rpms/sudo
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c10
rpms:c10s
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:imports/c9/sudo-1.9.5p2-10.el9_6.2
rpms:imports/c9-beta/sudo-1.9.5p2-13.el9
rpms:imports/c8/sudo-1.9.5p2-1.el8_10.2
rpms:imports/c10/sudo-1.9.15-8.p5.el10_0.2
rpms:imports/c10s/sudo-1.9.15-9.p5.el10
rpms:imports/c8/sudo-1.9.5p2-1.el8_10.1
rpms:imports/c9/sudo-1.9.5p2-10.el9_6.1
rpms:imports/c10/sudo-1.9.15-8.p5.el10_0
rpms:imports/c10s/sudo-1.9.15-8.p5.el10
rpms:imports/c10s/sudo-1.9.15-1.p5.el10
rpms:imports/c10s/sudo-1.9.15-7.p5.el10
rpms:imports/c10s/sudo-1.9.15-6.p5.el10
rpms:imports/c10s/sudo-1.9.15-4.p5.el10
rpms:imports/c9/sudo-1.9.5p2-10.el9_3
rpms:imports/c8/sudo-1.9.5p2-1.el8_9
rpms:imports/c8/sudo-1.8.29-10.el8
rpms:imports/c9/sudo-1.9.5p2-9.el9
rpms:imports/c9-beta/sudo-1.9.5p2-9.el9
rpms:imports/c8-beta/sudo-1.8.29-10.el8
rpms:imports/c8s/sudo-1.8.29-10.el8
rpms:imports/c8/sudo-1.8.29-8.el8_7.1
rpms:imports/c9/sudo-1.9.5p2-7.el9_1.1
rpms:imports/c8s/sudo-1.8.29-9.el8
rpms:imports/c9/sudo-1.9.5p2-7.el9
rpms:imports/c8/sudo-1.8.29-8.el8
rpms:imports/c8-beta/sudo-1.8.29-8.el8
rpms:imports/c8s/sudo-1.8.29-8.el8
rpms:imports/c9-beta/sudo-1.9.5p2-7.el9
rpms:imports/c8/sudo-1.8.29-7.el8_4.1
rpms:imports/c8s/sudo-1.8.29-7.el8_4.1
rpms:imports/c8-beta/sudo-1.8.29-7.el8
rpms:imports/c8-beta/sudo-1.8.29-6.el8
rpms:imports/c8-beta/sudo-1.8.29-2.el8
rpms:imports/c8-beta/sudo-1.8.25p1-5.el8
rpms:imports/c8s/sudo-1.8.29-7.el8
rpms:imports/c8s/sudo-1.8.29-6.el8
rpms:imports/c8s/sudo-1.8.29-5.el8
rpms:imports/c8/sudo-1.8.29-7.el8
rpms:imports/c8/sudo-1.8.29-6.el8_3.1
rpms:imports/c8/sudo-1.8.29-6.el8
rpms:imports/c8/sudo-1.8.29-5.el8
rpms:imports/c8/sudo-1.8.25p1-8.el8_1.1
...
pull from: rpms:c9-beta
Branches Tags
rpms:c9
rpms:c9-beta
rpms:c8
rpms:c10
rpms:c10s
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:imports/c9/sudo-1.9.5p2-10.el9_6.2
rpms:imports/c9-beta/sudo-1.9.5p2-13.el9
rpms:imports/c8/sudo-1.9.5p2-1.el8_10.2
rpms:imports/c10/sudo-1.9.15-8.p5.el10_0.2
rpms:imports/c10s/sudo-1.9.15-9.p5.el10
rpms:imports/c8/sudo-1.9.5p2-1.el8_10.1
rpms:imports/c9/sudo-1.9.5p2-10.el9_6.1
rpms:imports/c10/sudo-1.9.15-8.p5.el10_0
rpms:imports/c10s/sudo-1.9.15-8.p5.el10
rpms:imports/c10s/sudo-1.9.15-1.p5.el10
rpms:imports/c10s/sudo-1.9.15-7.p5.el10
rpms:imports/c10s/sudo-1.9.15-6.p5.el10
rpms:imports/c10s/sudo-1.9.15-4.p5.el10
rpms:imports/c9/sudo-1.9.5p2-10.el9_3
rpms:imports/c8/sudo-1.9.5p2-1.el8_9
rpms:imports/c8/sudo-1.8.29-10.el8
rpms:imports/c9/sudo-1.9.5p2-9.el9
rpms:imports/c9-beta/sudo-1.9.5p2-9.el9
rpms:imports/c8-beta/sudo-1.8.29-10.el8
rpms:imports/c8s/sudo-1.8.29-10.el8
rpms:imports/c8/sudo-1.8.29-8.el8_7.1
rpms:imports/c9/sudo-1.9.5p2-7.el9_1.1
rpms:imports/c8s/sudo-1.8.29-9.el8
rpms:imports/c9/sudo-1.9.5p2-7.el9
rpms:imports/c8/sudo-1.8.29-8.el8
rpms:imports/c8-beta/sudo-1.8.29-8.el8
rpms:imports/c8s/sudo-1.8.29-8.el8
rpms:imports/c9-beta/sudo-1.9.5p2-7.el9
rpms:imports/c8/sudo-1.8.29-7.el8_4.1
rpms:imports/c8s/sudo-1.8.29-7.el8_4.1
rpms:imports/c8-beta/sudo-1.8.29-7.el8
rpms:imports/c8-beta/sudo-1.8.29-6.el8
rpms:imports/c8-beta/sudo-1.8.29-2.el8
rpms:imports/c8-beta/sudo-1.8.25p1-5.el8
rpms:imports/c8s/sudo-1.8.29-7.el8
rpms:imports/c8s/sudo-1.8.29-6.el8
rpms:imports/c8s/sudo-1.8.29-5.el8
rpms:imports/c8/sudo-1.8.29-7.el8
rpms:imports/c8/sudo-1.8.29-6.el8_3.1
rpms:imports/c8/sudo-1.8.29-6.el8
rpms:imports/c8/sudo-1.8.29-5.el8
rpms:imports/c8/sudo-1.8.25p1-8.el8_1.1

