execvp, and execvpe library
functions are currently intercepted. Its main use case is to
support restricting privileged shells run via sudo.
To support this, there is a new "intercept" Defaults setting and
an INTERCEPT command tag that can be used in sudoers. For example:
Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
Defaults!SHELLS intercept
would cause sudo to run the listed shells in intercept mode.
This can also be set on a per-rule basis. For example:
Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
chuck ALL = INTERCEPT: SHELLS
would only apply intercept mode to user "chuck" when running one
of the listed shells.
In intercept mode, sudo will not prompt for a password before
running a sub-command and will not allow a set-user-ID or
set-group-ID program to be run by default. The new
intercept_authenticate and intercept_allow_setid sudoers settings
can be used to change this behavior.
* The new "log_subcmds" sudoers setting can be used to log additional
commands run in a privileged shell. It uses the same mechanism as
the intercept support described above and has the same limitations.
* Support for logging sudo_logsrvd errors via syslog or to a file.
Previously, most sudo_logsrvd errors were only visible in the
debug log.
* Better diagnostics when there is a TLS certificate validation error.
* Using the "+=" or "-=" operators in a Defaults setting that takes
a string, not a list, now produces a warning from sudo and a
syntax error from inside visudo.
* Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
had no effect when creating I/O log parent directories if the I/O log
file name ended with the string "XXXXXX".
* Fixed a bug in the sudoers custom prompt code where the size
parameter that was passed to the strlcpy() function was incorrect.
No overflow was possible since the correct amount of memory was
already pre-allocated.
* The mksigname and mksiglist helper programs are now built with
the host compiler, not the target compiler, when cross-compiling.
Bug #989.
* Fixed compilation error when the --enable-static-sudoers configure
option was specified. This was due to a typo introduced in sudo
1.9.7. GitHub PR #113.
Submitted by: cy
PR: 258479
Approved by: garga (maintainer)
MFH: 2021Q3
|
| |
|
|
| |
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Major changes between sudo 1.9.7p1 and 1.9.7
* Fixed an SELinux sudoedit bug when the edited temporary file
could not be opened. The sesh helper would still be run even
when there are no temporary files available to install.
* Fixed a compilation problem on FreeBSD.
* The sudo_noexec.so file is now built as a module on all systems
other than macOS. This makes it possible to use other libtool
implementations such as slibtool. On macOS shared libraries and
modules are not interchangeable and the version of libtool shipped
with sudo must be used.
* Fixed a few bugs in the getgrouplist() emulation on Solaris when
reading from the local group file.
* Fixed a bug in sudo_logsrvd that prevented periodic relay server
connection retries from occurring in "store_first" mode.
* Disabled the nss_search()-based getgrouplist() emulation on HP-UX
due to a crash when the group source is set to "compat" in
/etc/nsswitch.conf. This is probably due to a mismatch between
include/compat/nss_dbdefs.h and what HP-UX uses internally. On
HP-UX we now just cycle through groups the slow way using
getgrent(). Bug #978.
PR: 256561
Submitted by: cy
Reported by: cy
Approved by: garga (maintainer)
MFH: 2020Q2
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Among other changes this release fixes -fcommon errors. A complete list
of changes can be found at https://www.sudo.ws/stable.html/
PR: 255812
Submitted by: Yasuhiro Kimura <yasu@utahime.org> (mostly)
Reported by: Yasuhiro Kimura <yasu@utahime.org>
Tested by: cy
Approved by: garga (maintainer)
MFH: 2021Q2
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
PR: 254260
Submitted by: Yasuhiro Kimura <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Notes:
svn path=/head/; revision=568647
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(text/plain)
Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156
(aka Baron Samedit), a severe security vulnerability in sudo versions
1.8.2 through 1.9.5p1. For more details, see:
https://www.sudo.ws/alerts/unescape_overflow.html
https://www.openwall.com/lists/oss-security/2021/01/26/3
Source:
https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz
SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978
MD5 e6bc4c18c06346e6b3431637a2b5f3d5
Patch:
https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz
SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc
MD5 2816f5fa537c61fb913046ef20b88e3b
Binary packages:
https://www.sudo.ws/download.html#binary
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.5p2 and 1.9.5p1
* Fixed sudo's setprogname(3) emulation on systems that don't
provide it.
