Bug 251930 - security/sudo: Update to 1.9.4p2
Summary: security/sudo: Update to 1.9.4p2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Renato Botelho
URL: https://www.sudo.ws/stable.html#1.9.4p2
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-18 02:24 UTC by Yasuhiro Kimura
Modified: 2020-12-21 12:44 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (garga)

Attachments
Patch file (2.59 KB, patch)
2020-12-18 02:24 UTC, Yasuhiro Kimura 		no flags Details | Diff
Updated patch file (2.59 KB, patch)
2020-12-20 21:02 UTC, Yasuhiro Kimura 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura freebsd_committer freebsd_triage 2020-12-18 02:24:53 UTC 
Created attachment 220682 [details]
Patch file

Update to 1.9.4p1.

Change Log: https://www.sudo.ws/stable.html#1.9.4p1
Comment 1 Cy Schubert freebsd_committer freebsd_triage 2020-12-18 04:02:50 UTC 
Subject: [sudo-announce] sudo 1.9.4p1 released
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 17 Dec 2020 16:10:46 -0700 (15:10 PST)
To: sudo-announce@sudo.ws

	(multipart/mixed)
1.		(multipart/signed)
GnuPG signed message - the signature hasn't been checked
 Check the signature with GnuPG 

	(text/plain)
Sudo version 1.9.4p1 is now available which fixes a few bugs
introduced in sudo 1.9.4 (and earlier releases).

Source:
    https://www.sudo.ws/dist/sudo-1.9.4p1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.4p1.tar.gz

SHA256 checksum:
    1172099dfcdd2fa497e13a3c274a9f5920abd36ae7d2f7aaacd6bc6bc92fd677
MD5 checksum:
    f332f458ba1d2aa479588bd6a9f8abdd

Binary packages:
    https://www.sudo.ws/download.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.4p1 and 1.9.4

 * Sudo on macOS now supports users with more than 16 groups without
   needing to set "group_source" to "dynamic" in sudo.conf.
   Previously, only the first 15 were used when matching group-based
   rules in sudoers.  Bug #946.

 * Fixed a regression introduced in version 1.9.4 where sudo would
   not build when configured using the --without-sendmail option.
   Bug #947.

 * Fixed a problem where if I/O logging was disabled and sudo was
   unable to connect to sudo_logsrvd, the command would still be
   allowed to run even when the "ignore_logfile_errors" sudoers
   option was enabled.

 * Fixed a crash introduced in version 1.9.4 when attempting to run
   a command as a non-existent user.  Bug #948.

 * The installed sudo.conf file now has the default sudoers Plugin
   lines commented out.  This fixes a potential conflict when there
   is both a system-installed version of sudo and a user-installed
   version.  GitHub issue #75.

 * Fixed a regression introduced in sudo 1.9.4 where sudo would run
   the command as a child process even when a pseudo-terminal was
   not in use and the "pam_session" and "pam_setcred" options were
   disabled.  GitHub issue #76.

 * Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
   sudoers option could not be set to a value of 3.  Bug #950.

Major changes between sudo 1.9.4 and 1.9.3p1

 * The sudoers parser will now detect when an upper-case reserved
   word is used when declaring an alias.  Now instead of "syntax
   error, unexpected CHROOT, expecting ALIAS" the message will be
   "syntax error, reserved word CHROOT used as an alias name".
   Bug #941.

 * Better handling of sudoers files without a final newline.
   The parser now adds a newline at end-of-file automatically which
   removes the need for special cases in the parser.

 * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end
   where an uninitialized pointer could be freed on an error path.
   GitHub issue #67.

 * The core logging code is now shared between sudo_logsrvd and
   the sudoers plugin.

 * JSON log entries sent to syslog now use "minimal" JSON which
   skips all non-essential whitespace.

 * The sudoers plugin can now produce JSON-formatted logs.  The
   "log_format" sudoers option can be used to select sudo or json
   format logs.  The default is sudo format logs.

 * The sudoers plugin and visudo now display the column number in
   syntax error messages in addition to the line number.  Bug #841.

 * If I/O logging is not enabled but "log_servers" is set, the
   sudoers plugin will now log accept events to sudo_logsrvd.
   Previously, the accept event was only sent when I/O logging was
   enabled.  The sudoers plugin now sends reject and alert events too.

 * The sudo logsrv protocol has been extended to allow an AlertMessage
   to contain an optional array of InfoMessage, as AcceptMessage
   and RejectMessage already do.

 * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result
   in duplicate entries in the debug log when debugging was enabled.

 * The visudo utility now supports EDITOR environment variables
   that use single or double quotes in the command arguments.
   Bug #942.

 * The PAM session modules now run when sudo is set-user-ID root,
   which allows a module to determine the original user-ID.
   Bug #944.

 * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end
   where sudoNotBefore and sudoNotAfter were applied even when the
   SUDOERS_TIMED setting was not present in ldap.conf.  Bug #945.

 * Sudo packages for macOS 11 now contain universal binaries that
   support both Intel and Apple Silicon CPUs.

 * For sudo_logsrvd, an empty value for the "pid_file" setting in
   sudo_logsrvd.conf will now disable the process ID file.

2.		(text/plain)
____________________________________________________________
sudo-announce mailing list <sudo-announce@sudo.ws>
For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-announce
Comment 2 Gert Doering 2020-12-20 19:13:07 UTC 
Hi,

this has a certain urgency to it, as the version rolled out right now (1.9.4_1) immediately SIGSEGV's on FreeBSD 12.1 (it does work fine on 11.4 or 12.2).

gert
Comment 3 Cy Schubert freebsd_committer freebsd_triage 2020-12-20 20:45:36 UTC 
1.9.4p2 was just released.