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

5 changed files with 236 additions and 288 deletions
Show Stats Expand all files Collapse all files

25
SOURCES/sudo-conf.patch Normal file
View File

@ -0,0 +1,25 @@
diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
--- ./examples/sudo.conf.in.fix 2021-07-09 16:29:45.854347994 +0200
+++ ./examples/sudo.conf.in 2021-07-09 16:31:01.144410540 +0200
@@ -11,9 +11,9 @@
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
-#Plugin sudoers_policy sudoers.so
-#Plugin sudoers_io sudoers.so
-#Plugin sudoers_audit sudoers.so
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+Plugin sudoers_audit sudoers.so
#
# Sudo askpass:
@@ -78,7 +78,7 @@
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
-#Set disable_coredump false
+Set disable_coredump false
#
# User groups:

78
SOURCES/sudo-reintroduce-cmnd_no_wait.patch
View File

@ -1,78 +0,0 @@
From 59cd3a7330a402b289641f7d605ce3ae6671a64f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Wed, 16 Jul 2025 17:02:45 +0200
Subject: [PATCH] Reintroduce cmnd_no_wait
---
plugins/sudoers/def_data.c | 4 ++++
plugins/sudoers/def_data.h | 2 ++
plugins/sudoers/def_data.in | 3 +++
plugins/sudoers/sudoers.c | 13 +++++++++++++
4 files changed, 22 insertions(+)
diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
index 56cd224..19188a6 100644
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -573,6 +573,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"selinux", T_FLAG,
N_("Enable SELinux RBAC support"),
NULL,
+ }, {
+ "cmnd_no_wait", T_FLAG,
+ N_("Don't fork and wait for the command to finish, just exec it"),
+ NULL,
}, {
NULL, 0, NULL
}
diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
index 5c712b8..86b0886 100644
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -264,6 +264,8 @@
#define def_log_format (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
#define I_SELINUX 131
#define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag)
+#define I_CMND_NO_WAIT 132
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
enum def_tuple {
never,
diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
index e8162e8..b0027c4 100644
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -412,3 +412,6 @@ log_format
selinux
T_FLAG
"Enable SELinux RBAC support"
+cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 80a7089..4a972df 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -221,6 +221,19 @@ sudoers_init(void *info, char * const envp[])
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
ret = true;
+ /*
+ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
+ * and I/O logging. This will cause sudo to execute the given command
+ * directly instead of forking a separate process for it.
+ */
+ if (def_cmnd_no_wait) {
+ def_pam_setcred = false;
+ def_pam_session = false;
+ def_use_pty = false;
+ def_log_input = false;
+ def_log_output = false;
+ }
+
cleanup:
if (!restore_perms())
ret = -1;
--
2.50.1

