Change logs for sudo source package in Maverick

  • sudo (1.7.2p7-1ubuntu2.1) maverick-security; urgency=low
    
      * SECURITY UPDATE: privilege escalation via -g when using group Runas_List
        - debian/patches/user_in_group.patch: add user_in_group(), backported from
          upstream
        - debian/patches/CVE-2011-0010.patch: prompt for password when the user is
          running sudo as himself but as a different group
        - CVE-2011-0010
     -- Jamie Strandboge <email address hidden>   Wed, 19 Jan 2011 10:30:27 -0600
  • sudo (1.7.2p7-1ubuntu2) maverick; urgency=low
    
      * SECURITY UPDATE: privilege escalation via '-g' option when using
        'user:group' in Runas_Spec
        - debian/patches/CVE-2010-2956.patch: update match.c to verify both user
          and group match sudoers when using '-g'
        - CVE-2010-2956
     -- Jamie Strandboge <email address hidden>   Tue, 31 Aug 2010 14:54:06 -0500
  • sudo (1.7.2p7-1ubuntu1) maverick; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
       - debian/rules:
         - compile with --without-lecture --with-tty-tickets (Ubuntu specific)
         - install man/man8/sudo_root.8 (Ubuntu specific)
         - install apport hooks
       - debian/sudo-ldap.dirs, debian/sudo.dirs: add
         usr/share/apport/package-hooks
       - debian/patches/ubuntu-sudo-as-admin-successful.patch: adjust sudo.c so
         that if the user successfully authenticated and he is in the 'admin'
         group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
         profile checks for this and displays a short intro about sudo if the flag
         is not present
      * Dropped the following, now included upstream:
        - fix for CVE-2010-1163
        - fix for CVE-2010-0426
        - debian/sudo.postinst, debian/sudo-ldap.postinst: update description to
          match behavior in sudoers file
        - don't install init script. Debian moved to /var/lib/sudo from
          /var/run/sudo, so Ubuntu's tmpfs usage won't clean those out
          automatically any more, so we now need the initscript.
    
    sudo (1.7.2p7-1) unstable; urgency=high
    
      * new upstream release with security fix for secure path (CVE-2010-1646),
        closes: #585394
      * move timestamps from /var/run/sudo to /var/lib/sudo, so that the state
        about whether to give the lecture is preserved across reboots even when
        RAMRUN is set, closes: #581393
      * add a note to README.Debian about LDAP needing an entry in
        /etc/nsswitch.conf, closes: #522065
      * add a note to README.Debian about how to turn off lectures if using
        RAMRUN in /etc/default/rcS, closes: #581393
    
    sudo (1.7.2p6-1) unstable; urgency=low
    
      * new upstream version fixing CVE-2010-1163, closes: #578275, #570737
    
    sudo (1.7.2p5-1) unstable; urgency=low
    
      * new upstream release, closes a bug filed upstream regarding missing man
        page processing scripts in the 1.7.2p1 tarball, also includes the fix
        for CVE-2010-0426 previously the subject of a security team nmu
      * move to source format 3.0 (quilt) and restructure changes as patches
      * fix unprocessed substitution variables in man pages, closes: #557204
      * apply patch from Neil Moore to fix Debian-specific content in the
        visudo man page, closes: #555013
      * update descriptions to better explain sudo-ldap, closes: #573108
      * eliminate spurious 'and' in man page, closes: #571620
      * fix confusing text in default sudoers, closes: #566607
     -- Jamie Strandboge <email address hidden>   Tue, 06 Jul 2010 11:43:05 -0500
  • sudo (1.7.2p1-1ubuntu5) lucid; urgency=low
    
      * SECURITY UPDATE: properly verify path in find_path.c for the 'sudoedit'
        pseudo-command when running from the current working directory and
        secure_path is disabled
        - CVE-2010-XXXX
     -- Jamie Strandboge <email address hidden>   Wed, 07 Apr 2010 15:35:36 -0500