.gitignore

@@ -1 +1,29 @@
-SOURCES/sudo-1.9.5p2.tar.gz
+/sudo-1.8.16.tar.gz
+/sudo-1.8.17p1.tar.gz
+/sudo-1.8.18b2.tar.gz
+/sudo-1.8.18rc2.tar.gz
+/sudo-1.8.18rc4.tar.gz
+/sudo-1.8.18.tar.gz
+/sudo-90e4538c001fbe1b791a11d6a2c37607472fafe5.tar.gz
+/sudo-738c3cbf3e8400bf4a5aeab8966427ff6d630cd2.tar.gz
+/sudo-1.8.19p2.tar.gz
+/sudo-1.8.20b1.tar.gz
+/sudo-1.8.20p1.tar.gz
+/sudo-1.8.20p2.tar.gz
+/sudo-1.8.21p2.tar.gz
+/sudo-1.8.22b1.tar.gz
+/sudo-1.8.23b3.tar.gz
+/sudo-1.8.23.tar.gz
+/sudo-1.8.25.tar.gz
+/sudo-1.8.25p1.tar.gz
+/sudo-1.8.27.tar.gz
+/sudo-1.8.28.tar.gz
+/sudo-1.8.28p1.tar.gz
+/sudo-1.8.29.tar.gz
+/sudo-1.9.0b1.tar.gz
+/sudo-1.9.0b4.tar.gz
+/sudo-1.9.1.tar.gz
+/sudo-1.9.2.tar.gz
+/sudo-1.9.3p1.tar.gz
+/sudo-1.9.5p1.tar.gz
+/sudo-1.9.5p2.tar.gz

.sudo.metadata

@@ -1 +1 @@
-08bde247a1e08bc881eec43e09733f7ca06408f5 SOURCES/sudo-1.9.5p2.tar.gz
+08bde247a1e08bc881eec43e09733f7ca06408f5 sudo-1.9.5p2.tar.gz

SOURCES/sudo.conf

@@ -1,57 +0,0 @@
-#
-# Default /etc/sudo.conf file
-#
-# Format:
-#   Plugin plugin_name plugin_path plugin_options ...
-#   Path askpass /path/to/askpass
-#   Path noexec /path/to/sudo_noexec.so
-#   Debug sudo /var/log/sudo_debug all@warn
-#   Set disable_coredump true
-#
-# Sudo plugins:
-#
-# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-#   that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-# The sudoers plugin is used by default if no Plugin lines are present.
-Plugin sudoers_policy sudoers.so
-Plugin sudoers_io sudoers.so
-
-#
-# Sudo askpass:
-#
-# An askpass helper program may be specified to provide a graphical
-# password prompt for "sudo -A" support.  Sudo does not ship with its
-# own passpass program but can use the OpenSSH askpass.
-#
-# Use the OpenSSH askpass
-#Path askpass /usr/X11R6/bin/ssh-askpass
-#
-# Use the Gnome OpenSSH askpass
-#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
-
-#
-# Sudo noexec:
-#
-# Path to a shared library containing dummy versions of the execv(),
-# execve() and fexecve() library functions that just return an error.
-# This is used to implement the "noexec" functionality on systems that
-# support C<LD_PRELOAD> or its equivalent.
-# The compiled-in value is usually sufficient and should only be changed
-# if you rename or move the sudo_noexec.so file.
-#
-#Path noexec /usr/libexec/sudo_noexec.so
-
-#
-# Core dumps:
-#
-# By default, sudo disables core dumps while it is executing (they
-# are re-enabled for the command that is run).
-# To aid in debugging sudo problems, you may wish to enable core
-# dumps by setting "disable_coredump" to false.
-#
-# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
-#
-Set disable_coredump false