12
SOURCES/sudo-separator.patch
View File

@ -1,8 +1,7 @@
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
index 0febe66..d9f0400 100644
--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -176,6 +176,7 @@ new_logline(int event_type, int flags, struct eventlog_args *args,
diff -up ./lib/eventlog/eventlog.c.separator ./lib/eventlog/eventlog.c
--- ./lib/eventlog/eventlog.c.separator 2025-03-31 17:03:34.700244658 +0200
+++ ./lib/eventlog/eventlog.c 2025-03-31 17:04:39.943669191 +0200
@@ -176,6 +176,7 @@ new_logline(int event_type, int flags, s
sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
evlog->env_add[i]);
}
@ -10,6 +9,3 @@ index 0febe66..d9f0400 100644
}
if (evlog->command != NULL) {
sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,
--
2.50.1

57
SOURCES/sudo.conf
View File

@ -1,57 +0,0 @@
#
# Default /etc/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# Sudo plugins:
#
# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
# The sudoers plugin is used by default if no Plugin lines are present.
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
#
# Sudo askpass:
#
# An askpass helper program may be specified to provide a graphical
# password prompt for "sudo -A" support. Sudo does not ship with its
# own passpass program but can use the OpenSSH askpass.
#
# Use the OpenSSH askpass
#Path askpass /usr/X11R6/bin/ssh-askpass
#
# Use the Gnome OpenSSH askpass
#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
#
# Sudo noexec:
#
# Path to a shared library containing dummy versions of the execv(),
# execve() and fexecve() library functions that just return an error.
# This is used to implement the "noexec" functionality on systems that
# support C<LD_PRELOAD> or its equivalent.
# The compiled-in value is usually sufficient and should only be changed
# if you rename or move the sudo_noexec.so file.
#
#Path noexec /usr/libexec/sudo_noexec.so
#
# Core dumps:
#
# By default, sudo disables core dumps while it is executing (they
# are re-enabled for the command that is run).
# To aid in debugging sudo problems, you may wish to enable core
# dumps by setting "disable_coredump" to false.
#
# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
#
Set disable_coredump false

