author | taca <taca@pkgsrc.org> | 2016-09-12 17:12:24 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2016-09-12 17:12:24 +0000 |
commit | 6fba91cc45b2cbbfa1a72499019b8e92992f4e92 (patch) | |
tree | 86db5683ea4974ab42cffacb3ba84cbf3a909f18 /security/sudo | |
parent | 061f0d17d626db301a399437b0a431886ccad8a7 (diff) | |
download | pkgsrc-6fba91cc45b2cbbfa1a72499019b8e92992f4e92.tar.gz |
Update sudo to 1.8.17p1.
What's new in Sudo 1.8.17p1
* Fixed a bug introduced in 1.8.17 where the user's groups were
not set on systems that don't use PAM. Bug #749.
What's new in Sudo 1.8.17
* On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH
but pam_start(3) fails, fall back to AIX authentication.
Bug #740.
* Sudo now takes all sudoers sources into account when determining
whether or not "sudo -l" or "sudo -b" should prompt for a password.
In other words, if both file and ldap sudoers sources are
specified in /etc/nsswitch.conf, "sudo -v" will now require that
all entries in both sources have NOPASSWD (file) or !authenticate
(ldap) in the entries.
* Sudo now ignores SIGPIPE until the command is executed. Previously,
SIGPIPE was only ignored in a few select places. Bug #739.
* Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log
file entries were missing the newline when loglinelen is set to
a non-positive number. Bug #742.
* Unix groups are now set before the plugin session initialization
code is run. This makes it possible to use dynamic groups with
the Linux-PAM pam_group module.
* Fixed a bug where a debugging statement could dereference a NULL
pointer when looking up a group that doesn't exist. Bug #743.
* Sudo has been run through the Coverity code scanner. A number of
minor bugs have been fixed as a result. None were security issues.
* SELinux support, which was broken in 1.8.16, has been repaired.
* Fixed a bug when logging I/O where all output buffers might not
get flushed at exit.
* Forward slashes are no longer escaped in the JSON output of
"visudo -x". This was never required by the standard and not
escaping them improves readability of the output.
* Sudo no longer treats PAM_SESSION_ERR as a fatal error when
opening the PAM session. Other errors from pam_open_session()
are still treated as fatal. This avoids the "policy plugin
failed session initialization" error message seen on some systems.
* Korean translation for sudo and sudoers from translationproject.org.
* Fixed a bug on AIX where the stack size hard resource limit was
being set to 2GB instead of 4GB on 64-bit systems.
* The SSSD backend now properly supports "sudo -U otheruser -l".
* The SSSD backend now uses the value of "ipa_hostname"
from sssd.conf, if specified, when matching the host name.
* Fixed a hang on some systems when the command is being run in
a pty and it failed to execute.
* When performing a wildcard match in sudoers, check for an exact
string match if the user command was fully-qualified (or resolved
via the PATH). This fixes an issue executing scripts on Linux
when there are multiple wildcard matches with the same base name.
Bug #746.
What's new in Sudo 1.8.16
* Fixed a compilation error on Solaris 10 with Sun Studio 12.
Bug #727.
* When preserving variables from the invoking user's environment, if
there are duplicates sudo now only keeps the first instance.
* Fixed a bug that could cause warning mail to be sent in list
mode (sudo -l) for users without sudo privileges when the
LDAP and sssd backends are used.
* Fixed a bug that prevented the "mail_no_user" option from working
properly with the LDAP backend.
* In the LDAP and sssd backends, white space is now ignored between
an operator (!, +, +=, -=) when parsing a sudoOption.
* It is now possible to disable Path settings in sudo.conf
by omitting the path name.
* The sudoedit_checkdir Defaults option is now enabled by default
and has been extended. When editing files with sudoedit, each
directory in the path to be edited is now checked. If a directory
is writable by the invoking user, symbolic links will not be
followed. If the parent directory of the file to be edited is
writable, sudoedit will refuse to edit it.
Bug #707.
* The netgroup_tuple Defaults option has been added to enable matching
of the entire netgroup tuple, not just the host or user portion.
Bug #717.
* When matching commands based on the SHA2 digest, sudo will now
use fexecve(2) to execute the command if it is available. This
fixes a time of check versus time of use race condition when the
directory holding the command is writable by the invoking user.
* On AIX systems, sudo now caches the auth registry string along
with password and group information. This fixes a potential
problem when a user or group of the same name exists in multiple
auth registries. For example, local and LDAP.
* Fixed a crash in the SSSD backend when the invoking user is not
found. Bug #732.
* Added the --enable-asan configure flag to enable address sanitizer
support. A few minor memory leaks have been plugged to quiet
the ASAN leak detector.
* The value of _PATH_SUDO_CONF may once again be overridden via
the Makefile. Bug #735.
* The sudoers2ldif script now handles multiple roles with same name.
* Fixed a compilation error on systems that have the posix_spawn()
and posix_spawnp() functions but an unusable spawn.h header.
Bug #730.
* Fixed support for negating character classes in sudo's version
of the fnmatch() function.
* Fixed a bug in the LDAP and SSSD backends that could allow an
unauthorized user to list another user's privileges. Bug #738.
* The PAM conversation function now works around an ambiguity in the
PAM spec with respect to multiple messages. Bug #726.
Diffstat (limited to 'security/sudo')
-rw-r--r-- | security/sudo/Makefile | 5 | ||||
-rw-r--r-- | security/sudo/distinfo | 14 | ||||
-rw-r--r-- | security/sudo/patches/patch-af | 18 | ||||
-rw-r--r-- | security/sudo/patches/patch-ag | 26 |
4 files changed, 31 insertions, 32 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile index c5723fb1ab6..835ea6969f9 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.151 2016/03/05 11:29:27 jperkin Exp $ +# $NetBSD: Makefile,v 1.152 2016/09/12 17:12:24 taca Exp $ -DISTNAME= sudo-1.8.15 -PKGREVISION= 1 +DISTNAME= sudo-1.8.17p1 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/dist/ \ ftp://ftp.sudo.ws/pub/sudo/ \ diff --git a/security/sudo/distinfo b/security/sudo/distinfo index 3aae910d112..33125ef6439 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,12 +1,12 @@ -$NetBSD: distinfo,v 1.86 2016/01/09 11:22:12 adam Exp $ +$NetBSD: distinfo,v 1.87 2016/09/12 17:12:24 taca Exp $ -SHA1 (sudo-1.8.15.tar.gz) = acb5ff3f38fa9e0365f6a91a6620b9846e2ad843 -RMD160 (sudo-1.8.15.tar.gz) = 676ee3249c2ddacd64de54d6555b820912b56f6f -SHA512 (sudo-1.8.15.tar.gz) = f2bff92104ddc4cbea8c788da446043cbfe02c977cedf18d46b1c82e98d7227432cb5a61233e7a06af84e3637f906edd5e02bb88c03a2ce4a16df410469a5dab -Size (sudo-1.8.15.tar.gz) = 2660128 bytes +SHA1 (sudo-1.8.17p1.tar.gz) = e9bb729513cd15e99def42019c35917bc9a73536 +RMD160 (sudo-1.8.17p1.tar.gz) = c3af867a6047c21614c4550534fa2566d6540913 +SHA512 (sudo-1.8.17p1.tar.gz) = e9facd2d5578d4effb516931322b5f4f9578baa779cba281d36a3d0995b1fd9d085d6b141544b3dc698569fa294163bbad9f779166a05a0f18f4ad81a630b954 +Size (sudo-1.8.17p1.tar.gz) = 2786618 bytes SHA1 (patch-aa) = 63c89e6d4e530ab92b7452f4025fbbf2a45dad65 -SHA1 (patch-af) = 9ef912344d9cd4c3811a4d705d3424cd88621710 -SHA1 (patch-ag) = c62f063ffc9e8fb3fce7c94a8cba531ecb8b76ff +SHA1 (patch-af) = 19c7cb41432404050c2452c3c53f2e4f588b3ab1 +SHA1 (patch-ag) = cb03a0a7daf4b5ef203f23726ad3a335b712a718 SHA1 (patch-plugins_sudoers_Makefile.in) = d8612ac7bf2f5a892d9720c4df91810ca807f4ed SHA1 (patch-plugins_sudoers_logging.c) = a42e54af2b6057804aecb3b6a48c565e8ac4df82 SHA1 (patch-src_Makefile.in) = 43f7266d3d106fca69003ee040342c3b201fd262 
diff --git a/security/sudo/patches/patch-af b/security/sudo/patches/patch-af index 84644ceb55f..b3652283925 100644 --- a/security/sudo/patches/patch-af +++ b/security/sudo/patches/patch-af @@ -1,4 +1,4 @@ -$NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $ +$NetBSD: patch-af,v 1.33 2016/09/12 17:12:24 taca Exp $ * Add "--with-nbsdops" option, NetBSD standard options. * Link with util(3) in the case of DragonFly, too. @@ -7,9 +7,9 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $ functions (HAVE_KRB5_*). * Remove setting sysconfdir to "/etc". ---- configure.ac.orig 2015-10-31 23:35:24.000000000 +0000 +--- configure.ac.orig 2016-06-22 16:36:23.000000000 +0000 +++ configure.ac -@@ -434,6 +434,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi +@@ -439,6 +439,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi ;; esac]) @@ -30,7 +30,7 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $ AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])], [case $with_passwd in yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication) -@@ -1938,7 +1952,7 @@ case "$host" in +@@ -1951,7 +1965,7 @@ case "$host" in : ${mansectsu='1m'} : ${mansectform='4'} ;; @@ -39,7 +39,7 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $ shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; -@@ -2286,7 +2300,7 @@ SUDO_MAILDIR +@@ -2299,7 +2313,7 @@ SUDO_MAILDIR if test ${with_logincap-'no'} != "no"; then AC_CHECK_HEADERS([login_cap.h], [LOGINCAP_USAGE='[[-c class]] '; LCMAN=1 case "$OS" in @@ -48,7 +48,7 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $ SUDO_LIBS="${SUDO_LIBS} -lutil" SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" ;; -@@ -3374,6 +3388,8 @@ if test ${with_kerb5-'no'} != "no"; then +@@ -3381,6 +3395,8 @@ if test ${with_kerb5-'no'} != "no"; then ]) AUTH_OBJS="$AUTH_OBJS kerb5.lo" fi 
@@ -57,12 +57,12 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $ _LIBS="$LIBS" LIBS="${LIBS} ${SUDOERS_LIBS}" AC_CHECK_FUNCS([krb5_verify_user krb5_init_secure_context]) -@@ -4167,7 +4183,7 @@ test "$datarootdir" = '${prefix}/share' +@@ -4220,7 +4236,7 @@ test "$datarootdir" = '${prefix}/share' test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)' test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' --test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' -+dnl test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' +-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' ++dnl test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' dnl dnl Substitute into the Makefile and man pages diff --git a/security/sudo/patches/patch-ag b/security/sudo/patches/patch-ag index 6491ce7fb55..7cbdebdc964 100644 --- a/security/sudo/patches/patch-ag +++ b/security/sudo/patches/patch-ag @@ -1,4 +1,4 @@ -$NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ +$NetBSD: patch-ag,v 1.24 2016/09/12 17:12:24 taca Exp $ * Add "--with-nbsdops" option, NetBSD standard options. * Link with util(3) in the case of DragonFly, too. @@ -7,9 +7,9 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ functions (HAVE_KRB5_*). * Remove setting sysconfdir to "/etc". ---- configure.orig 2015-10-31 23:35:24.000000000 +0000 +--- configure.orig 2016-06-22 16:36:22.000000000 +0000 +++ configure -@@ -1561,7 +1561,7 @@ Fine tuning of the installation director +@@ -1562,7 +1562,7 @@ Fine tuning of the installation director --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] 
@@ -18,15 +18,15 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] -@@ -1658,6 +1658,7 @@ Optional Packages: +@@ -1661,6 +1661,7 @@ Optional Packages: --with-libraries additional libraries to link with --with-efence link with -lefence for malloc() debugging --with-csops add CSOps standard options + --with-nbsdops add NetBSD standard options --without-passwd don't use passwd/shadow file for authentication - --with-skey=DIR enable S/Key support - --with-opie=DIR enable OPIE support -@@ -4482,6 +4483,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn + --with-skey[=DIR] enable S/Key support + --with-opie[=DIR] enable OPIE support +@@ -4499,6 +4500,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn esac fi @@ -49,7 +49,7 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ # Check whether --with-passwd was given. -@@ -15163,7 +15180,7 @@ fi +@@ -15209,7 +15226,7 @@ fi : ${mansectsu='1m'} : ${mansectform='4'} ;; @@ -58,7 +58,7 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" ;; -@@ -17182,7 +17199,7 @@ if test "x$ac_cv_header_login_cap_h" = x +@@ -17228,7 +17245,7 @@ if test "x$ac_cv_header_login_cap_h" = x _ACEOF LOGINCAP_USAGE='[-c class] '; LCMAN=1 case "$OS" in @@ -67,7 +67,7 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ SUDO_LIBS="${SUDO_LIBS} -lutil" SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" ;; -@@ -21870,6 +21887,8 @@ fi +@@ -21839,6 +21856,8 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext AUTH_OBJS="$AUTH_OBJS kerb5.lo" fi 
@@ -76,12 +76,12 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $ _LIBS="$LIBS" LIBS="${LIBS} ${SUDOERS_LIBS}" for ac_func in krb5_verify_user krb5_init_secure_context -@@ -24184,7 +24203,7 @@ test "$datarootdir" = '${prefix}/share' +@@ -24341,7 +24360,7 @@ test "$datarootdir" = '${prefix}/share' test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)' test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' --test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' -+# test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' +-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' ++# test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' if test X"$INIT_SCRIPT" != X""; then ac_config_files="$ac_config_files init.d/$INIT_SCRIPT" |
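Review bot: In security/sudo/Makefile, the MASTER_SITES context lines directly under the new DISTNAME still point at http://www.sudo.ws/dist/ and ftp://ftp.sudo.ws/pub/sudo/, so the sudo-1.8.17p1 tarball is fetched over unauthenticated transports and the distinfo digests are the only integrity check on a setuid-root package. While DISTNAME is being changed, consider listing an HTTPS master site first if upstream offers one, and keep the plain HTTP and FTP entries only as fallbacks. Dropping PKGREVISION together with the version bump is correct.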
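Review bot: In security/sudo/distinfo, the refreshed entries keep the legacy names patch-af and patch-ag, while the neighbouring entries (patch-plugins_sudoers_Makefile.in, patch-plugins_sudoers_logging.c, patch-src_Makefile.in) are named after the file they modify. Since both patches are regenerated in this commit anyway, renaming them to match their targets (configure.ac and configure) would let a reader of distinfo see which files are locally modified without opening each patch.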
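Review bot: In the final hunks of patch-af and patch-ag, the sysconfdir override is disabled by commenting the line out (dnl in configure.ac, # in configure) rather than deleting it, even though the patch header says "Remove setting sysconfdir to "/etc"". The two patches also share one header comment although patch-ag only mirrors patch-af in the generated configure, and the pair had to be hand-edited in step here when the upstream test dropped its with_stow condition. Please state in the patch-ag header that it is the generated-file counterpart of patch-af and must be refreshed together with it, and either delete the line or reword the header to say it is commented out.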