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1 @@
+SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27

sudo-conf.patch

@@ -0,0 +1,25 @@
+diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
+--- ./examples/sudo.conf.in.fix	2021-07-09 16:29:45.854347994 +0200
++++ ./examples/sudo.conf.in	2021-07-09 16:31:01.144410540 +0200
+@@ -11,9 +11,9 @@
+ # The plugin_options are optional.
+ #
+ # The sudoers plugin is used by default if no Plugin lines are present.
+-#Plugin sudoers_policy sudoers.so
+-#Plugin sudoers_io sudoers.so
+-#Plugin sudoers_audit sudoers.so
++Plugin sudoers_policy sudoers.so
++Plugin sudoers_io sudoers.so
++Plugin sudoers_audit sudoers.so
+ 
+ #
+ # Sudo askpass:
+@@ -78,7 +78,7 @@
+ # To aid in debugging sudo problems, you may wish to enable core
+ # dumps by setting "disable_coredump" to false.
+ #
+-#Set disable_coredump false
++Set disable_coredump false
+ 
+ #
+ # User groups:

sudo.rpmlintrc

@@ -0,0 +1,16 @@
+# Sudo allows restricted root access for specified users. In other words,
+# it is a special package, which requires special permissions on on some
+# of the installed files.
+addFilter("missing-call-to-setgroups-before-setuid (/usr/bin/sudo|/usr/bin/sudoreplay|/usr/sbin/sudo_logsrvd|/usr/sbin/sudo_sendlog|/usr/libexec/sudo/sudoers.so|)$")
+
+addFilter("non-readable (/etc/sudo.conf|/etc/sudo_logsrvd.conf|/etc/sudoers|/usr/bin/sudoreplay) .*$")
+
+addFilter("non-standard-dir-perm (/etc/sudoers.d|/var/db/sudo|/var/db/sudo/lectured) .*$")
+
+addFilter("setuid-binary /usr/bin/sudo .*$")
+
+addFilter("non-standard-executable-perm (/usr/bin/sudo|/usr/bin/sudoreplay) .*$")
+
+addFilter("wrong-file-end-of-line-encoding /usr/share/doc/sudo/schema.ActiveDirectory$")
+
+addFilter("non-standard-dir-in-var db$")

sudo.spec

@@ -1,36 +1,31 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{?dist}
+Release: 10%{?dist}
 License: ISC
-Group: Applications/System
-URL: https://www.sudo.ws/
+URL: https://www.sudo.ws
 
-Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+Source0: %{url}/dist/%{name}-%{version}.tar.gz
 Source1: sudoers
 Source2: sudo-ldap.conf
-Source3: sudo.conf
 
-Requires: /etc/pam.d/system-auth
-Requires: /usr/bin/vi
-Requires(post): /bin/chmod
+Requires: pam
+Requires(post): coreutils
 
-BuildRequires: /usr/sbin/sendmail
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: bison
-BuildRequires: flex
-BuildRequires: gettext
-BuildRequires: groff
-BuildRequires: libtool
-BuildRequires: audit-libs-devel
-BuildRequires: libcap-devel
-BuildRequires: libgcrypt-devel
-BuildRequires: libselinux-devel
-BuildRequires: openldap-devel
+BuildRequires: make
 BuildRequires: pam-devel
+BuildRequires: groff
+BuildRequires: openldap-devel
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: automake autoconf libtool
+BuildRequires: audit-libs-devel libcap-devel
+BuildRequires: libselinux-devel
+BuildRequires: sendmail
+BuildRequires: gettext
 BuildRequires: zlib-devel
 
+Patch1: sudo-conf.patch
 Patch2: sudo-1.9.5-undefined-symbol.patch
 Patch3: sudo-1.9.5-selinux-t.patch
 Patch4: sudo-1.9.5-sesh-bad-condition.patch
@@ -66,16 +61,25 @@ on many different machines.
 
 %package        devel
 Summary:        Development files for %{name}
-Group:          Development/Libraries
 Requires:       %{name} = %{version}-%{release}
 
 %description    devel
 The %{name}-devel package contains header files developing sudo
 plugins that use %{name}.
 