350
SPECS/sudo.spec
View File

@ -1,36 +1,31 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.9.5p2
Release: 1%{?dist}.2
Release: 13%{?dist}
License: ISC
Group: Applications/System
URL: https://www.sudo.ws/
URL: https://www.sudo.ws
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source0: %{url}/dist/%{name}-%{version}.tar.gz
Source1: sudoers
Source2: sudo-ldap.conf
Source3: sudo.conf
Requires: /etc/pam.d/system-auth
Requires: /usr/bin/vi
Requires(post): /bin/chmod
Requires: pam
Requires(post): coreutils
BuildRequires: /usr/sbin/sendmail
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: flex
BuildRequires: gettext
BuildRequires: groff
BuildRequires: libtool
BuildRequires: audit-libs-devel
BuildRequires: libcap-devel
BuildRequires: libgcrypt-devel
BuildRequires: libselinux-devel
BuildRequires: openldap-devel
BuildRequires: make
BuildRequires: pam-devel
BuildRequires: groff
BuildRequires: openldap-devel
BuildRequires: flex
BuildRequires: bison
BuildRequires: automake autoconf libtool
BuildRequires: audit-libs-devel libcap-devel
BuildRequires: libselinux-devel
BuildRequires: sendmail
BuildRequires: gettext
BuildRequires: zlib-devel
Patch1: sudo-conf.patch
Patch2: sudo-1.9.5-undefined-symbol.patch
Patch3: sudo-1.9.5-selinux-t.patch
Patch4: sudo-1.9.5-sesh-bad-condition.patch
@ -52,10 +47,8 @@ Patch17: sudo-1.9.13-CVE-2023-28486-7-9.patch
Patch18: linker.patch
Patch19: sudo-1.9.15-CVE-2023-42465.patch
Patch20: sudo-1.9.17-CVE-2025-32462.patch
Patch21: sudo-reintroduce-cmnd_no_wait.patch
Patch22: sudo-separator.patch
Patch20: sudo-separator.patch
Patch21: sudo-1.9.17-CVE-2025-32462.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -70,16 +63,25 @@ on many different machines.
%package devel
Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
The %{name}-devel package contains header files developing sudo
plugins that use %{name}.
%package python-plugin
Summary: Python plugin for %{name}
Requires: %{name} = %{version}-%{release}
BuildRequires: python3-devel
%description python-plugin
%{name}-python-plugin allows using sudo plugins written in Python.
%prep
%setup -q
%patch -P 1 -p1 -b .sudo-conf
%patch -P 2 -p1 -b .undefined
%patch -P 3 -p1 -b .selinux-t
%patch -P 4 -p1 -b .bad-cond
@ -100,9 +102,9 @@ plugins that use %{name}.
%patch -P 18 -p1 -b .linker
%patch -P 19 -p1 -b .rowhammer
%patch -P 20 -p1 -b .cve-host
%patch -P 21 -p1 -b .cmnd_no_wait
%patch -P 22 -p1 -b .separator
%patch -P 20 -p1 -b .separator
%patch -P 21 -p1 -b .cve-host
%build
# Remove bundled copy of zlib
@ -138,8 +140,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
--with-selinux \
--with-passprompt="[sudo] password for %p: " \
--enable-python \
--with-linux-audit \
--disable-python \
--with-sssd
# --without-kerb5 \
# --without-kerb4
@ -155,14 +157,13 @@ rm -rf $RPM_BUILD_ROOT
sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo.conf
# create sudo-ldap.conf man
echo ".so man5/sudoers.ldap.5" > sudo-ldap.conf.5
@ -173,7 +174,7 @@ rm -f sudo-ldap.conf.5.gz
# we are not building sendlog so we don't need this
rm -rf $RPM_BUILD_ROOT/%{_mandir}/man8/sudo_sendlog.8
# Add sudo to protected packages
# add sudo to protected packages
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
touch sudo.conf
echo sudo > sudo.conf
@ -201,6 +202,7 @@ cat sudo.lang sudoers.lang > sudo_all.lang
rm sudo.lang sudoers.lang
mkdir -p $RPM_BUILD_ROOT/etc/pam.d
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
#%%PAM-1.0
auth include system-auth
@ -218,10 +220,6 @@ session optional pam_keyinit.so force revoke
session include sudo
EOF
%clean
rm -rf $RPM_BUILD_ROOT
%files -f sudo_all.lang
%defattr(-,root,root)
%attr(0440,root,root) %config(noreplace) /etc/sudoers
@ -231,7 +229,7 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%dir /var/db/sudo
%dir /var/db/sudo/lectured
%attr(4111,root,root) %{_bindir}/sudo
@ -266,148 +264,212 @@ rm -rf $RPM_BUILD_ROOT
%license doc/LICENSE
%exclude %{_pkgdocdir}/ChangeLog
# Make sure permissions are ok even if we're updating
%post
/bin/chmod 0440 /etc/sudoers || :
%files devel
%defattr(-,root,root,-)
%doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h
%{_mandir}/man8/sudo_plugin.8*
%files python-plugin
%{_mandir}/man8/sudo_plugin_python.8.gz
%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
%changelog
* Wed Jul 16 2025 Alejandro López <allopez@redhat.com> - 1.9.5p2-10.2
RHEL 8.10.0.Z ERRATUM
- Reintroduce cmnd_no_wait
Resolves: RHEL-51956
- Missing separator in the log
Resolves: RHEL-71913
* Wed Jun 25 2025 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-10.1
RHEL 8.10.0.Z ERRATUM
* Fri Apr 25 2025 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-13
RHEL: 9.7.0 ERRATUM