Subject: [sudo-announce] sudo 1.9.4p2 released
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Sun, 20 Dec 2020 10:40:58 -0700 (09:40 PST)
To: sudo-announce@sudo.ws

	(multipart/mixed)
1.		(multipart/signed)
GnuPG signed message - the signature hasn't been checked
 Check the signature with GnuPG 

	(text/plain)
Sudo version 1.9.4p2 is now available which fixes a bug introduced
in sudo 1.9.4p1.

Source:
    https://www.sudo.ws/dist/sudo-1.9.4p2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.4p2.tar.gz

SHA256 checksum:
    c34af1fa79d40d0869e4010bdd64005290ea2e1ba35638ef07fcc684c4470f64
MD5 checksum:
    d7fab0f99b9b2fd38df90b0788fc8dc9

Binary packages:
    https://www.sudo.ws/download.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.4p2 and 1.9.4p1

 * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
   if the sudoers file contains a runas user-specific Defaults entry.
   Bug #951.

Major changes between sudo 1.9.4p1 and 1.9.4

 * Sudo on macOS now supports users with more than 16 groups without
   needing to set "group_source" to "dynamic" in sudo.conf.
   Previously, only the first 15 were used when matching group-based
   rules in sudoers.  Bug #946.

 * Fixed a regression introduced in version 1.9.4 where sudo would
   not build when configured using the --without-sendmail option.
   Bug #947.

 * Fixed a problem where if I/O logging was disabled and sudo was
   unable to connect to sudo_logsrvd, the command would still be
   allowed to run even when the "ignore_logfile_errors" sudoers
   option was enabled.

 * Fixed a crash introduced in version 1.9.4 when attempting to run
   a command as a non-existent user.  Bug #948.

 * The installed sudo.conf file now has the default sudoers Plugin
   lines commented out.  This fixes a potential conflict when there
   is both a system-installed version of sudo and a user-installed
   version.  GitHub issue #75.

 * Fixed a regression introduced in sudo 1.9.4 where sudo would run
   the command as a child process even when a pseudo-terminal was
   not in use and the "pam_session" and "pam_setcred" options were
   disabled.  GitHub issue #76.

 * Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
   sudoers option could not be set to a value of 3.  Bug #950.

Major changes between sudo 1.9.4 and 1.9.3p1

 * The sudoers parser will now detect when an upper-case reserved
   word is used when declaring an alias.  Now instead of "syntax
   error, unexpected CHROOT, expecting ALIAS" the message will be
   "syntax error, reserved word CHROOT used as an alias name".
   Bug #941.

 * Better handling of sudoers files without a final newline.
   The parser now adds a newline at end-of-file automatically which
   removes the need for special cases in the parser.

 * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end
   where an uninitialized pointer could be freed on an error path.
   GitHub issue #67.

 * The core logging code is now shared between sudo_logsrvd and
   the sudoers plugin.

 * JSON log entries sent to syslog now use "minimal" JSON which
   skips all non-essential whitespace.

 * The sudoers plugin can now produce JSON-formatted logs.  The
   "log_format" sudoers option can be used to select sudo or json
   format logs.  The default is sudo format logs.

 * The sudoers plugin and visudo now display the column number in
   syntax error messages in addition to the line number.  Bug #841.

 * If I/O logging is not enabled but "log_servers" is set, the
   sudoers plugin will now log accept events to sudo_logsrvd.
   Previously, the accept event was only sent when I/O logging was
   enabled.  The sudoers plugin now sends reject and alert events too.

 * The sudo logsrv protocol has been extended to allow an AlertMessage
   to contain an optional array of InfoMessage, as AcceptMessage
   and RejectMessage already do.

 * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result
   in duplicate entries in the debug log when debugging was enabled.

 * The visudo utility now supports EDITOR environment variables
   that use single or double quotes in the command arguments.
   Bug #942.

 * The PAM session modules now run when sudo is set-user-ID root,
   which allows a module to determine the original user-ID.
   Bug #944.

 * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end
   where sudoNotBefore and sudoNotAfter were applied even when the
   SUDOERS_TIMED setting was not present in ldap.conf.  Bug #945.

 * Sudo packages for macOS 11 now contain universal binaries that
   support both Intel and Apple Silicon CPUs.

 * For sudo_logsrvd, an empty value for the "pid_file" setting in
   sudo_logsrvd.conf will now disable the process ID file.

2.		(text/plain)
____________________________________________________________
sudo-announce mailing list <sudo-announce@sudo.ws>
For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-announce
Comment 4 Yasuhiro Kimura freebsd_committer freebsd_triage 2020-12-20 21:02:12 UTC 
Created attachment 220764 [details]
Updated patch file

Update to 1.9.4p2.
Comment 5 commit-hook freebsd_committer freebsd_triage 2020-12-21 12:44:27 UTC 
A commit references this bug:

Author: garga
Date: Mon Dec 21 12:44:16 UTC 2020
New revision: 558816
URL: https://svnweb.freebsd.org/changeset/ports/558816

Log:
  security/sudo: Update to 1.9.4p2

  PR:		251930
  Submitted by:	Yasuhiro Kimura <yasu@utahime.org>
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
  head/security/sudo/Makefile
  head/security/sudo/distinfo
  head/security/sudo/files/patch-fix_build_without_sendmail