+%package        python-plugin
+Summary:        Python plugin for %{name}
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  python3-devel
+
+
+%description    python-plugin
+%{name}-python-plugin allows using sudo plugins written in Python.
+
 %prep
 %setup -q
 
+%patch -P 1 -p1 -b .sudo-conf
 %patch -P 2 -p1 -b .undefined
 %patch -P 3 -p1 -b .selinux-t
 %patch -P 4 -p1 -b .bad-cond
@@ -95,9 +99,9 @@ plugins that use %{name}.
 %patch -P 17 -p1 -b .cve-escape-9
 
 %patch -P 18 -p1 -b .linker
-
 %patch -P 19 -p1 -b .rowhammer
 
+
 %build
 # Remove bundled copy of zlib
 rm -rf zlib/
@@ -132,8 +136,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
         --with-selinux \
         --with-passprompt="[sudo] password for %p: " \
+        --enable-python \
         --with-linux-audit \
-        --disable-python \
         --with-sssd
 #       --without-kerb5 \
 #       --without-kerb4
@@ -149,14 +153,13 @@ rm -rf $RPM_BUILD_ROOT
 sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
 
 make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+
 chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
 install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
-install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo.conf
-
 
 # create sudo-ldap.conf man
 echo ".so man5/sudoers.ldap.5" > sudo-ldap.conf.5
@@ -167,7 +170,7 @@ rm -f sudo-ldap.conf.5.gz
 # we are not building sendlog so we don't need this
 rm -rf $RPM_BUILD_ROOT/%{_mandir}/man8/sudo_sendlog.8
 
-# Add sudo to protected packages
+# add sudo to protected packages
 install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
 touch sudo.conf
 echo sudo > sudo.conf
@@ -182,7 +185,7 @@ rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
 # Remove examples; Examples can be found in man pages too.
 rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
 
-# Remove all .la files
+#Remove all .la files
 find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
 # Remove sudoers.dist
@@ -195,6 +198,7 @@ cat sudo.lang sudoers.lang > sudo_all.lang
 rm sudo.lang sudoers.lang
 
 mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
 #%%PAM-1.0
 auth       include      system-auth
@@ -212,10 +216,6 @@ session    optional     pam_keyinit.so force revoke
 session    include      sudo
 EOF
 
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %files -f sudo_all.lang
 %defattr(-,root,root)
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
@@ -225,7 +225,7 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) /etc/pam.d/sudo
 %config(noreplace) /etc/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
-%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
+%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
 %dir /var/db/sudo
 %dir /var/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
@@ -260,136 +260,205 @@ rm -rf $RPM_BUILD_ROOT
 %license doc/LICENSE
 %exclude %{_pkgdocdir}/ChangeLog
 
-
 # Make sure permissions are ok even if we're updating
 %post
 /bin/chmod 0440 /etc/sudoers || :
 
+
 %files devel
-%defattr(-,root,root,-)
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
 
+%files python-plugin
+%{_mandir}/man8/sudo_plugin_python.8.gz
+%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
+
 %changelog
-* Mon Jan 22 2024 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-1
-RHEL 8.9.0.Z ERRATUM
-- Rebase to 1.9.5p2
-- CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
-Resolves: RHEL-21825
+* Mon Jan 22 2024 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-10
+RHEL 9.3.0.Z ERRATUM
 - CVE-2023-28487 sudo: Sudo does not escape control characters in sudoreplay output
-Resolves: RHEL-21831
+Resolves: RHEL-21834
+- CVE-2023-28486 sudo: Sudo does not escape control characters in log messages
+Resolves: RHEL-21828
 - CVE-2023-42465 sudo: Targeted Corruption of Register and Stack Variables
-Resolves: RHEL-21820
+Resolves: RHEL-21821
 
-* Wed Jan 11 2023 Radovan Sroka <rsroka@redhat.com> - 1.8.29.9
-RHEL 8.8.0 ERRATUM
+
+* Thu Jan 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-9
+RHEL 9.2.0 ERRATUM
 - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
-Resolves: rhbz#2161221
+Resolves: rhbz#2161225
+
+* Wed Jan 11 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-8
+RHEL 9.2.0 ERRATUM
 - sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
-Resolves: rhbz#2114576
+Resolves: rhbz#2115789
 
-* Mon Dec 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-8
-RHEL 8.6.0 ERRATUM
-- sudoedit does not work with selinux args
-Resolves: rhbz#2029551
-- Make sure SIGCHLD is not ignored when sudo is executed
-Resolves: rhbz#1999751
-- [RFE] pass KRB5CCNAME to pam_authenticate environment if available
-Resolves: rhbz#1917379
+* Fri Aug 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-7
 - utmp resource leak in sudo
-Resolves: rhbz#1986572
+Resolves: rhbz#1986579
+- sudo does not list /etc/dnf/protected.d/sudo.conf in the rpm config files listing
+Resolves: rhbz#1997030
+- sudo uses Recommends for sudo-python-plugin(x86-64) = 1.9.5p2-2.el9 and vim-minimal
+Resolves: rhbz#1947908
+- review of important potential issues detected by static analyzers in sudo-1.9.5p2-2.el9
+Resolves: rhbz#1938879
 
-* Tue Feb 02 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-7
-- RHEL 8.4 ERRATUM
-- CVE-2021-3156
-Resolves: rhbz#1917734
-- CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
-Resolves: rhzb#1916434
-- CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
-Resolves: rhbz#1917038
-- updated upstream url
-Resolves: rhbz#1923825
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Apr 28 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-6
-- RHEL 8.3 ERRATUM
-- sudo allows privilege escalation with expire password
-Resolves: rhbz#1815164
+* Fri Jul 09 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-5
+RHEL 9 BETA
+- sync with rhel8 spec
+Resolves: rhbz#1908882
+Resolves: rhbz#1942383
+Resolves: rhbz#1946707
+Resolves: rhbz#1946709
+Resolves: rhbz#1981278
 
-* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-5
-- RHEL 8.2 ERRATUM
-- CVE-2019-18634
-Resolves: rhbz#1798093
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-4
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
 
-* Tue Jan 14 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-4
-- RHEL 8.2 ERRATUM
-- CVE-2019-19232
-Resolves: rhbz#1786987
-Resolves: rhbz#1796518
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Wed Oct 30 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-2
-- RHEL 8.2 ERRATUM
+* Tue Feb 09 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.9.5p2-2
+- change ldap.conf to sudo-ldap.conf
+Resolves: rhbz#1908882
+- remove /usr/local/* from secure_path
+Resolves: rhbz#1908923
+- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
+Resolves: rhbz#1916655
+- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
+Resolves: rhbz#1917039
+- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
+Resolves: rhbz#1917735
+
+* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1
+- rebase to 1.9.5p2
+Resolves: rhbz#1920611
+- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
+Resolves: rhbz#1920618
+
+* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1
+- rebase to 1.9.5p1
+Resolves: rhbz#1902758
+- fixed double free in sss_to_sudoers
+Resolves: rhbz#1885874
+- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
+Resolves: rhbz#1915055
+- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
+Resolves: rhbz#1915054
+
+* Wed Jan 13 2021 Jonathan Lebon <jonathan@jlebon.com> - 1.9.3p1-2
+- split out Python modules into separate subpackage
+Resolves: rhbz#1909299
+
+* Mon Oct 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.3p1-1
+- rebase to 1.9.3p1
+- enable python modules
+Resolves: rhbz#1881112
+
+* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
+- rebase to 1.9.2
+Resolves: rhbz#1859577
+- added logsrvd subpackage
+- added openssl-devel buildrequires
+Resolves: rhbz#1860653
+- fixed sudo runstatedir path
+- it was generated as /sudo instead of /run/sudo
+Resolves: rhbz#1868215
+- added /var/lib/snapd/snap/bin to secure_path variable
+Resolves: rhbz#1691996
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 08 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.1-1
+- rebase to 1.9.1
+Resolves: rhbz#1848788
+- fix rpmlint errors
+Resolves: rhbz#1817139
+
+* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
+- update to latest development version 1.9.0b4
+Resolves: rhbz#1816593
+- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
+Resolves: rhbz#1773148
+
+* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
+- update to latest development version 1.9.0b1
+- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
+Resolves: rhbz#1787823
+- Stack based buffer overflow in when pwfeedback is enabled
+Resolves: rhbz#1796945
+- fixes: CVE-2019-18634
+- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
+Resolves: rhbz#1786709
+- fixes CVE-2019-19234
+- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
+Resolves: rhbz#1786705
+- fixes CVE-2019-19232
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1
 - rebase to 1.8.29
-Resolves: rhbz#1733961
-Resolves: rhbz#1651662
+Resolves: rhbz#1766233
 
-* Fri Oct 25 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
-- RHEL 8.2 ERRATUM
+* Tue Oct 22 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
 - rebase to 1.8.28p1
-Resolves: rhbz#1733961
-- fixed man page for always_set_home
-Resolves: rhbz#1576880
-- sudo does not work with notbefore/after
-Resolves: rhbz#1679508
-- NOTBEFORE showing value of sudoNotAfter Ldap attribute
-Resolves: rhbz#1715516
-- CVE-2019-14287 sudo
-- Privilege escalation via 'Runas' specification with 'ALL' keyword
-Resolves: rhbz#1760697
+Resolves: rhbz#1762350
 
-* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
-- RHEL 8.1 ERRATUM
-- sudo ipa_hostname not honored
-Resolves: rhbz#1738662
+* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1
+- rebase to 1.8.28
+Resolves: rhbz#1761533
+- set always_set_home by default
+Resolves: rhbz#1728687
+- Sync sudoers options from rhel8 to fedora
+Resolves: rhbz#1761781
+- CVE-2019-14287
+Resolves: rhbz#1761584
 
-* Mon Aug 12 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-6
-- RHEL 8.1 ERRATUM
-- Fixed The LDAP backend which is not properly parsing sudoOptions,
-  resulting in selinux roles not being applied
-Resolves: rhbz#1738326
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Tue May 28 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-5
-- RHEL 8.1 ERRATUM
-- Fixed problem with sudo-1.8.23 and 'who am i'
-Resolves: rhbz#1673886
-- Backporting sudo bug with expired passwords
-Resolves: rhbz#1676819
+* Sun Mar 31 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.27-2
+- resolves rhbz#1676925
+- Removed PS1, PS2 from sudoers
 
-* Tue Dec 11 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-4
-- Fix most of the man page scans problems
-- Resolves: rhbz#1613327
+* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> 1.8.27-1
+- rebase sudo to 1.8.27
 
-* Fri Oct 12 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-3
-- bump release for new build
-Resolves: rhbz#1625683
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.25p1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
-* Thu Oct 11 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-2
-- Depend explicitly on /usr/sbin/sendmail instead of sendmail (rhel-7 sync)
-- Simplified pam configuration file by removing duplicate pam stack entries
-Resolves: rhbz#1633144
+* Mon Oct 01 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25p1-1
+- rebase sudo to 1.8.25p1
 
-* Wed Sep 26 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-1
-- rebase to the new upstream version 1.8.25p1
-- sync patches with rhel-7.6
-- sync sudoers with rhel-7.6
-  resolves: rhbz#1633144
+* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25-1
+- rebase sudo to latest stawble version
+- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968)
 
-* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.23-2
-- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo
-  resolves: rhbz#1626972
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.23-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Thu May 17 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1
-- Packaging update for RHEL 8.0 (sync with latest RHEL 7 state)
+* Tue Jul 03 2018 Matthew Miller <mattdm@fedoraproject.org> - 1.8.23-2
+- remove defattr, as default is now sane
+
+* Wed May 09 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1
+- update to 1.8.23
+
+* Wed Apr 18 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-0.1.b3
+- update to 1.8.23b3
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.22-0.2.b1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild