sudo (1.8.3p1-1ubuntu3.10) precise-security; urgency=medium
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
- debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
plugin in plugins/sudoers/sudoers.c.
- debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
when unescaping backslashes in plugins/sudoers/sudoers.c.
- debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
allocated as a single flat buffer in src/parse_args.c.
- CVE-2021-3156
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 27 Jan 2021 08:49:33 -0300
-
sudo (1.8.3p1-1ubuntu3.7) precise-security; urgency=medium
* SECURITY UPDATE: arbitrary file access via TZ
- debian/patches/CVE-2014-9680.patch: sanity check TZ env variable in
configure, configure.in, doc/sudoers.cat, doc/sudoers.man.in,
pathnames.h.in, plugins/sudoers/env.c.
- CVE-2014-9680
-- Marc Deslauriers <email address hidden> Thu, 12 Mar 2015 11:32:42 -0400
-
sudo (1.8.3p1-1ubuntu3.6) precise-security; urgency=medium
* SECURITY UPDATE: security policy bypass when env_reset is disabled
- debian/patches/CVE-2014-0106.patch: fix logic inversion in
plugins/sudoers/env.c.
- CVE-2014-0106
* debian/sudo.sudo.init, debian/sudo-ldap.sudo.init: Set timestamps to
epoch in init scripts so they are properly invalidated. (LP: #1223297)
-- Marc Deslauriers <email address hidden> Tue, 11 Mar 2014 07:56:53 -0400
-
sudo (1.8.3p1-1ubuntu3.4) precise-security; urgency=low
* SECURITY UPDATE: authentication bypass via clock set to epoch
- debian/patches/CVE-2013-1775.patch: ignore time stamp file if it is
set to epoch in plugins/sudoers/check.c.
- CVE-2013-1775
-- Marc Deslauriers <email address hidden> Wed, 27 Feb 2013 13:34:15 -0500
-
sudo (1.8.3p1-1ubuntu3.3) precise-proposed; urgency=low
* debian/patches/pam_env_merge.patch: Merge the PAM environment into the
user environment (LP: #982684)
* debian/sudo.pam: Use pam_env to read /etc/environment and
/etc/default/locale environment files. Reading ~/.pam_environment is not
permitted due to security reasons.
-- Tyler Hicks <email address hidden> Mon, 21 May 2012 00:48:10 -0500
-
sudo (1.8.3p1-1ubuntu3.2) precise-security; urgency=low
* SECURITY UPDATE: Properly handle multiple netmasks in sudoers Host and
Host_List values
- debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
addresses. Based on upstream patch.
- CVE-2012-2337
-- Tyler Hicks <email address hidden> Tue, 15 May 2012 23:28:04 -0500
-
sudo (1.8.3p1-1ubuntu3.1) precise-proposed; urgency=low
* Fix Abort in some PAM modules when timestamp is valid. (LP: #927828)
-- TJ (Ubuntu Contributions) <email address hidden> Mon, 30 Apr 2012 18:05:21 +0100
-
sudo (1.8.3p1-1ubuntu3) precise; urgency=low
* SECURITY UPDATE: permissions bypass via format string
- debian/patches/CVE-2012-0809.patch: fix format string vulnerability
in src/sudo.c.
- CVE-2012-0809
-- Marc Deslauriers <email address hidden> Tue, 31 Jan 2012 10:25:52 -0500
-
sudo (1.8.3p1-1ubuntu2) precise; urgency=low
* debian/sudo.preinst:
- updated to avoid conffile prompt by migrating to the new sudoers file
changes in Precise. (LP: #894410)
-- Marc Deslauriers <email address hidden> Thu, 24 Nov 2011 10:48:58 -0500
-
sudo (1.8.3p1-1ubuntu1) precise; urgency=low
* Merge from debian/testing, remaining changes:
- debian/patches/keep_home_by_default.patch:
+ Set HOME in initial_keepenv_table. (rebased for 1.8.3p1)
- debian/patches/enable_badpass.patch: turn on "mail_badpass" by default:
+ attempting sudo without knowing a login password is as bad as not
being listed in the sudoers file, especially if getting the password
wrong means doing the access-check-email-notification never happens
(rebased for 1.8.3p1)
- debian/rules:
+ compile with --without-lecture --with-tty-tickets (Ubuntu specific)
+ install man/man8/sudo_root.8 (Ubuntu specific)
+ install apport hooks
+ The ubuntu-sudo-as-admin-successful.patch was taken upstream by
Debian; however, it requires a --enable-admin-flag configure flag to
actually enable it.
- debian/sudoers:
+ grant admin group sudo access
- debian/sudo-ldap.dirs, debian/sudo.dirs:
+ add usr/share/apport/package-hooks
- debian/sudo.preinst:
+ avoid conffile prompt by checking for known default /etc/sudoers
and if found installing the correct default /etc/sudoers file
sudo (1.8.3p1-1) unstable; urgency=low
* new upstream version, closes: #646478
sudo (1.8.3-1) unstable; urgency=low
* new upstream version, closes: #639391, #639568
sudo (1.8.2-2) unstable; urgency=low
[ Luca Capello ]
* debian/rules improvements, closes: #642535
+ mv upstream sample.* files to the examples folder.
- do not call dh_installexamples.
[ Bdale Garbee ]
* patch from upstream for SIGBUS on sparc64, closes: #640304
* use common-session-noninteractive in the pam config to reduce log noise
when sudo is used in cron, etc, closes: #519700
* patch from Steven McDonald to fix segfault on startup under certain
conditions, closes: #639568
* add a NEWS entry regarding the secure_path change made in 1.8.2-1,
closes: #639336
sudo (1.8.2-1) unstable; urgency=low
* new upstream version, closes: #637449, #621830
* include common-session in pam config, closes: #519700, #607199
* move secure_path from configure to default sudoers, closes: #85123, 85917
* improve sudoers self-documentation, closes: #613639
* drop --disable-setresuid since modern systems should not run 2.2 kernels
* lose the --with-devel configure option since it's breaking builds in
subdirectories for some reason
-- Marc Deslauriers <email address hidden> Sun, 20 Nov 2011 12:07:45 -0500
-
sudo (1.7.4p6-1ubuntu2) oneiric; urgency=low
* debian/patches/enable_badpass.patch: turn on "mail_badpass" by default:
- attempting sudo without knowing a login password is as bad as not
being listed in the sudoers file, especially if getting the password
wrong means doing the access-check-email-notification never happens
(Closes: 641218).
-- Kees Cook <email address hidden> Sun, 11 Sep 2011 10:29:08 -0700