* Fixed a problem with the sudoers log server client where a partial
write to the server could result the sudo process consuming large
amounts of CPU time due to a cycle in the buffer queue. Bug #954.
* Added a missing dependency on libsudo_util in libsudo_eventlog.
Fixes a link error when building sudo statically.
* The user's KRB5CCNAME environment variable is now preserved when
performing PAM authentication. This fixes GSSAPI authentication
when the user has a non-default ccache.
* When invoked as sudoedit, the same set of command line options
are now accepted as for "sudo -e". The -H and -P options are
now rejected for sudoedit and "sudo -e" which matches the sudo
1.7 behavior. This is part of the fix for CVE-2021-3156.
* Fixed a potential buffer overflow when unescaping backslashes
in the command's arguments. Normally, sudo escapes special
characters when running a command via a shell (sudo -s or sudo
-i). However, it was also possible to run sudoedit with the -s
or -i flags in which case no escaping had actually been done,
making a buffer overflow possible. This fixes CVE-2021-3156.
Major changes between sudo 1.9.5p1 and 1.9.5
* Fixed a regression introduced in sudo 1.9.5 where the editor run
by sudoedit was set-user-ID root unless SELinux RBAC was in use.
The editor is now run with the user's real and effective user-IDs.
Major changes between sudo 1.9.5 and 1.9.4p2
* Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
unknown user. This is related to but distinct from Bug #948.
* If the "lecture_file" setting is enabled in sudoers, it must now
refer to a regular file or a symbolic link to a regular file.
* Fixed a potential use-after-free bug in sudo_logsrvd when the
server shuts down if there are existing connections from clients
that are only logging events and not session I/O data.
* Fixed a buffer size mismatch when serializing the list of IP
addresses for configured network interfaces. This bug is not
actually exploitable since the allocated buffer is large enough
to hold the list of addresses.
* If sudo is executed with a name other than "sudo" or "sudoedit",
it will now fall back to "sudo" as the program name. This affects
warning, help and usage messages as well as the matching of Debug
lines in the /etc/sudo.conf file. Previously, it was possible
for the invoking user to manipulate the program name by setting
argv[0] to an arbitrary value when executing sudo.
* Sudo now checks for failure when setting the close-on-exec flag
on open file descriptors. This should never fail but, if it
were to, there is the possibility of a file descriptor leak to
a child process (such as the command sudo runs).
* Fixed CVE-2021-23239, a potential information leak in sudoedit
that could be used to test for the existence of directories not
normally accessible to the user in certain circumstances. When
creating a new file, sudoedit checks to make sure the parent
directory of the new file exists before running the editor.
However, a race condition exists if the invoking user can replace
(or create) the parent directory. If a symbolic link is created
in place of the parent directory, sudoedit will run the editor
as long as the target of the link exists. If the target of the
link does not exist, an error message will be displayed. The
race condition can be used to test for the existence of an
arbitrary directory. However, it _cannot_ be used to write to
an arbitrary location.
* Fixed CVE-2021-23240, a flaw in the temporary file handling of
sudoedit's SELinux RBAC support. On systems where SELinux is
enabled, a user with sudoedit permissions may be able to set the
owner of an arbitrary file to the user-ID of the target user.
On Linux kernels that support "protected symlinks", setting
/proc/sys/fs/protected_symlinks to 1 will prevent the bug from
being exploited. For more information see
https://www.sudo.ws/alerts/sudoedit_selinux.html.
* Added writability checks for sudoedit when SELinux RBAC is in use.
This makes sudoedit behavior consistent regardless of whether
or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir"
setting had no effect for RBAC entries.
* A new sudoers option "selinux" can be used to disable sudo's
SELinux RBAC support.
* Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
Added suppression annotations for PVS Studio false positives.
PR: 253034
Submitted by: cy
Reported by: cy
Reviewed by: emaste
Approved by: emaste
MFH: 2020Q1
Security: CVE-2021-3156, CVE-2021-3156
Differential Revision: https://reviews.freebsd.org/D28363
Notes:
svn path=/head/; revision=562997
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This version fixes a regression introduced by 1.9.5
Changelog: https://www.sudo.ws/stable.html#1.9.5p1
PR: 252598
Submitted by: cy
MFH: 2021Q1
Sponsored by: Rubicon Communications, LLC (Netgate)
Notes:
svn path=/head/; revision=561323
|