- sudo missing spacing and separator in log when using "--preserve-env=list"
Resolves: RHEL-71916
- CVE-2025-32462 sudo: LPE via host option
Resolves: RHEL-100014
Resolves: RHEL-100020
* Mon Jan 22 2024 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-1
RHEL 8.9.0.Z ERRATUM
- Rebase to 1.9.5p2
- CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
Resolves: RHEL-21825
* Mon Jan 22 2024 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-10
RHEL 9.3.0.Z ERRATUM
- CVE-2023-28487 sudo: Sudo does not escape control characters in sudoreplay output
Resolves: RHEL-21831
Resolves: RHEL-21834
- CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
Resolves: RHEL-21828
- CVE-2023-42465 sudo: Targeted Corruption of Register and Stack Variables
Resolves: RHEL-21820
Resolves: RHEL-21821
* Wed Jan 11 2023 Radovan Sroka <rsroka@redhat.com> - 1.8.29.9
RHEL 8.8.0 ERRATUM
* Thu Jan 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-9
RHEL 9.2.0 ERRATUM
- CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
Resolves: rhbz#2161221
Resolves: rhbz#2161225
* Wed Jan 11 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-8
RHEL 9.2.0 ERRATUM
- sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
Resolves: rhbz#2114576
Resolves: rhbz#2115789
* Mon Dec 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-8
RHEL 8.6.0 ERRATUM
- sudoedit does not work with selinux args
Resolves: rhbz#2029551
- Make sure SIGCHLD is not ignored when sudo is executed
Resolves: rhbz#1999751
- [RFE] pass KRB5CCNAME to pam_authenticate environment if available
Resolves: rhbz#1917379
* Fri Aug 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-7
- utmp resource leak in sudo
Resolves: rhbz#1986572
Resolves: rhbz#1986579
- sudo does not list /etc/dnf/protected.d/sudo.conf in the rpm config files listing
Resolves: rhbz#1997030
- sudo uses Recommends for sudo-python-plugin(x86-64) = 1.9.5p2-2.el9 and vim-minimal
Resolves: rhbz#1947908
- review of important potential issues detected by static analyzers in sudo-1.9.5p2-2.el9
Resolves: rhbz#1938879
* Tue Feb 02 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-7
- RHEL 8.4 ERRATUM
- CVE-2021-3156
Resolves: rhbz#1917734
- CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
Resolves: rhzb#1916434
- CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
Resolves: rhbz#1917038
- updated upstream url
Resolves: rhbz#1923825
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Apr 28 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-6
- RHEL 8.3 ERRATUM
- sudo allows privilege escalation with expire password
Resolves: rhbz#1815164
* Fri Jul 09 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-5
RHEL 9 BETA
- sync with rhel8 spec
Resolves: rhbz#1908882
Resolves: rhbz#1942383
Resolves: rhbz#1946707
Resolves: rhbz#1946709
Resolves: rhbz#1981278
* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-5
- RHEL 8.2 ERRATUM
- CVE-2019-18634
Resolves: rhbz#1798093
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jan 14 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-4
- RHEL 8.2 ERRATUM
- CVE-2019-19232
Resolves: rhbz#1786987
Resolves: rhbz#1796518
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Oct 30 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-2
- RHEL 8.2 ERRATUM
* Tue Feb 09 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.9.5p2-2
- change ldap.conf to sudo-ldap.conf
Resolves: rhbz#1908882
- remove /usr/local/* from secure_path
Resolves: rhbz#1908923
- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
Resolves: rhbz#1916655
- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
Resolves: rhbz#1917039
- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
Resolves: rhbz#1917735
* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1
- rebase to 1.9.5p2
Resolves: rhbz#1920611
- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
Resolves: rhbz#1920618
* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1
- rebase to 1.9.5p1
Resolves: rhbz#1902758
- fixed double free in sss_to_sudoers
Resolves: rhbz#1885874
- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
Resolves: rhbz#1915055
- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
Resolves: rhbz#1915054
* Wed Jan 13 2021 Jonathan Lebon <jonathan@jlebon.com> - 1.9.3p1-2
- split out Python modules into separate subpackage
Resolves: rhbz#1909299
* Mon Oct 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.3p1-1
- rebase to 1.9.3p1
- enable python modules
Resolves: rhbz#1881112
* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
- rebase to 1.9.2
Resolves: rhbz#1859577
- added logsrvd subpackage
- added openssl-devel buildrequires
Resolves: rhbz#1860653
- fixed sudo runstatedir path
- it was generated as /sudo instead of /run/sudo
Resolves: rhbz#1868215
- added /var/lib/snapd/snap/bin to secure_path variable
Resolves: rhbz#1691996
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 08 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.1-1
- rebase to 1.9.1
Resolves: rhbz#1848788
- fix rpmlint errors
Resolves: rhbz#1817139
* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
- update to latest development version 1.9.0b4
Resolves: rhbz#1816593
- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
Resolves: rhbz#1773148
* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
- update to latest development version 1.9.0b1
- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
Resolves: rhbz#1787823
- Stack based buffer overflow in when pwfeedback is enabled
Resolves: rhbz#1796945
- fixes: CVE-2019-18634
- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
Resolves: rhbz#1786709
- fixes CVE-2019-19234
- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
Resolves: rhbz#1786705
- fixes CVE-2019-19232
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1
- rebase to 1.8.29
Resolves: rhbz#1733961
Resolves: rhbz#1651662
Resolves: rhbz#1766233
* Fri Oct 25 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
- RHEL 8.2 ERRATUM
* Tue Oct 22 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
- rebase to 1.8.28p1
Resolves: rhbz#1733961
- fixed man page for always_set_home
Resolves: rhbz#1576880
- sudo does not work with notbefore/after
Resolves: rhbz#1679508
- NOTBEFORE showing value of sudoNotAfter Ldap attribute
Resolves: rhbz#1715516
- CVE-2019-14287 sudo
- Privilege escalation via 'Runas' specification with 'ALL' keyword
Resolves: rhbz#1760697
Resolves: rhbz#1762350
* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
- RHEL 8.1 ERRATUM
- sudo ipa_hostname not honored
Resolves: rhbz#1738662
* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1
- rebase to 1.8.28
Resolves: rhbz#1761533
- set always_set_home by default
Resolves: rhbz#1728687
- Sync sudoers options from rhel8 to fedora
Resolves: rhbz#1761781
- CVE-2019-14287
Resolves: rhbz#1761584
* Mon Aug 12 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-6
- RHEL 8.1 ERRATUM
- Fixed The LDAP backend which is not properly parsing sudoOptions,
resulting in selinux roles not being applied
Resolves: rhbz#1738326
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue May 28 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-5
- RHEL 8.1 ERRATUM
- Fixed problem with sudo-1.8.23 and 'who am i'
Resolves: rhbz#1673886
- Backporting sudo bug with expired passwords
Resolves: rhbz#1676819
* Sun Mar 31 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.27-2
- resolves rhbz#1676925
- Removed PS1, PS2 from sudoers
* Tue Dec 11 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-4
- Fix most of the man page scans problems
- Resolves: rhbz#1613327
* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> 1.8.27-1
- rebase sudo to 1.8.27
* Fri Oct 12 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-3
- bump release for new build
Resolves: rhbz#1625683
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.25p1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Oct 11 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-2
- Depend explicitly on /usr/sbin/sendmail instead of sendmail (rhel-7 sync)
- Simplified pam configuration file by removing duplicate pam stack entries
Resolves: rhbz#1633144
* Mon Oct 01 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25p1-1
- rebase sudo to 1.8.25p1
* Wed Sep 26 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-1
- rebase to the new upstream version 1.8.25p1
- sync patches with rhel-7.6
- sync sudoers with rhel-7.6
resolves: rhbz#1633144
* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25-1
- rebase sudo to latest stawble version
- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968)
* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.23-2
- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo
resolves: rhbz#1626972
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.23-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu May 17 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1
- Packaging update for RHEL 8.0 (sync with latest RHEL 7 state)
* Tue Jul 03 2018 Matthew Miller <mattdm@fedoraproject.org> - 1.8.23-2
- remove defattr, as default is now sane
* Wed May 09 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1
- update to 1.8.23
* Wed Apr 18 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-0.1.b3
- update to 1.8.23b3
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.22-0.2.b1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild