Merge ~danilogondolfo/ubuntu/+source/sudo:merge-lp2020470-mantic into ubuntu/+source/sudo:debian/sid
Status: | Needs review |
---|---|
Proposed branch: | ~danilogondolfo/ubuntu/+source/sudo:merge-lp2020470-mantic |
Merge into: | ubuntu/+source/sudo:debian/sid |
Diff against target: | 1791 lines (+1386/-52), 10 files modified: debian/changelog (+1226/-0), debian/control (+2/-1), debian/etc/pam.d/sudo (+3/-0), debian/etc/pam.d/sudo-i (+3/-0), debian/etc/sudoers (+4/-1), debian/sudo-ldap.manpages (+1/-0), debian/sudo.manpages (+1/-0), debian/sudo_root.8 (+138/-0), debian/tests/control (+8/-4), dev/null (+0/-46) |
Related bugs: | |

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Langasek (community) | | | Approve |
git-ubuntu import | | | Pending |

Review via email: mp+443422@code.launchpad.net
Commit message
Description of the change
Danilo Egea Gondolfo (danilogondolfo) wrote:
Thanks, William. I updated the changelog.

Steve Langasek (vorlon) wrote:
This is already uploaded, adding my approval to take it off the sponsorship queue
Unmerged commits
- 55c13c9... by Danilo Egea Gondolfo

  changelog

- e4f9adf... by Danilo Egea Gondolfo

  - Drop patch for issue fixed upstream
    + debian/patches/CVE-2023-27320.patch

- 36a84b8... by Danilo Egea Gondolfo

  * SECURITY UPDATE: double free with per-command chroot sudoers rules
    - debian/patches/CVE-2023-27320.patch: don't free user_cmnd twice in
      MANIFEST, plugins/sudoers/match_command.c,
      plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
      plugins/sudoers/regress/testsudoers/test20.out.ok,
      plugins/sudoers/regress/testsudoers/test20.sh,
      plugins/sudoers/testsudoers.c,
      plugins/sudoers/visudo.c.
    - CVE-2023-27320

- fd7981a... by Danilo Egea Gondolfo

  - debian/control:
    + Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
      (for context see LP: 1915250)

- 764701b... by Danilo Egea Gondolfo

  - debian/tests/control: 03-getroot-ldap:
    + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)

- 0d1e300... by Danilo Egea Gondolfo

  - debian/etc/sudoers:
    + also grant admin group sudo access
    + include /snap/bin in the secure_path

- 50b2a02... by Danilo Egea Gondolfo

  - debian/etc/pam.d/sudo[-i]:
    + Use pam_env to read /etc/environment and /etc/default/locale
      environment files. Reading ~/.pam_environment is not permitted due
      to security reasons.

- 52299da... by Danilo Egea Gondolfo

  - debian/sudo[-ldap].init: delete init scripts, as they are no longer
    necessary.

- 2945051... by Danilo Egea Gondolfo

  - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8

Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 5e9d940..b251a89 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,26 @@ |
6 | +sudo (1.9.13p3-1ubuntu1) mantic; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8 |
10 | + - debian/sudo[-ldap].init: delete init scripts, as they are no longer |
11 | + necessary. |
12 | + - debian/etc/pam.d/sudo[-i]: |
13 | + + Use pam_env to read /etc/environment and /etc/default/locale |
14 | + environment files. Reading ~/.pam_environment is not permitted due |
15 | + to security reasons. |
16 | + - debian/etc/sudoers: |
17 | + + also grant admin group sudo access |
18 | + + include /snap/bin in the secure_path |
19 | + - debian/tests/control: 03-getroot-ldap: |
20 | + + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes) |
21 | + - debian/control: |
22 | + + Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1) |
23 | + (for context see LP 1915250) |
24 | + * Dropped changes, now included in Debian: |
25 | + - debian/patches/CVE-2023-27320.patch |
26 | + |
27 | + -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Tue, 23 May 2023 14:34:04 +0100 |
28 | + |
29 | sudo (1.9.13p3-1) unstable; urgency=medium |
30 | |
31 | * new upstream version: |
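Review bot: The "Merge with Debian unstable" line of the new 1.9.13p3-1ubuntu1 entry carries no LP bug reference, although the branch is named merge-lp2020470-mantic and earlier merge entries in this file close their tracking bug on that line, for example "Merge from Debian unstable (LP: #1929110)". If LP 2020470 is the merge bug, write "* Merge with Debian unstable (LP: #2020470). Remaining changes:" so the upload closes it. In the same entry the fakeroot context reference is spelled "LP 1915250", while the 1.9.13p1-1ubuntu1 entry spells it "LP: 1915250"; use one spelling, and keep the "#" out if the reference is meant as context only, since "LP: #NNN" is the form that closes a bug on upload.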
32 | @@ -13,6 +36,44 @@ sudo (1.9.13p3-1) unstable; urgency=medium |
33 | |
34 | -- Marc Haber <mh+debian-packages@zugschlus.de> Wed, 08 Mar 2023 21:17:05 +0100 |
35 | |
36 | +sudo (1.9.13p1-1ubuntu2) lunar; urgency=medium |
37 | + |
38 | + * SECURITY UPDATE: double free with per-command chroot sudoers rules |
39 | + - debian/patches/CVE-2023-27320.patch: don't free user_cmnd twice in |
40 | + MANIFEST, plugins/sudoers/match_command.c, |
41 | + plugins/sudoers/regress/fuzz/fuzz_sudoers.c, |
42 | + plugins/sudoers/regress/testsudoers/test20.out.ok, |
43 | + plugins/sudoers/regress/testsudoers/test20.sh, |
44 | + plugins/sudoers/testsudoers.c, |
45 | + plugins/sudoers/visudo.c. |
46 | + - CVE-2023-27320 |
47 | + |
48 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 01 Mar 2023 08:51:34 -0500 |
49 | + |
50 | +sudo (1.9.13p1-1ubuntu1) lunar; urgency=medium |
51 | + |
52 | + * Merge from Debian unstable. Remaining changes: |
53 | + - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8 |
54 | + - debian/sudo[-ldap].init: delete init scripts, as they are no longer |
55 | + necessary. |
56 | + - debian/etc/pam.d/sudo[-i]: |
57 | + + Use pam_env to read /etc/environment and /etc/default/locale |
58 | + environment files. Reading ~/.pam_environment is not permitted due |
59 | + to security reasons. |
60 | + - debian/etc/sudoers: |
61 | + + also grant admin group sudo access |
62 | + + include /snap/bin in the secure_path |
63 | + - debian/tests/control: 03-getroot-ldap: |
64 | + + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes) |
65 | + - debian/control: |
66 | + + Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1) |
67 | + (for context see LP: 1915250) |
68 | + - Drop patches for issues fixed upstream |
69 | + + d/p/CVE-2023-22809.patch |
70 | + + d/p/Add-XDG_CURRENT_DESKTOP-to-initial_keepenv_table.patch |
71 | + |
72 | + -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Mon, 20 Feb 2023 17:38:07 +0000 |
73 | + |
74 | sudo (1.9.13p1-1) unstable; urgency=medium |
75 | |
76 | * new upstream version 1.9.13p1 |
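Review bot: In the 1.9.13p1-1ubuntu1 entry the item "Drop patches for issues fixed upstream" (d/p/CVE-2023-22809.patch and the XDG_CURRENT_DESKTOP patch) is nested under "Remaining changes", so two dropped patches, one of them a security fix, read as delta still carried against Debian. The other merge entries in this file, including the new 1.9.13p3-1ubuntu1 entry, put drops under their own "* Dropped changes" bullet. If this text has to match the lunar upload byte for byte, leave it; otherwise move the item to a separate "* Dropped changes" bullet so an audit of which CVE patches are still carried does not misread it.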
77 | @@ -52,12 +113,75 @@ sudo (1.9.12p1-1) unstable; urgency=low |
78 | |
79 | -- Marc Haber <mh+debian-packages@zugschlus.de> Sun, 15 Jan 2023 13:58:48 +0100 |
80 | |
81 | +sudo (1.9.11p3-1ubuntu3) lunar; urgency=medium |
82 | + |
83 | + * SECURITY UPDATE: arbitrary file overwrite via sudoedit |
84 | + - debian/patches/CVE-2023-22809.patch: do not permit editor arguments |
85 | + to include -- in plugins/sudoers/editor.c, plugins/sudoers/sudoers.c, |
86 | + plugins/sudoers/visudo.c. |
87 | + - CVE-2023-22809 |
88 | + |
89 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 18 Jan 2023 12:46:34 -0500 |
90 | + |
91 | +sudo (1.9.11p3-1ubuntu2) lunar; urgency=medium |
92 | + |
93 | + * No-change rebuild against libldap-2 |
94 | + |
95 | + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:57:01 +0000 |
96 | + |
97 | +sudo (1.9.11p3-1ubuntu1) kinetic; urgency=medium |
98 | + |
99 | + * Merge from Debian unstable. Remaining changes: |
100 | + - debian/control: |
101 | + + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1) |
102 | + - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8 |
103 | + - debian/sudo[-ldap].init: delete init scripts, as they are no longer |
104 | + necessary. |
105 | + - debian/etc/pam.d/sudo[-i]: |
106 | + + Use pam_env to read /etc/environment and /etc/default/locale |
107 | + environment files. Reading ~/.pam_environment is not permitted due |
108 | + to security reasons. |
109 | + - debian/etc/sudoers: |
110 | + + also grant admin group sudo access |
111 | + + include /snap/bin in the secure_path |
112 | + - debian/tests/control: 03-getroot-ldap: |
113 | + + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes) |
114 | + - Add XDG_CURRENT_DESKTOP to initial_keepenv_table for Qt to determine the |
115 | + correct theme (LP: #1958055) |
116 | + |
117 | + -- Benjamin Drung <bdrung@ubuntu.com> Tue, 23 Aug 2022 10:06:34 +0200 |
118 | + |
119 | sudo (1.9.11p3-1) unstable; urgency=low |
120 | |
121 | * new upstream version 1.9.11p3 |
122 | |
123 | -- Marc Haber <mh+debian-packages@zugschlus.de> Wed, 23 Mar 2022 10:50:16 +0100 |
124 | |
125 | +sudo (1.9.10-3ubuntu1) kinetic; urgency=medium |
126 | + |
127 | + * Merge from Debian unstable. Remaining changes: |
128 | + - debian/control: |
129 | + + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1) |
130 | + - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8 |
131 | + - debian/sudo[-ldap].init: delete init scripts, as they are no longer |
132 | + necessary. |
133 | + - debian/etc/pam.d/sudo[-i]: |
134 | + + Use pam_env to read /etc/environment and /etc/default/locale |
135 | + environment files. Reading ~/.pam_environment is not permitted due |
136 | + to security reasons. |
137 | + - debian/etc/sudoers: |
138 | + + also grant admin group sudo access |
139 | + + include /snap/bin in the secure_path |
140 | + - debian/tests/control: 03-getroot-ldap: |
141 | + + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes) |
142 | + * Dropped changes (applied in Debian): |
143 | + - debian/rules: |
144 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
145 | + * Add XDG_CURRENT_DESKTOP to initial_keepenv_table for Qt to determine the |
146 | + correct theme (LP: #1958055) |
147 | + |
148 | + -- Benjamin Drung <bdrung@ubuntu.com> Wed, 03 Aug 2022 10:45:04 +0200 |
149 | + |
150 | sudo (1.9.10-3) unstable; urgency=medium |
151 | |
152 | * some changes to 03-getroot-ldap autopkgtest to find out |
153 | @@ -104,6 +228,37 @@ sudo (1.9.10-1) experimental; urgency=medium |
154 | |
155 | -- Marc Haber <mh+debian-packages@zugschlus.de> Fri, 18 Mar 2022 14:31:30 +0100 |
156 | |
157 | +sudo (1.9.9-1ubuntu2) jammy; urgency=medium |
158 | + |
159 | + * d/t/control: skip 03-getroot-ldap autopkgtest on non-containers |
160 | + |
161 | + -- Lukas Märdian <slyon@ubuntu.com> Mon, 14 Feb 2022 12:48:05 +0100 |
162 | + |
163 | +sudo (1.9.9-1ubuntu1) jammy; urgency=medium |
164 | + |
165 | + * Merge from Debian unstable. Remaining changes: |
166 | + - debian/control: |
167 | + + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1) |
168 | + - debian/rules: |
169 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
170 | + - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8 |
171 | + - debian/sudo[-ldap].init: delete init scripts, as they are no longer |
172 | + necessary. |
173 | + - debian/etc/pam.d/sudo[-i]: |
174 | + + Use pam_env to read /etc/environment and /etc/default/locale |
175 | + environment files. Reading ~/.pam_environment is not permitted due |
176 | + to security reasons. |
177 | + - debian/etc/sudoers: |
178 | + + also grant admin group sudo access |
179 | + + include /snap/bin in the secure_path |
180 | + - debian/tests/control: 03-getroot-ldap: |
181 | + + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes) |
182 | + * Dropped changes: |
183 | + - debian/rules: |
184 | + + use dh-autoreconf (converted to using dh) |
185 | + |
186 | + -- Lukas Märdian <slyon@ubuntu.com> Tue, 08 Feb 2022 12:01:45 +0100 |
187 | + |
188 | sudo (1.9.9-1) unstable; urgency=medium |
189 | |
190 | * new upstream version |
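Review bot: The 1.9.9-1ubuntu2 change "d/t/control: skip 03-getroot-ldap autopkgtest on non-containers" is not accounted for in any later merge entry shown in this diff. From 1.9.10-3ubuntu1 up to the new 1.9.13p3-1ubuntu1 entry, the only debian/tests/control item listed under "Remaining changes" is the SUDO_FORCE_REMOVE=yes one, and the skip appears under no "Dropped changes" bullet either. Please confirm whether the debian/tests/control delta in this merge (+8/-4) still contains that restriction, then either list it under "Remaining changes" in the new entry or record it as dropped.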
191 | @@ -253,6 +408,37 @@ sudo (1.9.5p2-3+exp1) experimental; urgency=medium |
192 | |
193 | -- Marc Haber <mh+debian-packages@zugschlus.de> Fri, 12 Mar 2021 20:48:13 +0100 |
194 | |
195 | +sudo (1.9.5p2-3ubuntu2) impish; urgency=medium |
196 | + |
197 | + * No-change rebuild due to OpenLDAP soname bump. |
198 | + |
199 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:32 -0400 |
200 | + |
201 | +sudo (1.9.5p2-3ubuntu1) impish; urgency=low |
202 | + |
203 | + * Merge from Debian unstable (LP: #1929110). Remaining changes: |
204 | + - debian/rules: |
205 | + + use dh-autoreconf |
206 | + - debian/rules: stop shipping init scripts, as they are no longer |
207 | + necessary. |
208 | + - debian/rules: |
209 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
210 | + + install man/man8/sudo_root.8 in both flavours |
211 | + - debian/sudo.pam: |
212 | + + Use pam_env to read /etc/environment and /etc/default/locale |
213 | + environment files. Reading ~/.pam_environment is not permitted due |
214 | + to security reasons. |
215 | + - debian/sudoers: |
216 | + + also grant admin group sudo access |
217 | + + include /snap/bin in the secure_path |
218 | + * Dropped changes, now included in Debian: |
219 | + - debian/rules: |
220 | + + install apport hooks |
221 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
222 | + + add usr/share/apport/package-hooks |
223 | + |
224 | + -- William 'jawn-smith' Wilson <william.wilson@canonical.com> Thu, 20 May 2021 15:43:31 +0000 |
225 | + |
226 | sudo (1.9.5p2-3) unstable; urgency=medium |
227 | |
228 | * new maintainer team and uploaders (Closes: #976244) |
229 | @@ -266,6 +452,49 @@ sudo (1.9.5p2-3) unstable; urgency=medium |
230 | |
231 | -- Marc Haber <mh+debian-packages@zugschlus.de> Sat, 27 Feb 2021 09:28:03 +0100 |
232 | |
233 | +sudo (1.9.5p2-2ubuntu3) hirsute; urgency=medium |
234 | + |
235 | + * No change rebuild with fixed ownership. |
236 | + |
237 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 18 Feb 2021 00:03:21 +0000 |
238 | + |
239 | +sudo (1.9.5p2-2ubuntu2) hirsute; urgency=medium |
240 | + |
241 | + * No change rebuild against new permissions ABI. LP: #1915250 |
242 | + |
243 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 16 Feb 2021 10:39:16 +0000 |
244 | + |
245 | +sudo (1.9.5p2-2ubuntu1) hirsute; urgency=low |
246 | + |
247 | + * Merge from Debian unstable. (LP: #1915307) |
248 | + * Remaining changes: |
249 | + - debian/rules: |
250 | + + use dh-autoreconf |
251 | + - debian/rules: stop shipping init scripts, as they are no longer |
252 | + necessary. |
253 | + - debian/rules: |
254 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
255 | + + install man/man8/sudo_root.8 in both flavours |
256 | + + install apport hooks |
257 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
258 | + + add usr/share/apport/package-hooks |
259 | + - debian/sudo.pam: |
260 | + + Use pam_env to read /etc/environment and /etc/default/locale |
261 | + environment files. Reading ~/.pam_environment is not permitted due |
262 | + to security reasons. |
263 | + - debian/sudoers: |
264 | + + also grant admin group sudo access |
265 | + + include /snap/bin in the secure_path |
266 | + * Dropped patches, no longer needed because they are integrated in Debian: |
267 | + - CVE-2021-23239.patch |
268 | + - CVE-2021-3156-1.patch |
269 | + - CVE-2021-3156-2.patch |
270 | + - CVE-2021-3156-3.patch |
271 | + - CVE-2021-3156-4.patch |
272 | + - CVE-2021-3156-5.patch |
273 | + |
274 | + -- William 'jawn-smith' Wilson <william.wilson@canonical.com> Wed, 10 Feb 2021 05:42:42 -0600 |
275 | + |
276 | sudo (1.9.5p2-2) unstable; urgency=medium |
277 | |
278 | * patch from upstream repo to fix NO_ROOT_MAILER |
279 | @@ -302,6 +531,60 @@ sudo (1.9.5-1) unstable; urgency=medium |
280 | |
281 | -- Bdale Garbee <bdale@gag.com> Mon, 11 Jan 2021 15:15:48 -0700 |
282 | |
283 | +sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium |
284 | + |
285 | + * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option |
286 | + - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER |
287 | + in plugins/sudoers/logging.c, plugins/sudoers/policy.c. |
288 | + - No CVE number |
289 | + |
290 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sat, 30 Jan 2021 14:35:13 -0500 |
291 | + |
292 | +sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium |
293 | + |
294 | + * SECURITY UPDATE: dir existence issue via sudoedit race |
295 | + - debian/patches/CVE-2021-23239.patch: fix potential directory existing |
296 | + info leak in sudoedit in src/sudo_edit.c. |
297 | + - CVE-2021-23239 |
298 | + * SECURITY UPDATE: heap-based buffer overflow |
299 | + - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to |
300 | + MODE_NONINTERACTIVE for sudoedit in src/parse_args.c. |
301 | + - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in |
302 | + plugin in plugins/sudoers/policy.c. |
303 | + - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow |
304 | + when unescaping backslashes in plugins/sudoers/sudoers.c. |
305 | + - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when |
306 | + converting a v1 timestamp to TS_LOCKEXCL in |
307 | + plugins/sudoers/timestamp.c. |
308 | + - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is |
309 | + allocated as a single flat buffer in src/parse_args.c. |
310 | + - CVE-2021-3156 |
311 | + |
312 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Jan 2021 14:37:48 -0500 |
313 | + |
314 | +sudo (1.9.4p2-2ubuntu1) hirsute; urgency=low |
315 | + |
316 | + * Merge from Debian unstable. Remaining changes: |
317 | + - debian/rules: |
318 | + + use dh-autoreconf |
319 | + - debian/rules: stop shipping init scripts, as they are no longer |
320 | + necessary. |
321 | + - debian/rules: |
322 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
323 | + + install man/man8/sudo_root.8 in both flavours |
324 | + + install apport hooks |
325 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
326 | + + add usr/share/apport/package-hooks |
327 | + - debian/sudo.pam: |
328 | + + Use pam_env to read /etc/environment and /etc/default/locale |
329 | + environment files. Reading ~/.pam_environment is not permitted due |
330 | + to security reasons. |
331 | + - debian/sudoers: |
332 | + + also grant admin group sudo access |
333 | + + include /snap/bin in the secure_path |
334 | + |
335 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 06 Jan 2021 13:51:07 -0800 |
336 | + |
337 | sudo (1.9.4p2-2) unstable; urgency=medium |
338 | |
339 | * always use /bin/mv to ensure reproducible builds whether built on a |
340 | @@ -327,6 +610,29 @@ sudo (1.9.4-1) unstable; urgency=medium |
341 | |
342 | -- Bdale Garbee <bdale@gag.com> Tue, 01 Dec 2020 22:10:03 -0500 |
343 | |
344 | +sudo (1.9.3p1-1ubuntu1) hirsute; urgency=low |
345 | + |
346 | + * Merge from Debian unstable. Remaining changes: |
347 | + - debian/rules: |
348 | + + use dh-autoreconf |
349 | + - debian/rules: stop shipping init scripts, as they are no longer |
350 | + necessary. |
351 | + - debian/rules: |
352 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
353 | + + install man/man8/sudo_root.8 in both flavours |
354 | + + install apport hooks |
355 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
356 | + + add usr/share/apport/package-hooks |
357 | + - debian/sudo.pam: |
358 | + + Use pam_env to read /etc/environment and /etc/default/locale |
359 | + environment files. Reading ~/.pam_environment is not permitted due |
360 | + to security reasons. |
361 | + - debian/sudoers: |
362 | + + also grant admin group sudo access |
363 | + + include /snap/bin in the secure_path |
364 | + |
365 | + -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 24 Oct 2020 17:14:39 -0700 |
366 | + |
367 | sudo (1.9.3p1-1) unstable; urgency=medium |
368 | |
369 | * new upstream version |
370 | @@ -348,12 +654,61 @@ sudo (1.9.1-2) unstable; urgency=medium |
371 | |
372 | -- Bdale Garbee <bdale@gag.com> Sun, 12 Jul 2020 09:52:08 -0600 |
373 | |
374 | +sudo (1.9.1-1ubuntu1) groovy; urgency=low |
375 | + |
376 | + * Merge from Debian unstable. Remaining changes: |
377 | + - debian/rules: |
378 | + + use dh-autoreconf |
379 | + - debian/rules: stop shipping init scripts, as they are no longer |
380 | + necessary. |
381 | + - debian/rules: |
382 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
383 | + + install man/man8/sudo_root.8 in both flavours |
384 | + + install apport hooks |
385 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
386 | + + add usr/share/apport/package-hooks |
387 | + - debian/sudo.pam: |
388 | + + Use pam_env to read /etc/environment and /etc/default/locale |
389 | + environment files. Reading ~/.pam_environment is not permitted due |
390 | + to security reasons. |
391 | + - debian/sudoers: |
392 | + + also grant admin group sudo access |
393 | + + include /snap/bin in the secure_path |
394 | + |
395 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Jul 2020 09:38:55 -0700 |
396 | + |
397 | sudo (1.9.1-1) unstable; urgency=medium |
398 | |
399 | * new upstream version |
400 | |
401 | -- Bdale Garbee <bdale@gag.com> Fri, 19 Jun 2020 15:44:09 -0600 |
402 | |
403 | +sudo (1.9.0-1ubuntu1) groovy; urgency=low |
404 | + |
405 | + * Merge from Debian unstable. Remaining changes: |
406 | + - debian/rules: |
407 | + + use dh-autoreconf |
408 | + - debian/rules: stop shipping init scripts, as they are no longer |
409 | + necessary. |
410 | + - debian/rules: |
411 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
412 | + + install man/man8/sudo_root.8 in both flavours |
413 | + + install apport hooks |
414 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
415 | + + add usr/share/apport/package-hooks |
416 | + - debian/sudo.pam: |
417 | + + Use pam_env to read /etc/environment and /etc/default/locale |
418 | + environment files. Reading ~/.pam_environment is not permitted due |
419 | + to security reasons. |
420 | + - debian/sudoers: |
421 | + + also grant admin group sudo access |
422 | + + include /snap/bin in the secure_path |
423 | + * Dropped changes, no longer needed: |
424 | + - debian/control: |
425 | + + use dh-autoreconf |
426 | + |
427 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 May 2020 17:07:02 -0700 |
428 | + |
429 | sudo (1.9.0-1) unstable; urgency=medium |
430 | |
431 | * new upstream version, closes: #669687, #571621, #734752 |
432 | @@ -366,12 +721,64 @@ sudo (1.8.31p1-1) unstable; urgency=medium |
433 | |
434 | -- Bdale Garbee <bdale@gag.com> Thu, 19 Mar 2020 15:47:17 -0600 |
435 | |
436 | +sudo (1.8.31-1ubuntu1) focal; urgency=medium |
437 | + |
438 | + * Merge from Debian unstable. Remaining changes: |
439 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
440 | + shipping init script and service file, as they are no longer |
441 | + necessary. |
442 | + - debian/rules: |
443 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
444 | + + install man/man8/sudo_root.8 in both flavours |
445 | + + install apport hooks |
446 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
447 | + + add usr/share/apport/package-hooks |
448 | + - debian/sudo.pam: |
449 | + + Use pam_env to read /etc/environment and /etc/default/locale |
450 | + environment files. Reading ~/.pam_environment is not permitted due to |
451 | + security reasons. |
452 | + - debian/sudoers: |
453 | + + also grant admin group sudo access |
454 | + + include /snap/bin in the secure_path |
455 | + - debian/control, debian/rules: |
456 | + + use dh-autoreconf |
457 | + |
458 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Feb 2020 09:32:18 -0500 |
459 | + |
460 | sudo (1.8.31-1) unstable; urgency=medium |
461 | |
462 | * new upstream version |
463 | |
464 | -- Bdale Garbee <bdale@gag.com> Sat, 01 Feb 2020 23:07:09 -0800 |
465 | |
466 | +sudo (1.8.29-1ubuntu1) focal; urgency=medium |
467 | + |
468 | + * Merge from Debian unstable. |
469 | + Remaining changes: |
470 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
471 | + shipping init script and service file, as they are no longer |
472 | + necessary. |
473 | + - debian/rules: |
474 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
475 | + + install man/man8/sudo_root.8 in both flavours |
476 | + + install apport hooks |
477 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
478 | + + add usr/share/apport/package-hooks |
479 | + - debian/sudo.pam: |
480 | + + Use pam_env to read /etc/environment and /etc/default/locale |
481 | + environment files. Reading ~/.pam_environment is not permitted due to |
482 | + security reasons. |
483 | + - debian/sudoers: |
484 | + + also grant admin group sudo access |
485 | + + include /snap/bin in the secure_path |
486 | + - debian/control, debian/rules: |
487 | + + use dh-autoreconf |
488 | + * Removed patches included in new version: |
489 | + - debian/patches/CVE-2019-14287.patch |
490 | + - debian/patches/CVE-2019-14287-2.patch |
491 | + |
492 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 13:13:21 -0500 |
493 | + |
494 | sudo (1.8.29-1) unstable; urgency=medium |
495 | |
496 | * new upstream version |
497 | @@ -394,6 +801,59 @@ sudo (1.8.27-1.1) unstable; urgency=high |
498 | |
499 | -- Salvatore Bonaccorso <carnil@debian.org> Mon, 14 Oct 2019 21:10:58 +0200 |
500 | |
501 | +sudo (1.8.27-1ubuntu4) eoan; urgency=medium |
502 | + |
503 | + * SECURITY UPDATE: privilege escalation via UID -1 |
504 | + - debian/patches/CVE-2019-14287.patch: treat an ID of -1 as invalid |
505 | + in lib/util/strtoid.c. |
506 | + - debian/patches/CVE-2019-14287-2.patch: fix and add to tests in |
507 | + lib/util/regress/atofoo/atofoo_test.c, |
508 | + plugins/sudoers/regress/testsudoers/test5.out.ok, |
509 | + plugins/sudoers/regress/testsudoers/test5.sh. |
510 | + - CVE-2019-14287 |
511 | + |
512 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 15 Oct 2019 07:09:02 -0400 |
513 | + |
514 | +sudo (1.8.27-1ubuntu3) eoan; urgency=medium |
515 | + |
516 | + * No-change upload with strops.h and sys/strops.h removed in glibc. |
517 | + |
518 | + -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:12:29 +0000 |
519 | + |
520 | +sudo (1.8.27-1ubuntu2) eoan; urgency=medium |
521 | + |
522 | + * Remove d/p/keep_home_by_default.patch (LP: #1556302) |
523 | + - This restores sudo handling of $HOME to what everyone else does |
524 | + |
525 | + -- Dan Streetman <ddstreet@canonical.com> Tue, 04 Jun 2019 08:58:02 -0400 |
526 | + |
527 | +sudo (1.8.27-1ubuntu1) disco; urgency=medium |
528 | + |
529 | + * Merge from Debian unstable. |
530 | + Remaining changes: |
531 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
532 | + shipping init script and service file, as they are no longer |
533 | + necessary. |
534 | + - debian/rules: |
535 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
536 | + + install man/man8/sudo_root.8 in both flavours |
537 | + + install apport hooks |
538 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
539 | + + add usr/share/apport/package-hooks |
540 | + - debian/sudo.pam: |
541 | + + Use pam_env to read /etc/environment and /etc/default/locale |
542 | + environment files. Reading ~/.pam_environment is not permitted due to |
543 | + security reasons. |
544 | + - debian/sudoers: |
545 | + + also grant admin group sudo access |
546 | + + include /snap/bin in the secure_path |
547 | + - debian/control, debian/rules: |
548 | + + use dh-autoreconf |
549 | + - Remaining patches: |
550 | + + keep_home_by_default.patch: Keep HOME in the default environment |
551 | + |
552 | + -- Balint Reczey <rbalint@ubuntu.com> Tue, 19 Feb 2019 09:30:21 +0100 |
553 | + |
554 | sudo (1.8.27-1) unstable; urgency=medium |
555 | |
556 | * new upstream version |
557 | @@ -418,6 +878,33 @@ sudo (1.8.26-1) unstable; urgency=medium |
558 | |
559 | -- Bdale Garbee <bdale@gag.com> Mon, 19 Nov 2018 00:32:06 -1000 |
560 | |
561 | +sudo (1.8.23-2ubuntu1) cosmic; urgency=medium |
562 | + |
563 | + * Merge from Debian unstable. |
564 | + Remaining changes: |
565 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
566 | + shipping init script and service file, as they are no longer |
567 | + necessary. |
568 | + - debian/rules: |
569 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
570 | + + install man/man8/sudo_root.8 in both flavours |
571 | + + install apport hooks |
572 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
573 | + + add usr/share/apport/package-hooks |
574 | + - debian/sudo.pam: |
575 | + + Use pam_env to read /etc/environment and /etc/default/locale |
576 | + environment files. Reading ~/.pam_environment is not permitted due to |
577 | + security reasons. |
578 | + - debian/sudoers: |
579 | + + also grant admin group sudo access |
580 | + + include /snap/bin in the secure_path |
581 | + - debian/control, debian/rules: |
582 | + + use dh-autoreconf |
583 | + - Remaining patches: |
584 | + + keep_home_by_default.patch: Keep HOME in the default environment |
585 | + |
586 | + -- Balint Reczey <rbalint@ubuntu.com> Thu, 23 Aug 2018 19:36:40 +0200 |
587 | + |
588 | sudo (1.8.23-2) unstable; urgency=high |
589 | |
590 | * fix FTBFS due to earlier sudoers2ldif removal, closes: #903415 |
591 | @@ -430,12 +917,76 @@ sudo (1.8.23-1) unstable; urgency=medium |
592 | |
593 | -- Bdale Garbee <bdale@gag.com> Mon, 30 Apr 2018 20:55:10 -0600 |
594 | |
595 | +sudo (1.8.21p2-3ubuntu1) bionic; urgency=medium |
596 | + |
597 | + * Merge from Debian unstable. |
598 | + Remaining changes: |
599 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
600 | + shipping init script and service file, as they are no longer |
601 | + necessary. |
602 | + - debian/rules: |
603 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
604 | + + install man/man8/sudo_root.8 in both flavours |
605 | + + install apport hooks |
606 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
607 | + + add usr/share/apport/package-hooks |
608 | + - debian/sudo.pam: |
609 | + + Use pam_env to read /etc/environment and /etc/default/locale |
610 | + environment files. Reading ~/.pam_environment is not permitted due to |
611 | + security reasons. |
612 | + - debian/sudoers: |
613 | + + also grant admin group sudo access |
614 | + + include /snap/bin in the secure_path |
615 | + - debian/control, debian/rules: |
616 | + + use dh-autoreconf |
617 | + - Remaining patches: |
618 | + + keep_home_by_default.patch: Keep HOME in the default environment |
619 | + |
620 | + -- Balint Reczey <rbalint@ubuntu.com> Thu, 18 Jan 2018 01:08:16 +0100 |
621 | + |
622 | sudo (1.8.21p2-3) unstable; urgency=medium |
623 | |
624 | * include sssd support in the sudo-ldap build too, closes: #884741 |
625 | |
626 | -- Bdale Garbee <bdale@gag.com> Mon, 18 Dec 2017 21:55:18 -0700 |
627 | |
628 | +sudo (1.8.21p2-2ubuntu1) bionic; urgency=medium |
629 | + |
630 | + * Merge from Debian unstable. (LP: #1731981) |
631 | + Remaining changes: |
632 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
633 | + shipping init script and service file, as they are no longer |
634 | + necessary. |
635 | + - debian/rules: |
636 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
637 | + + install man/man8/sudo_root.8 in both flavours |
638 | + + install apport hooks |
639 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
640 | + + add usr/share/apport/package-hooks |
641 | + - debian/sudo.pam: |
642 | + + Use pam_env to read /etc/environment and /etc/default/locale |
643 | + environment files. Reading ~/.pam_environment is not permitted due to |
644 | + security reasons. |
645 | + - debian/sudoers: |
646 | + + also grant admin group sudo access |
647 | + + include /snap/bin in the secure_path |
648 | + - debian/control, debian/rules: |
649 | + + use dh-autoreconf |
650 | + - Remaining patches: |
651 | + + keep_home_by_default.patch: Keep HOME in the default environment |
652 | + Dropped changes since they are integrated in Debian: |
653 | + - Use tmpfs location to store timestamp files |
654 | + + debian/rules: change --with-rundir to /var/run/sudo |
655 | + + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old |
656 | + init script with dpkg-maintscript-helper. |
657 | + Dropped changes since the the transition took place already in every |
658 | + release the package can be upgraded from: |
659 | + + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo |
660 | + transition code, remove old /var/lib/sudo/ts timestamp directory. |
661 | + * Refresh patches |
662 | + |
663 | + -- Balint Reczey <rbalint@ubuntu.com> Mon, 13 Nov 2017 17:53:45 +0100 |
664 | + |
665 | sudo (1.8.21p2-2) unstable; urgency=medium |
666 | |
667 | * work harder to clean up mess left by sudo-ldap using /etc/init.d/sudo |
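Review bot: Changelog line 657, in the 1.8.21p2-2ubuntu1 entry, has a doubled word: "Dropped changes since the the transition took place already". This entry records an upload that already went to bionic, so I would not reword it in this merge. Instead, confirm the block matches the changelog of the last Ubuntu upload exactly, so the merge carries the history over unchanged.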
668 | @@ -469,6 +1020,41 @@ sudo (1.8.21-1) unstable; urgency=medium |
669 | |
670 | -- Bdale Garbee <bdale@gag.com> Mon, 28 Aug 2017 09:44:06 -0600 |
671 | |
672 | +sudo (1.8.20p2-1ubuntu1) artful; urgency=low |
673 | + |
674 | + * Merge from Debian unstable. (LP: #1697587) |
675 | + Remaining changes: |
676 | + - Use tmpfs location to store timestamp files |
677 | + + debian/rules: change --with-rundir to /var/run/sudo |
678 | + + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
679 | + shipping init script and service file, as they are no longer |
680 | + necessary. |
681 | + + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old |
682 | + init script with dpkg-maintscript-helper. |
683 | + + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo |
684 | + transition code, remove old /var/lib/sudo/ts timestamp directory. |
685 | + - debian/rules: |
686 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
687 | + + install man/man8/sudo_root.8 in both flavours |
688 | + + install apport hooks |
689 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
690 | + + add usr/share/apport/package-hooks |
691 | + - debian/sudo.pam: |
692 | + + Use pam_env to read /etc/environment and /etc/default/locale |
693 | + environment files. Reading ~/.pam_environment is not permitted due to |
694 | + security reasons. |
695 | + - debian/sudoers: |
696 | + + also grant admin group sudo access |
697 | + + include /snap/bin in the secure_path |
698 | + - debian/control, debian/rules: |
699 | + + use dh-autoreconf |
700 | + - Remaining patches: |
701 | + + keep_home_by_default.patch: Keep HOME in the default environment |
702 | + - Dropped patches no longer needed: |
703 | + + CVE-2017-1000367.patch |
704 | + |
705 | + -- Balint Reczey <rbalint@ubuntu.com> Mon, 12 Jun 2017 21:51:31 +0200 |
706 | + |
707 | sudo (1.8.20p2-1) unstable; urgency=medium |
708 | |
709 | * new upstream version |
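Review bot: At lines 702-703 the 1.8.20p2-1ubuntu1 entry drops CVE-2017-1000367.patch with only "Dropped patches no longer needed" as the reason. Other drops in this changelog say "upstream." or "Fixed upstream in 1.8.4p5". For a security patch the drop record should say where the fix now lives. Since the entry is already published, the thing to do during this merge is to confirm that the /proc/self/stat ttyname parsing fix described at lines 716-718 is present in the upstream source being merged.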
710 | @@ -498,6 +1084,51 @@ sudo (1.8.20-1) unstable; urgency=medium |
711 | |
712 | -- Bdale Garbee <bdale@gag.com> Wed, 10 May 2017 10:25:46 -0600 |
713 | |
714 | +sudo (1.8.19p1-1ubuntu2) artful; urgency=medium |
715 | + |
716 | + * SECURITY UPDATE: /proc/self/stat parsing confusion |
717 | + - debian/patches/CVE-2017-1000367.patch: adjust parsing to |
718 | + find ttyname |
719 | + - CVE-2017-1000367 |
720 | + |
721 | + -- Steve Beattie <sbeattie@ubuntu.com> Mon, 29 May 2017 03:13:37 -0700 |
722 | + |
723 | +sudo (1.8.19p1-1ubuntu1) zesty; urgency=low |
724 | + |
725 | + * Merge from Debian unstable. (LP: #1607666) |
726 | + Remaining changes: |
727 | + - Use tmpfs location to store timestamp files |
728 | + + debian/rules: change --with-rundir to /var/run/sudo |
729 | + + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
730 | + shipping init script and service file, as they are no longer |
731 | + necessary. |
732 | + + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old |
733 | + init script with dpkg-maintscript-helper. |
734 | + + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo |
735 | + transition code, remove old /var/lib/sudo/ts timestamp directory. |
736 | + - debian/rules: |
737 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
738 | + + install man/man8/sudo_root.8 in both flavours |
739 | + + install apport hooks |
740 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
741 | + + add usr/share/apport/package-hooks |
742 | + - debian/sudo.pam: |
743 | + + Use pam_env to read /etc/environment and /etc/default/locale |
744 | + environment files. Reading ~/.pam_environment is not permitted due to |
745 | + security reasons. |
746 | + - debian/sudoers: |
747 | + + also grant admin group sudo access |
748 | + + include /snap/bin in the secure_path |
749 | + - debian/control, debian/rules: |
750 | + + use dh-autoreconf |
751 | + - Remaining patches: |
752 | + + keep_home_by_default.patch: Keep HOME in the default environment |
753 | + - Dropped patches no longer needed: |
754 | + + debian/patches/lp1565567.patch: upstream. |
755 | + + debian/patches/also_check_sudo_group.diff: upstream. |
756 | + |
757 | + -- Timo Aaltonen <tjaalton@debian.org> Sat, 14 Jan 2017 01:41:17 +0200 |
758 | + |
759 | sudo (1.8.19p1-1) unstable; urgency=medium |
760 | |
761 | * new upstream version |
762 | @@ -538,6 +1169,61 @@ sudo (1.8.17p1-1) unstable; urgency=low |
763 | |
764 | -- Bdale Garbee <bdale@gag.com> Tue, 05 Jul 2016 16:01:55 +0200 |
765 | |
766 | +sudo (1.8.16-0ubuntu3) yakkety; urgency=medium |
767 | + |
768 | + * debian/sudoers: |
769 | + - include /snap/bin in the secure_path (LP: #1595558) |
770 | + |
771 | + -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 15 Aug 2016 18:08:34 +0200 |
772 | + |
773 | +sudo (1.8.16-0ubuntu2) yakkety; urgency=medium |
774 | + |
775 | + * debian/patches/lp1565567.patch: fix crash when looking up a negative |
776 | + cached entry which is stored as a NULL passwd or group struct pointer |
777 | + in plugins/sudoers/pwutil.c. (LP: #1565567) |
778 | + |
779 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 04 May 2016 11:31:55 -0400 |
780 | + |
781 | +sudo (1.8.16-0ubuntu1) xenial; urgency=medium |
782 | + |
783 | + * Update to new upstream version 1.8.16. (LP: #1563825) |
784 | + - Dropped patches no longer needed: |
785 | + + CVE-2015-5602-6.patch |
786 | + + CVE-2015-5602-7.patch |
787 | + * Merge from Debian unstable. Remaining changes: |
788 | + - Use tmpfs location to store timestamp files |
789 | + + debian/rules: change --with-rundir to /var/run/sudo |
790 | + + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
791 | + shipping init script and service file, as they are no longer |
792 | + necessary. |
793 | + + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old |
794 | + init script with dpkg-maintscript-helper. |
795 | + + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo |
796 | + transition code, remove old /var/lib/sudo/ts timestamp directory. |
797 | + - debian/rules: |
798 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
799 | + + install man/man8/sudo_root.8 in both flavours |
800 | + + install apport hooks |
801 | + - debian/sudoers: |
802 | + + also grant admin group sudo access |
803 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
804 | + + add usr/share/apport/package-hooks |
805 | + - debian/sudo.pam: |
806 | + + Use pam_env to read /etc/environment and /etc/default/locale |
807 | + environment files. Reading ~/.pam_environment is not permitted due to |
808 | + security reasons. |
809 | + - debian/control: |
810 | + + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command |
811 | + - Remaining patches: |
812 | + + keep_home_by_default.patch: Keep HOME in the default environment |
813 | + + debian/patches/also_check_sudo_group.diff: also check the sudo group |
814 | + in plugins/sudoers/sudoers.c to create the admin flag file. Leave the |
815 | + admin group check for backwards compatibility. |
816 | + - Dropped patches no longer needed: |
817 | + + debian/patches/pam_check_untranslated_prompt.patch: upstream. |
818 | + |
819 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 30 Mar 2016 08:03:52 -0400 |
820 | + |
821 | sudo (1.8.15-1.1) unstable; urgency=medium |
822 | |
823 | * Non-maintainer upload |
824 | @@ -555,6 +1241,58 @@ sudo (1.8.15-1) unstable; urgency=low |
825 | |
826 | -- Bdale Garbee <bdale@gag.com> Wed, 23 Dec 2015 11:15:22 -0700 |
827 | |
828 | +sudo (1.8.12-1ubuntu3) wily; urgency=medium |
829 | + |
830 | + * debian/patches/pam_check_untranslated_prompt.patch: also check the un- |
831 | + translated version of the prompt when checking if the PAM prompt matches |
832 | + "Password:". Patch from Joel Pelaez Jorge. (LP: #1414303) |
833 | + |
834 | + -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Tue, 22 Sep 2015 11:57:43 -0400 |
835 | + |
836 | +sudo (1.8.12-1ubuntu2) wily; urgency=medium |
837 | + |
838 | + * Use tmpfs location to store timestamp files (LP: #1458031) |
839 | + - debian/rules: change --with-rundir to /var/run/sudo |
840 | + - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop |
841 | + shipping init script and service file, as they are no longer |
842 | + necessary. |
843 | + - debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old init |
844 | + script with dpkg-maintscript-helper. |
845 | + - debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo |
846 | + transition code, remove old /var/lib/sudo/ts timestamp directory. |
847 | + |
848 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 05 Jun 2015 09:31:38 -0400 |
849 | + |
850 | +sudo (1.8.12-1ubuntu1) wily; urgency=medium |
851 | + |
852 | + * Merge from Debian unstable. (LP: #1451274, LP: #1219337) |
853 | + Remaining changes: |
854 | + - debian/rules: |
855 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
856 | + + install man/man8/sudo_root.8 in both flavours |
857 | + + install apport hooks |
858 | + - debian/sudoers: |
859 | + + also grant admin group sudo access |
860 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
861 | + + add usr/share/apport/package-hooks |
862 | + - debian/sudo.pam: |
863 | + + Use pam_env to read /etc/environment and /etc/default/locale |
864 | + environment files. Reading ~/.pam_environment is not permitted due to |
865 | + security reasons. |
866 | + - debian/control: |
867 | + + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command |
868 | + - Remaining patches: |
869 | + + keep_home_by_default.patch: Keep HOME in the default environment |
870 | + + debian/patches/also_check_sudo_group.diff: also check the sudo group |
871 | + in plugins/sudoers/sudoers.c to create the admin flag file. Leave the |
872 | + admin group check for backwards compatibility. |
873 | + * Dropped patches no longer needed: |
874 | + + add_probe_interfaces_setting.diff |
875 | + + actually-use-buildflags.diff |
876 | + + CVE-2014-9680.patch |
877 | + |
878 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2015 15:43:49 -0400 |
879 | + |
880 | sudo (1.8.12-1) unstable; urgency=low |
881 | |
882 | * new upstream version, closes: #772707, #773383 |
883 | @@ -597,6 +1335,64 @@ sudo (1.8.10p3-1) unstable; urgency=low |
884 | |
885 | -- Bdale Garbee <bdale@gag.com> Sun, 14 Sep 2014 10:20:15 -0600 |
886 | |
887 | +sudo (1.8.9p5-1ubuntu5) vivid; urgency=medium |
888 | + |
889 | + * SECURITY UPDATE: arbitrary file access via TZ |
890 | + - debian/patches/CVE-2014-9680.patch: sanity check TZ env variable in |
891 | + configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in, |
892 | + doc/sudoers.mdoc.in, m4/sudo.m4, pathnames.h.in, |
893 | + plugins/sudoers/env.c. |
894 | + - CVE-2014-9680 |
895 | + |
896 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 12 Mar 2015 10:45:21 -0400 |
897 | + |
898 | +sudo (1.8.9p5-1ubuntu4) vivid; urgency=medium |
899 | + |
900 | + * Correct sudo.pam use "session" for pam_env.so, not "auth". (LP: |
901 | + #155794, LP: #25700) |
902 | + |
903 | + -- Dimitri John Ledkov <dimitri.j.ledkov@linux.intel.com> Tue, 23 Dec 2014 04:08:33 +0000 |
904 | + |
905 | +sudo (1.8.9p5-1ubuntu3) vivid; urgency=medium |
906 | + |
907 | + * debian/patches/also_check_sudo_group.diff: also check the sudo group |
908 | + in plugins/sudoers/sudoers.c to create the admin flag file. Leave the |
909 | + admin group check for backwards compatibility. (LP: #1387347) |
910 | + |
911 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 29 Oct 2014 15:55:34 -0400 |
912 | + |
913 | +sudo (1.8.9p5-1ubuntu2) utopic; urgency=medium |
914 | + |
915 | + * debian/sudo_root.8: mention sudo group instead of deprecated group |
916 | + admin (LP: #1130643) |
917 | + |
918 | + -- Andrey Bondarenko <abondarenko@users.sourceforge.net> Sat, 23 Aug 2014 01:18:05 +0600 |
919 | + |
920 | +sudo (1.8.9p5-1ubuntu1) trusty; urgency=low |
921 | + |
922 | + * Merge from Debian unstable. Remaining changes: |
923 | + - debian/rules: |
924 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
925 | + + install man/man8/sudo_root.8 in both flavours |
926 | + + install apport hooks |
927 | + - debian/sudoers: |
928 | + + also grant admin group sudo access |
929 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
930 | + + add usr/share/apport/package-hooks |
931 | + - debian/sudo.pam: |
932 | + + Use pam_env to read /etc/environment and /etc/default/locale |
933 | + environment files. Reading ~/.pam_environment is not permitted due to |
934 | + security reasons. |
935 | + - debian/control: |
936 | + + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command |
937 | + - Remaining patches: |
938 | + + keep_home_by_default.patch: Keep HOME in the default environment |
939 | + + actually-use-buildflags: Pass LDFLAGS everywhere |
940 | + + add_probe_interfaces_setting.diff: option to disable network inf probe |
941 | + * add_probe_interfaces_setting.diff: fix to not modify NEWS file. |
942 | + |
943 | + -- Chris J Arges <chris.j.arges@ubuntu.com> Mon, 10 Feb 2014 12:21:53 -0600 |
944 | + |
945 | sudo (1.8.9p5-1) unstable; urgency=low |
946 | |
947 | * new upstream release, closes: #735328 |
948 | @@ -643,6 +1439,33 @@ sudo (1.8.8-3) unstable; urgency=low |
949 | |
950 | -- Bdale Garbee <bdale@gag.com> Wed, 30 Oct 2013 10:33:44 -0600 |
951 | |
952 | +sudo (1.8.8-2ubuntu2) trusty; urgency=medium |
953 | + |
954 | + * Build using dh-autoreconf. |
955 | + |
956 | + -- Matthias Klose <doko@ubuntu.com> Sun, 15 Dec 2013 16:24:49 +0100 |
957 | + |
958 | +sudo (1.8.8-2ubuntu1) trusty; urgency=low |
959 | + |
960 | + * Merge from Debian unstable. Remaining changes: |
961 | + - debian/rules: |
962 | + + compile with --without-lecture --with-tty-tickets --enable-admin-flag |
963 | + + install man/man8/sudo_root.8 in both flavours |
964 | + + install apport hooks |
965 | + - debian/sudoers: |
966 | + + also grant admin group sudo access |
967 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
968 | + + add usr/share/apport/package-hooks |
969 | + - debian/sudo.pam: |
970 | + + Use pam_env to read /etc/environment and /etc/default/locale |
971 | + environment files. Reading ~/.pam_environment is not permitted due to |
972 | + security reasons. |
973 | + - Remaining patches: |
974 | + + keep_home_by_default.patch: Keep HOME in the default environment |
975 | + + actually-use-buildflags: Pass LDFLAGS everywhere |
976 | + |
977 | + -- Stéphane Graber <stgraber@ubuntu.com> Tue, 22 Oct 2013 17:43:37 -0400 |
978 | + |
979 | sudo (1.8.8-2) unstable; urgency=low |
980 | |
981 | * fix touch errors on boot, closes: #725193 |
982 | @@ -698,6 +1521,72 @@ sudo (1.8.7-1) unstable; urgency=low |
983 | |
984 | -- Bdale Garbee <bdale@gag.com> Wed, 14 Aug 2013 00:01:14 +0200 |
985 | |
986 | +sudo (1.8.6p3-0ubuntu3) raring; urgency=low |
987 | + |
988 | + * SECURITY UPDATE: authentication bypass via clock set to epoch |
989 | + - debian/patches/CVE-2013-1775.patch: ignore time stamp file if it is |
990 | + set to epoch in plugins/sudoers/check.c. |
991 | + - CVE-2013-1775 |
992 | + |
993 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 27 Feb 2013 13:26:26 -0500 |
994 | + |
995 | +sudo (1.8.6p3-0ubuntu2) raring; urgency=low |
996 | + |
997 | + * The latest sssd upload dropped the soname from libsss_sudo.so, so we |
998 | + can now drop our sudo delta and just use libsss_sudo.so directly. |
999 | + |
1000 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 07 Dec 2012 23:11:45 -0500 |
1001 | + |
1002 | +sudo (1.8.6p3-0ubuntu1) raring; urgency=low |
1003 | + |
1004 | + * New upstream release (1.8.6p3). |
1005 | + * Add patch to fix building with sssd when ldap is disabled. |
1006 | + * Drop sudo.manpages and sudo-ldap.manpages as the upstream build system |
1007 | + now does the right thing here. |
1008 | + * Build the main sudo package with support for sssd, this doesn't add any |
1009 | + additional build time or runtime dependency. sudo will dynamically load |
1010 | + the sssd library if 'sss' is listed for the 'sudoers' nss service. |
1011 | + |
1012 | + -- Stéphane Graber <stgraber@ubuntu.com> Fri, 16 Nov 2012 09:31:32 -0500 |
1013 | + |
1014 | +sudo (1.8.5p2-1ubuntu1) quantal; urgency=low |
1015 | + |
1016 | + * Merge from debian/testing (LP: #1024154), remaining changes: |
1017 | + - debian/patches/keep_home_by_default.patch: |
1018 | + + Set HOME in initial_keepenv_table. |
1019 | + - debian/rules: |
1020 | + + compile with --without-lecture --with-tty-tickets (Ubuntu specific) |
1021 | + + install man/man8/sudo_root.8 in both flavours (Ubuntu specific) |
1022 | + + install apport hooks |
1023 | + + The ubuntu-sudo-as-admin-successful.patch was taken upstream by |
1024 | + Debian however it requires a --enable-admin-flag configure flag to |
1025 | + actually enable it in both flavours. |
1026 | + - debian/control: |
1027 | + + Mark Debian Vcs-* as XS-Debian-Vcs-* |
1028 | + + update debian/control |
1029 | + - debian/sudoers: |
1030 | + + grant admin group sudo access |
1031 | + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: |
1032 | + + add usr/share/apport/package-hooks |
1033 | + - debian/sudo.pam: |
1034 | + + Use pam_env to read /etc/environment and /etc/default/locale |
1035 | + environment files. Reading ~/.pam_environment is not permitted due to |
1036 | + security reasons. |
1037 | + * Dropped changes: |
1038 | + - debian/patches/lp927828-fix-abort-in-pam-modules-when-timestamp-valid.patch |
1039 | + + Fixed upstream in 1.8.5 |
1040 | + - debian/patches/CVE-2012-2337.patch: |
1041 | + + Fixed upstream in 1.8.4p5 |
1042 | + - debian/patches/pam_env_merge.patch: |
1043 | + + Feature released upstream in 1.8.5 |
1044 | + - debian/{sudo,sudo-ldap}.{preinst,postinst,postrm}: |
1045 | + + Drop Ubuntu-specific sudoers file migration code because the only |
1046 | + upgrade path to quantal is from precise. All necessary sudoers file |
1047 | + migration will have already been done by the time this version of the |
1048 | + sudo package is installed. |
1049 | + |
1050 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 16 Jul 2012 14:01:42 +0200 |
1051 | + |
1052 | sudo (1.8.5p2-1) unstable; urgency=low |
1053 | |
1054 | * new upstream version |
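Review bot: CVE-2013-1775.patch is added at lines 988-991 (1.8.6p3-0ubuntu3), but no later entry in this diff accounts for it. The next Ubuntu merge, 1.8.8-2ubuntu1 (lines 958-977), lists only keep_home_by_default.patch and actually-use-buildflags as remaining patches and has no "Dropped" section. The same applies to the unnamed sssd build patch at line 1005. Please confirm that the epoch time stamp check is in the upstream code this merge is based on, so that the missing drop record is only a documentation gap.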
1055 | @@ -708,6 +1597,54 @@ sudo (1.8.5p2-1) unstable; urgency=low |
1056 | |
1057 | -- Bdale Garbee <bdale@gag.com> Thu, 28 Jun 2012 12:01:37 -0600 |
1058 | |
1059 | +sudo (1.8.3p2-1ubuntu2) quantal; urgency=low |
1060 | + |
1061 | + * debian/patches/pam_env_merge.patch: Merge the PAM environment into the |
1062 | + user environment (LP: #982684) |
1063 | + * debian/sudo.pam: Use pam_env to read /etc/environment and |
1064 | + /etc/default/locale environment files. Reading ~/.pam_environment is not |
1065 | + permitted due to security reasons. |
1066 | + |
1067 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 21 May 2012 00:48:10 -0500 |
1068 | + |
1069 | +sudo (1.8.3p2-1ubuntu1) quantal; urgency=low |
1070 | + |
1071 | + * Merge from debian/testing, remaining changes: |
1072 | + - debian/patches/keep_home_by_default.patch: |
1073 | + + Set HOME in initial_keepenv_table. (rebased for 1.8.3p1) |
1074 | + - debian/patches/lp927828-fix-abort-in-pam-modules-when-timestamp-valid.patch |
1075 | + + Fix Abort in some PAM modules when timestamp is valid. (LP: #927828) |
1076 | + - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4 |
1077 | + addresses. Based on upstream patch. |
1078 | + - debian/rules: |
1079 | + + compile with --without-lecture --with-tty-tickets (Ubuntu specific) |
1080 | + + install man/man8/sudo_root.8 in both flavours (Ubuntu specific) |
1081 | + + install apport hooks |
1082 | + + The ubuntu-sudo-as-admin-successful.patch was taken upstream by |
1083 | + Debian however it requires a --enable-admin-flag configure flag to |
1084 | + actually enable it in both flavours. |
1085 | + - debian/control: |
1086 | + + Mark Debian Vcs-* as XS-Debian-Vcs-* |
1087 | + + update debian/control |
1088 | + - debian/sudoers: |
1089 | + + grant admin group sudo access |
1090 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
1091 | + + add usr/share/apport/package-hooks |
1092 | + - debian/sudo.preinst: |
1093 | + + avoid conffile prompt by checking for known default /etc/sudoers |
1094 | + and if found installing the correct default /etc/sudoers file. |
1095 | + Modified for updated default sudoers. Aproach taken is different |
1096 | + from Debian. Maybe this should now be dropped, since an LTS was |
1097 | + released. |
1098 | + |
1099 | + * Dropped changes: |
1100 | + - debian/patches/CVE-2012-0809.patch: |
1101 | + + dropped, included in this new upstream release. |
1102 | + - debian/patches/enable_badpass.patch: |
1103 | + + dropped as Debian chose to set this by default in the sudoers. |
1104 | + |
1105 | + -- Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com> Tue, 01 May 2012 16:12:45 +0100 |
1106 | + |
1107 | sudo (1.8.3p2-1) unstable; urgency=high |
1108 | |
1109 | * new upstream version, closes: #657985 (CVE-2012-0809) |
1110 | @@ -738,6 +1675,66 @@ sudo (1.8.3p1-2) unstable; urgency=low |
1111 | |
1112 | -- Bdale Garbee <bdale@gag.com> Sat, 12 Nov 2011 16:27:13 -0700 |
1113 | |
1114 | +sudo (1.8.3p1-1ubuntu5) quantal; urgency=low |
1115 | + |
1116 | + * SECURITY UPDATE: Properly handle netmasks in sudoers Host and Host_List |
1117 | + values (LP: #1000276) |
1118 | + - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4 |
1119 | + addresses. Based on upstream patch. |
1120 | + - CVE-2012-2337 |
1121 | + |
1122 | + -- Tyler Hicks <tyhicks@canonical.com> Wed, 16 May 2012 09:42:17 -0500 |
1123 | + |
1124 | +sudo (1.8.3p1-1ubuntu4) quantal; urgency=low |
1125 | + |
1126 | + * Fix Abort in some PAM modules when timestamp is valid. (LP: #927828) |
1127 | + |
1128 | + -- TJ (Ubuntu Contributions) <ubuntu@tjworld.net> Mon, 30 Apr 2012 17:55:27 +0100 |
1129 | + |
1130 | +sudo (1.8.3p1-1ubuntu3) precise; urgency=low |
1131 | + |
1132 | + * SECURITY UPDATE: permissions bypass via format string |
1133 | + - debian/patches/CVE-2012-0809.patch: fix format string vulnerability |
1134 | + in src/sudo.c. |
1135 | + - CVE-2012-0809 |
1136 | + |
1137 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 31 Jan 2012 10:25:52 -0500 |
1138 | + |
1139 | +sudo (1.8.3p1-1ubuntu2) precise; urgency=low |
1140 | + |
1141 | + * debian/sudo.preinst: |
1142 | + - updated to avoid conffile prompt by migrating to the new sudoers file |
1143 | + changes in Precise. (LP: #894410) |
1144 | + |
1145 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 24 Nov 2011 10:48:58 -0500 |
1146 | + |
1147 | +sudo (1.8.3p1-1ubuntu1) precise; urgency=low |
1148 | + |
1149 | + * Merge from debian/testing, remaining changes: |
1150 | + - debian/patches/keep_home_by_default.patch: |
1151 | + + Set HOME in initial_keepenv_table. (rebased for 1.8.3p1) |
1152 | + - debian/patches/enable_badpass.patch: turn on "mail_badpass" by default: |
1153 | + + attempting sudo without knowing a login password is as bad as not |
1154 | + being listed in the sudoers file, especially if getting the password |
1155 | + wrong means doing the access-check-email-notification never happens |
1156 | + (rebased for 1.8.3p1) |
1157 | + - debian/rules: |
1158 | + + compile with --without-lecture --with-tty-tickets (Ubuntu specific) |
1159 | + + install man/man8/sudo_root.8 (Ubuntu specific) |
1160 | + + install apport hooks |
1161 | + + The ubuntu-sudo-as-admin-successful.patch was taken upstream by |
1162 | + Debian however it requires a --enable-admin-flag configure flag to |
1163 | + actually enable it. |
1164 | + - debian/sudoers: |
1165 | + + grant admin group sudo access |
1166 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
1167 | + + add usr/share/apport/package-hooks |
1168 | + - debian/sudo.preinst: |
1169 | + + avoid conffile prompt by checking for known default /etc/sudoers |
1170 | + and if found installing the correct default /etc/sudoers file |
1171 | + |
1172 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sun, 20 Nov 2011 12:07:45 -0500 |
1173 | + |
1174 | sudo (1.8.3p1-1) unstable; urgency=low |
1175 | |
1176 | * new upstream version, closes: #646478 |
1177 | @@ -780,6 +1777,33 @@ sudo (1.8.2-1) unstable; urgency=low |
1178 | |
1179 | -- Bdale Garbee <bdale@gag.com> Wed, 24 Aug 2011 13:33:11 -0600 |
1180 | |
1181 | +sudo (1.7.4p6-1ubuntu2) oneiric; urgency=low |
1182 | + |
1183 | + * debian/patches/enable_badpass.patch: turn on "mail_badpass" by default: |
1184 | + - attempting sudo without knowing a login password is as bad as not |
1185 | + being listed in the sudoers file, especially if getting the password |
1186 | + wrong means doing the access-check-email-notification never happens |
1187 | + (Closes: 641218). |
1188 | + |
1189 | + -- Kees Cook <kees@ubuntu.com> Sun, 11 Sep 2011 10:29:08 -0700 |
1190 | + |
1191 | +sudo (1.7.4p6-1ubuntu1) oneiric; urgency=low |
1192 | + |
1193 | + * Merge from debian/unstable, remaining changes: |
1194 | + - debian/patches/keep_home_by_default.patch: |
1195 | + + Set HOME in initial_keepenv_table. |
1196 | + - debian/rules: |
1197 | + + compile with --without-lecture --with-tty-tickets (Ubuntu specific) |
1198 | + + install man/man8/sudo_root.8 (Ubuntu specific) |
1199 | + + install apport hooks |
1200 | + - debian/sudoers: |
1201 | + + grant admin group sudo access |
1202 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: |
1203 | + + add usr/share/apport/package-hooks |
1204 | + * drop debian/patches/CVE-2011-0010.patch, applied upstream now |
1205 | + |
1206 | + -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 23 May 2011 09:50:37 +0200 |
1207 | + |
1208 | sudo (1.7.4p6-1) unstable; urgency=low |
1209 | |
1210 | * new upstream version |
1211 | @@ -796,6 +1820,77 @@ sudo (1.7.4p4-6) unstable; urgency=low |
1212 | |
1213 | -- Bdale Garbee <bdale@gag.com> Tue, 11 Jan 2011 10:22:39 -0700 |
1214 | |
1215 | +sudo (1.7.4p4-5ubuntu8) oneiric; urgency=low |
1216 | + |
1217 | + * debian/sudo.preinst: |
1218 | + - if well-known ec2 vmbuilder file is found, write a file in |
1219 | + sudoers.d for the 'ubuntu' user (LP: #768625) |
1220 | + |
1221 | + -- Scott Moser <smoser@ubuntu.com> Thu, 21 Apr 2011 18:04:34 -0400 |
1222 | + |
1223 | +sudo (1.7.4p4-5ubuntu7) natty; urgency=low |
1224 | + |
1225 | + * debian/sudo.preinst: |
1226 | + - do not consider the ec2 vmbuilder default sudoers file |
1227 | + verbatim as its actually customized (LP: #761689) |
1228 | + |
1229 | + -- Michael Vogt <michael.vogt@ubuntu.com> Fri, 15 Apr 2011 16:40:10 +0200 |
1230 | + |
1231 | +sudo (1.7.4p4-5ubuntu6) natty; urgency=low |
1232 | + |
1233 | + * debian/patches/keep_home_by_default.patch: Set HOME in |
1234 | + initial_keepenv_table. LP: #760140 |
1235 | + |
1236 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 13 Apr 2011 12:32:25 -0700 |
1237 | + |
1238 | +sudo (1.7.4p4-5ubuntu5) natty; urgency=low |
1239 | + |
1240 | + * debian/sudo.preinst: |
1241 | + - avoid conffile prompt by checking for known default /etc/sudoers |
1242 | + and if found installing the correct default /etc/sudoers file |
1243 | + (LP: #690873) |
1244 | + |
1245 | + -- Michael Vogt <michael.vogt@ubuntu.com> Fri, 25 Mar 2011 09:13:43 +0100 |
1246 | + |
1247 | +sudo (1.7.4p4-5ubuntu4) natty; urgency=low |
1248 | + |
1249 | + * debian/rules: The ubuntu-sudo-as-admin-successful.patch was taken |
1250 | + upstream by Debian however it requires a --enable-admin-flag configure |
1251 | + flag to actually enable it. |
1252 | + (LP: #706045) |
1253 | + |
1254 | + -- Bryce Harrington <bryce@ubuntu.com> Thu, 10 Feb 2011 12:01:53 -0800 |
1255 | + |
1256 | +sudo (1.7.4p4-5ubuntu3) natty; urgency=low |
1257 | + |
1258 | + * SECURITY UPDATE: privilege escalation via -g when using group Runas_List |
1259 | + - debian/patches/CVE-2011-0010.patch: prompt for password when the user is |
1260 | + running sudo as himself but as a different group |
1261 | + - CVE-2011-0010 |
1262 | + |
1263 | + -- Jamie Strandboge <jamie@ubuntu.com> Tue, 18 Jan 2011 16:37:09 -0600 |
1264 | + |
1265 | +sudo (1.7.4p4-5ubuntu2) natty; urgency=low |
1266 | + |
1267 | + * debian/sudoers: temporarily workaround LP #690873 by adding %admin |
1268 | + into the default sudoers file in case people just say "yes" to the |
1269 | + dpkg conffile prompt. |
1270 | + |
1271 | + -- Kees Cook <kees@ubuntu.com> Wed, 15 Dec 2010 15:38:17 -0800 |
1272 | + |
1273 | +sudo (1.7.4p4-5ubuntu1) natty; urgency=low |
1274 | + |
1275 | + * Merge from debian unstable (LP: #689025), remaining changes: |
1276 | + - debian/rules: |
1277 | + + compile with --without-lecture --with-tty-tickets (Ubuntu specific) |
1278 | + + install man/man8/sudo_root.8 (Ubuntu specific) |
1279 | + + install apport hooks |
1280 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: add |
1281 | + usr/share/apport/package-hooks |
1282 | + * This upload also fixes: LP: #609645 |
1283 | + |
1284 | + -- Lorenzo De Liso <blackz@ubuntu.com> Wed, 15 Dec 2010 21:32:57 +0100 |
1285 | + |
1286 | sudo (1.7.4p4-5) unstable; urgency=low |
1287 | |
1288 | * patch from Jakub Wilk to add noopt and nostrip build option support, |
1289 | @@ -849,6 +1944,47 @@ sudo (1.7.4p4-1) unstable; urgency=high |
1290 | |
1291 | -- Bdale Garbee <bdale@gag.com> Tue, 07 Sep 2010 12:22:42 -0600 |
1292 | |
1293 | +sudo (1.7.2p7-1ubuntu3) natty; urgency=low |
1294 | + |
1295 | + * No-change upload to drop sizable upstream changelog. |
1296 | + |
1297 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 22 Nov 2010 11:24:33 +0100 |
1298 | + |
1299 | +sudo (1.7.2p7-1ubuntu2) maverick; urgency=low |
1300 | + |
1301 | + * SECURITY UPDATE: privilege escalation via '-g' option when using |
1302 | + 'user:group' in Runas_Spec |
1303 | + - debian/patches/CVE-2010-2956.patch: update match.c to verify both user |
1304 | + and group match sudoers when using '-g' |
1305 | + - CVE-2010-2956 |
1306 | + |
1307 | + -- Jamie Strandboge <jamie@ubuntu.com> Tue, 31 Aug 2010 14:54:06 -0500 |
1308 | + |
1309 | +sudo (1.7.2p7-1ubuntu1) maverick; urgency=low |
1310 | + |
1311 | + * Merge from debian unstable. Remaining changes: |
1312 | + - debian/rules: |
1313 | + - compile with --without-lecture --with-tty-tickets (Ubuntu specific) |
1314 | + - install man/man8/sudo_root.8 (Ubuntu specific) |
1315 | + - install apport hooks |
1316 | + - debian/sudo-ldap.dirs, debian/sudo.dirs: add |
1317 | + usr/share/apport/package-hooks |
1318 | + - debian/patches/ubuntu-sudo-as-admin-successful.patch: adjust sudo.c so |
1319 | + that if the user successfully authenticated and he is in the 'admin' |
1320 | + group, then create a stamp ~/.sudo_as_admin_successful. Our default bash |
1321 | + profile checks for this and displays a short intro about sudo if the flag |
1322 | + is not present |
1323 | + * Dropped the following, now included upstream: |
1324 | + - fix for CVE-2010-1163 |
1325 | + - fix for CVE-2010-0426 |
1326 | + - debian/sudo.postinst, debian/sudo-ldap.postinst: update description to |
1327 | + match behavior in sudoers file |
1328 | + - don't install init script. Debian moved to /var/lib/sudo from |
1329 | + /var/run/sudo, so Ubuntu's tmpfs usage won't clean those out |
1330 | + automatically any more, so we now need the initscript. |
1331 | + |
1332 | + -- Jamie Strandboge <jamie@ubuntu.com> Tue, 06 Jul 2010 11:43:05 -0500 |
1333 | + |
1334 | sudo (1.7.2p7-1) unstable; urgency=high |
1335 | |
1336 | * new upstream release with security fix for secure path (CVE-2010-1646), |
1337 | @@ -884,6 +2020,62 @@ sudo (1.7.2p5-1) unstable; urgency=low |
1338 | |
1339 | -- Bdale Garbee <bdale@gag.com> Thu, 11 Mar 2010 15:44:53 -0700 |
1340 | |
1341 | +sudo (1.7.2p1-1ubuntu5) lucid; urgency=low |
1342 | + |
1343 | + * SECURITY UPDATE: properly verify path in find_path.c for the 'sudoedit' |
1344 | + pseudo-command when running from the current working directory and |
1345 | + secure_path is disabled |
1346 | + - CVE-2010-XXXX |
1347 | + |
1348 | + -- Jamie Strandboge <jamie@ubuntu.com> Wed, 07 Apr 2010 15:35:36 -0500 |
1349 | + |
1350 | +sudo (1.7.2p1-1ubuntu4) lucid; urgency=low |
1351 | + |
1352 | + * env.c: Revert addition of "http_proxy" again. This was an Ubuntu specific |
1353 | + EBW hack, caused inconsistencies with other proxy variables (such as |
1354 | + https_proxy and ftp_proxy), made sudo incompatible to upstream |
1355 | + behaviour/documentation. This is solved in a much better way in apt itself |
1356 | + and gnome-network-properties now. (LP: #432631) |
1357 | + |
1358 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 26 Mar 2010 18:48:18 +0100 |
1359 | + |
1360 | +sudo (1.7.2p1-1ubuntu3) lucid; urgency=low |
1361 | + |
1362 | + * debian/sudo.postinst, debian/sudo-ldap.postinst: update description to |
1363 | + match behaviour in sudoers file. (LP: #534090) |
1364 | + |
1365 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sun, 07 Mar 2010 19:49:39 -0500 |
1366 | + |
1367 | +sudo (1.7.2p1-1ubuntu2) lucid; urgency=low |
1368 | + |
1369 | + * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command |
1370 | + in match.c |
1371 | + - http://sudo.ws/repos/sudo/rev/88f3181692fe |
1372 | + - CVE-2010-0426 |
1373 | + |
1374 | + -- Jamie Strandboge <jamie@ubuntu.com> Wed, 24 Feb 2010 16:50:11 -0600 |
1375 | + |
1376 | +sudo (1.7.2p1-1ubuntu1) lucid; urgency=low |
1377 | + |
1378 | + * Merge from debian testing. Remaining changes: |
1379 | + - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu |
1380 | + specific) |
1381 | + - Add debian/sudo_root.8: Explanation of root handling through sudo. |
1382 | + Install it in debian/rules. (Ubuntu specific) |
1383 | + - sudo.c: If the user successfully authenticated and he is in the 'admin' |
1384 | + group, then create a stamp ~/.sudo_as_admin_successful. Our default bash |
1385 | + profile checks for this and displays a short intro about sudo if the |
1386 | + flag is not present. (Ubuntu specific) |
1387 | + - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept |
1388 | + for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at |
1389 | + some point) |
1390 | + - debian/{rules,postinst,sudo-ldap.postinst}: Disable init script |
1391 | + installation. Debian reintroduced it because /var/run tmpfs is not the |
1392 | + default there, but has been on Ubuntu for ages. |
1393 | + - debian/{source_sudo.py,rules,sudo-ldap.dirs,sudo.dirs}: Add apport hook |
1394 | + |
1395 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Feb 2010 18:47:06 -0500 |
1396 | + |
1397 | sudo (1.7.2p1-1) unstable; urgency=low |
1398 | |
1399 | * new upstream version |
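Review bot: the 1.7.2p1-1ubuntu5 entry in this hunk still carries the placeholder id "CVE-2010-XXXX" for the sudoedit path fix in find_path.c. The 1.7.2p7-1ubuntu1 entry earlier in the file lists the fixes for CVE-2010-1163 and CVE-2010-0426 as dropped because they went upstream, so the assigned id can probably be recovered from there. If historical entries are being carried verbatim from the previous Ubuntu upload, leave it as is, but confirm that this text matches that upload byte for byte.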
1400 | @@ -911,6 +2103,40 @@ sudo (1.7.2-1) unstable; urgency=low |
1401 | |
1402 | -- Bdale Garbee <bdale@gag.com> Wed, 15 Jul 2009 01:29:46 -0600 |
1403 | |
1404 | +sudo (1.7.0-1ubuntu3) lucid; urgency=low |
1405 | + |
1406 | + * debian/{source_sudo.py,rules}: Add apport hook |
1407 | + |
1408 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Jan 2010 09:31:00 -0500 |
1409 | + |
1410 | +sudo (1.7.0-1ubuntu2) karmic; urgency=low |
1411 | + |
1412 | + * env.c: add logic similar to pam_env's stripping of single and double |
1413 | + quotes around /etc/environment env vars; fixes literal quotes in LANG when |
1414 | + using sudo -i; LP: #387262. |
1415 | + |
1416 | + -- Loïc Minier <loic.minier@ubuntu.com> Mon, 22 Jun 2009 18:03:45 +0200 |
1417 | + |
1418 | +sudo (1.7.0-1ubuntu1) karmic; urgency=low |
1419 | + |
1420 | + * Merge from debian unstable, remaining changes: |
1421 | + - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu |
1422 | + specific) |
1423 | + - Add debian/sudo_root.8: Explanation of root handling through sudo. |
1424 | + Install it in debian/rules. (Ubuntu specific) |
1425 | + - sudo.c: If the user successfully authenticated and he is in the 'admin' |
1426 | + group, then create a stamp ~/.sudo_as_admin_successful. Our default bash |
1427 | + profile checks for this and displays a short intro about sudo if the |
1428 | + flag is not present. (Ubuntu specific) |
1429 | + - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept |
1430 | + for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at |
1431 | + some point) |
1432 | + - debian/{rules,postinst,sudo-ldap.postinst}: Disable init script |
1433 | + installation. Debian reintroduced it because /var/run tmpfs is not the |
1434 | + default there, but has been on Ubuntu for ages. |
1435 | + |
1436 | + -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 11 May 2009 18:07:03 +0200 |
1437 | + |
1438 | sudo (1.7.0-1) unstable; urgency=low |
1439 | |
1440 | * new upstream version, closes: #510179, #128268, #520274, #508514 |
1441 | diff --git a/debian/control b/debian/control |
1442 | index b5a73de..92387f8 100644 |
1443 | --- a/debian/control |
1444 | +++ b/debian/control |
1445 | @@ -1,7 +1,8 @@ |
1446 | Source: sudo |
1447 | Section: admin |
1448 | Priority: optional |
1449 | -Maintainer: Sudo Maintainers <sudo@packages.debian.org> |
1450 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1451 | +XSBC-Original-Maintainer: Sudo Maintainers <sudo@packages.debian.org> |
1452 | Uploaders: Marc Haber <mh+debian-packages@zugschlus.de>, |
1453 | Hanno Wagner <wagner@debian.org>, |
1454 | Hilko Bengen <bengen@debian.org>, |
1455 | diff --git a/debian/etc/pam.d/sudo b/debian/etc/pam.d/sudo |
1456 | index 96e8906..7819ab1 100644 |
1457 | --- a/debian/etc/pam.d/sudo |
1458 | +++ b/debian/etc/pam.d/sudo |
1459 | @@ -3,6 +3,9 @@ |
1460 | # Set up user limits from /etc/security/limits.conf. |
1461 | session required pam_limits.so |
1462 | |
1463 | +session required pam_env.so readenv=1 user_readenv=0 |
1464 | +session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 |
1465 | + |
1466 | @include common-auth |
1467 | @include common-account |
1468 | @include common-session-noninteractive |
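Review bot: the two added pam_env.so session lines have no comment, while the pam_limits.so line directly above them does. Please add a line saying that they load /etc/environment and /etc/default/locale into the sudo session, and that user_readenv=0 is deliberate so that a per-user environment file is never read for a privileged session. The identical addition to debian/etc/pam.d/sudo-i needs the same comment, so that a later merge does not drop or weaken user_readenv=0 by accident.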
1469 | diff --git a/debian/etc/pam.d/sudo-i b/debian/etc/pam.d/sudo-i |
1470 | index d638522..584b2d8 100644 |
1471 | --- a/debian/etc/pam.d/sudo-i |
1472 | +++ b/debian/etc/pam.d/sudo-i |
1473 | @@ -3,6 +3,9 @@ |
1474 | # Set up user limits from /etc/security/limits.conf. |
1475 | session required pam_limits.so |
1476 | |
1477 | +session required pam_env.so readenv=1 user_readenv=0 |
1478 | +session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0 |
1479 | + |
1480 | @include common-auth |
1481 | @include common-account |
1482 | @include common-session |
1483 | diff --git a/debian/etc/sudoers b/debian/etc/sudoers |
1484 | index b5da8e9..8b0fb7f 100644 |
1485 | --- a/debian/etc/sudoers |
1486 | +++ b/debian/etc/sudoers |
1487 | @@ -8,7 +8,7 @@ |
1488 | # |
1489 | Defaults env_reset |
1490 | Defaults mail_badpass |
1491 | -Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |
1492 | +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" |
1493 | |
1494 | # This fixes CVE-2005-4890 and possibly breaks some versions of kdesu |
1495 | # (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532) |
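Review bot: the secure_path line now ends in ":/snap/bin" with nothing in the file marking it as an Ubuntu delta. The neighbouring use_pty default has a comment explaining why it is set, and this one should too, since secure_path decides which binaries sudo resolves by bare name. Keeping /snap/bin as the last component is the right order (every system directory wins on a name collision); please state that in the comment so the ordering survives future merges.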
1496 | @@ -46,6 +46,9 @@ Defaults use_pty |
1497 | # User privilege specification |
1498 | root ALL=(ALL:ALL) ALL |
1499 | |
1500 | +# Members of the admin group may gain root privileges |
1501 | +%admin ALL=(ALL) ALL |
1502 | + |
1503 | # Allow members of group sudo to execute any command |
1504 | %sudo ALL=(ALL:ALL) ALL |
1505 | |
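Review bot: the added rule "%admin ALL=(ALL) ALL" uses a different Runas spec from the two rules around it, which are "root ALL=(ALL:ALL) ALL" and "%sudo ALL=(ALL:ALL) ALL". If the difference is intentional, say so in the comment; otherwise align it with "(ALL:ALL)". Note also that this line grants full root to members of any group named admin that exists on the system, while the sudo_root.8 page added in this same merge documents only the sudo group. Please either mention admin there or confirm that the legacy group is still needed.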
1506 | diff --git a/debian/sudo-ldap.init b/debian/sudo-ldap.init |
1507 | deleted file mode 100644 |
1508 | index b907b8a..0000000 |
1509 | --- a/debian/sudo-ldap.init |
1510 | +++ /dev/null |
1511 | @@ -1,46 +0,0 @@ |
1512 | -#! /bin/sh |
1513 | - |
1514 | -### BEGIN INIT INFO |
1515 | -# Provides: sudo-ldap |
1516 | -# Required-Start: $local_fs $remote_fs |
1517 | -# Required-Stop: |
1518 | -# X-Start-Before: rmnologin |
1519 | -# Default-Start: 2 3 4 5 |
1520 | -# Default-Stop: |
1521 | -# Short-Description: Provide limited super user privileges to specific users |
1522 | -# Description: Provide limited super user privileges to specific users. |
1523 | -### END INIT INFO |
1524 | - |
1525 | -. /lib/lsb/init-functions |
1526 | - |
1527 | -N=/etc/init.d/sudo-ldap |
1528 | - |
1529 | -set -e |
1530 | - |
1531 | -case "$1" in |
1532 | - start) |
1533 | - # make sure privileges don't persist across reboots |
1534 | - # if the /run/sudo directory doesn't exist, let's create it with the |
1535 | - # correct permissions and SELinux label |
1536 | - if ! [ -d /run/systemd/system ] ; then |
1537 | - if [ -d /run/sudo ] |
1538 | - then |
1539 | - find /run/sudo -exec touch -d @0 '{}' \; |
1540 | - else |
1541 | - mkdir /run/sudo /run/sudo/ts |
1542 | - chown root:root /run/sudo /run/sudo/ts |
1543 | - chmod 0711 /run/sudo |
1544 | - chmod 0700 /run/sudo/ts |
1545 | - [ -x /sbin/restorecon ] && /sbin/restorecon /run/sudo /run/sudo/ts |
1546 | - fi |
1547 | - fi |
1548 | - ;; |
1549 | - stop|reload|restart|force-reload|status) |
1550 | - ;; |
1551 | - *) |
1552 | - echo "Usage: $N {start|stop|restart|force-reload|status}" >&2 |
1553 | - exit 1 |
1554 | - ;; |
1555 | -esac |
1556 | - |
1557 | -exit 0 |
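Review bot: deleting this init script removes the only boot-time step that invalidates timestamps on non-systemd boots. That step is the branch guarded by "if ! [ -d /run/systemd/system ]", which resets the mtimes under /run/sudo or recreates /run/sudo/ts with mode 0700. This is safe only if /run is always a fresh tmpfs at boot on every supported configuration. The changelog history above shows the decision has flipped before (the 1.7.2p7-1ubuntu1 entry reinstated the script when timestamps moved to /var/lib/sudo). Please confirm that the remaining-changes list in the new changelog entry names this deletion and the reason for it. The same applies to the identical debian/sudo.init removal below.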
1558 | diff --git a/debian/sudo-ldap.manpages b/debian/sudo-ldap.manpages |
1559 | new file mode 100644 |
1560 | index 0000000..72826b8 |
1561 | --- /dev/null |
1562 | +++ b/debian/sudo-ldap.manpages |
1563 | @@ -0,0 +1 @@ |
1564 | +debian/sudo_root.8 |
1565 | diff --git a/debian/sudo.init b/debian/sudo.init |
1566 | deleted file mode 100644 |
1567 | index 602d9bf..0000000 |
1568 | --- a/debian/sudo.init |
1569 | +++ /dev/null |
1570 | @@ -1,46 +0,0 @@ |
1571 | -#! /bin/sh |
1572 | - |
1573 | -### BEGIN INIT INFO |
1574 | -# Provides: sudo |
1575 | -# Required-Start: $local_fs $remote_fs |
1576 | -# Required-Stop: |
1577 | -# X-Start-Before: rmnologin |
1578 | -# Default-Start: 2 3 4 5 |
1579 | -# Default-Stop: |
1580 | -# Short-Description: Provide limited super user privileges to specific users |
1581 | -# Description: Provide limited super user privileges to specific users. |
1582 | -### END INIT INFO |
1583 | - |
1584 | -. /lib/lsb/init-functions |
1585 | - |
1586 | -N=/etc/init.d/sudo |
1587 | - |
1588 | -set -e |
1589 | - |
1590 | -case "$1" in |
1591 | - start) |
1592 | - # make sure privileges don't persist across reboots |
1593 | - # if the /run/sudo directory doesn't exist, let's create it with the |
1594 | - # correct permissions and SELinux label |
1595 | - if ! [ -d /run/systemd/system ] ; then |
1596 | - if [ -d /run/sudo ] |
1597 | - then |
1598 | - find /run/sudo -exec touch -d @0 '{}' \; |
1599 | - else |
1600 | - mkdir /run/sudo /run/sudo/ts |
1601 | - chown root:root /run/sudo /run/sudo/ts |
1602 | - chmod 0711 /run/sudo |
1603 | - chmod 0700 /run/sudo/ts |
1604 | - [ -x /sbin/restorecon ] && /sbin/restorecon /run/sudo /run/sudo/ts |
1605 | - fi |
1606 | - fi |
1607 | - ;; |
1608 | - stop|reload|restart|force-reload|status) |
1609 | - ;; |
1610 | - *) |
1611 | - echo "Usage: $N {start|stop|restart|force-reload|status}" >&2 |
1612 | - exit 1 |
1613 | - ;; |
1614 | -esac |
1615 | - |
1616 | -exit 0 |
1617 | diff --git a/debian/sudo.manpages b/debian/sudo.manpages |
1618 | new file mode 100644 |
1619 | index 0000000..72826b8 |
1620 | --- /dev/null |
1621 | +++ b/debian/sudo.manpages |
1622 | @@ -0,0 +1 @@ |
1623 | +debian/sudo_root.8 |
1624 | diff --git a/debian/sudo_root.8 b/debian/sudo_root.8 |
1625 | new file mode 100644 |
1626 | index 0000000..47532ed |
1627 | --- /dev/null |
1628 | +++ b/debian/sudo_root.8 |
1629 | @@ -0,0 +1,138 @@ |
1630 | +.TH sudo_root 8 "February 8, 2006" |
1631 | + |
1632 | +.SH NAME |
1633 | +sudo_root \- How to run administrative commands |
1634 | + |
1635 | +.SH SYNOPSIS |
1636 | + |
1637 | +.B sudo |
1638 | +.I command |
1639 | + |
1640 | +.B sudo \-i |
1641 | + |
1642 | +.SH INTRODUCTION |
1643 | + |
1644 | +By default, the password for the user "root" (the system |
1645 | +administrator) is locked. This means you cannot login as root or use |
1646 | +su. Instead, the installer will set up sudo to allow the user that is |
1647 | +created during install to run all administrative commands. |
1648 | + |
1649 | +This means that in the terminal you can use sudo for commands that |
1650 | +require root privileges. All programs in the menu will use a graphical |
1651 | +sudo to prompt for a password. When sudo asks for a password, it needs |
1652 | +.B your password, |
1653 | +this means that a root password is not needed. |
1654 | + |
1655 | +To run a command which requires root privileges in a terminal, simply |
1656 | +prepend |
1657 | +.B sudo |
1658 | +in front of it. To get an interactive root shell, use |
1659 | +.B sudo \-i\fR. |
1660 | + |
1661 | +.SH ALLOWING OTHER USERS TO RUN SUDO |
1662 | + |
1663 | +By default, only the user who installed the system is permitted to run |
1664 | +sudo. To add more administrators, i. e. users who can run sudo, you |
1665 | +have to add these users to the group 'sudo' by doing one of the |
1666 | +following steps: |
1667 | + |
1668 | +.IP * 2 |
1669 | +In a shell, do |
1670 | + |
1671 | +.RS 4 |
1672 | +.B sudo adduser |
1673 | +.I username |
1674 | +.B sudo |
1675 | +.RE |
1676 | + |
1677 | +.IP * 2 |
1678 | +Use the graphical "Users & Groups" program in the "System settings" |
1679 | +menu to add the new user to the |
1680 | +.B sudo |
1681 | +group. |
1682 | + |
1683 | +.SH BENEFITS OF USING SUDO |
1684 | + |
1685 | +The benefits of leaving root disabled by default include the following: |
1686 | + |
1687 | +.IP * 2 |
1688 | +Users do not have to remember an extra password, which they are likely to forget. |
1689 | +.IP * 2 |
1690 | +The installer is able to ask fewer questions. |
1691 | +.IP * 2 |
1692 | +It avoids the "I can do anything" interactive login by default \- you |
1693 | +will be prompted for a password before major changes can happen, which |
1694 | +should make you think about the consequences of what you are doing. |
1695 | +.IP * 2 |
1696 | +Sudo adds a log entry of the command(s) run (in \fB/var/log/auth.log\fR). |
1697 | +.IP * 2 |
1698 | +Every attacker trying to brute\-force their way into your box will |
1699 | +know it has an account named root and will try that first. What they |
1700 | +do not know is what the usernames of your other users are. |
1701 | +.IP * 2 |
1702 | +Allows easy transfer for admin rights, in a short term or long term |
1703 | +period, by adding and removing users from the sudo group, while not |
1704 | +compromising the root account. |
1705 | +.IP * 2 |
1706 | +sudo can be set up with a much more fine\-grained security policy. |
1707 | +.IP * 2 |
1708 | +On systems with more than one administrator using sudo avoids sharing |
1709 | +a password amongst them. |
1710 | + |
1711 | +.SH DOWNSIDES OF USING SUDO |
1712 | + |
1713 | +Although for desktops the benefits of using sudo are great, there are |
1714 | +possible issues which need to be noted: |
1715 | + |
1716 | +.IP * 2 |
1717 | +Redirecting the output of commands run with sudo can be confusing at |
1718 | +first. For instance consider |
1719 | + |
1720 | +.RS 4 |
1721 | +.B sudo ls > /root/somefile |
1722 | +.RE |
1723 | + |
1724 | +.RS 2 |
1725 | +will not work since it is the shell that tries to write to that file. You can use |
1726 | +.RE |
1727 | + |
1728 | +.RS 4 |
1729 | +.B ls | sudo tee /root/somefile |
1730 | +.RE |
1731 | + |
1732 | +.RS 2 |
1733 | +to get the behaviour you want. |
1734 | +.RE |
1735 | + |
1736 | +.IP * 2 |
1737 | +In a lot of office environments the ONLY local user on a system is |
1738 | +root. All other users are imported using NSS techniques such as |
1739 | +nss\-ldap. To setup a workstation, or fix it, in the case of a network |
1740 | +failure where nss\-ldap is broken, root is required. This tends to |
1741 | +leave the system unusable. An extra local user, or an enabled root |
1742 | +password is needed here. |
1743 | + |
1744 | +.SH GOING BACK TO A TRADITIONAL ROOT ACCOUNT |
1745 | + |
1746 | +.B This is not recommended! |
1747 | + |
1748 | +To enable the root account (i.e. set a password) use: |
1749 | + |
1750 | +.RS 4 |
1751 | +.B sudo passwd root |
1752 | +.RE |
1753 | + |
1754 | +Afterwards, edit the sudo configuration with |
1755 | +.B sudo visudo |
1756 | +and comment out the line |
1757 | + |
1758 | +.RS 4 |
1759 | +%sudo ALL=(ALL) ALL |
1760 | +.RE |
1761 | + |
1762 | +to disable sudo access to members of the sudo group. |
1763 | + |
1764 | +.SH SEE ALSO |
1765 | +.BR sudo (8), |
1766 | +.B https://wiki.ubuntu.com/RootSudo |
1767 | + |
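Review bot: the "GOING BACK TO A TRADITIONAL ROOT ACCOUNT" section tells the reader to comment out "%sudo ALL=(ALL) ALL", but the sudoers file in this merge ships "%sudo ALL=(ALL:ALL) ALL" and also adds "%admin ALL=(ALL) ALL". A reader following the page will not find the quoted line, and commenting out only the %sudo rule leaves the %admin rule granting root. Please update the quoted line to match the shipped file and mention the admin rule. The .TH date "February 8, 2006" could also be refreshed while the file is being touched.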
1768 | diff --git a/debian/tests/control b/debian/tests/control |
1769 | index abea94c..75e51a0 100644 |
1770 | --- a/debian/tests/control |
1771 | +++ b/debian/tests/control |
1772 | @@ -6,11 +6,15 @@ Tests: 02-1003969-audit-no-resolve |
1773 | Depends: sudo |
1774 | Restrictions: needs-root |
1775 | |
1776 | -Tests: 03-getroot-ldap |
1777 | -Depends: sudo-ldap, adduser, slapd, ldap-utils, cron |
1778 | -Restrictions: needs-root |
1779 | +# We cannot add 'sudo-ldap' as a Depends: as there is a removal conflict with |
1780 | +# 'sudo' in Ubuntu and we need to pass the SUDO_FORCE_REMOVE env var to avoid |
1781 | +# this. Removing sudo conflicts with autopkgtest-virt-ssh, so we skip this test |
1782 | +# (except for armhf/LXD containers). Needs more investigation... |
1783 | +Test-Command: systemd-detect-virt -q --container || exit 77; env SUDO_FORCE_REMOVE=yes apt-get -y install sudo-ldap && debian/tests/03-getroot-ldap |
1784 | +Depends: adduser, slapd, ldap-utils, cron |
1785 | +Restrictions: needs-root, skippable |
1786 | +Features: test-name=03-getroot-ldap |
1787 | |
1788 | Tests: 04-getroot-sssd |
1789 | Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron |
1790 | Restrictions: needs-root |
1791 | - |
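Review bot: the new Test-Command replaces sudo with sudo-ldap through apt-get inside the test itself, yet Restrictions lists only "needs-root, skippable". The next stanza, 04-getroot-sssd, declares "Depends: sudo", so it relies on the testbed being reset between tests. Consider adding breaks-testbed so the runner knows this test alters installed packages. The "Needs more investigation..." comment should also carry a bug reference so the skip on non-container testbeds does not become permanent unnoticed.
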
Tests are working and the code change looks good. I have one minor request: Could you separate the changelog section:
```
- Drop patch for issue fixed upstream
  + debian/patches/CVE-2023-27320.patch
```
Into a top level bullet point titled `Dropped changes, now included in Debian:` similar to how I did it when uploading version 1.9.5p2-3ubuntu1? I think having that as a separate top-level bullet point in the changelog entry makes it more clear that it's a dropped patch and not a "Remaining change"