Bug 252598 - [PATCH] security/sudo - update to 1.9.5p1 - suid regression fix
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Renato Botelho
Reported: 2021-01-12 03:50 UTC by Cy Schubert
Modified: 2021-01-12 12:43 UTC (History)
bugzilla: maintainer-feedback? (garga)
cy: maintainer-feedback? (garga)
cy: merge-quarterly?


Attachments
sudo 1.9.5p1 fixes a setuid security vulnerability introduced in 1.9.5 (781 bytes, patch)
2021-01-12 03:50 UTC, Cy Schubert
cy: maintainer-approval?

Description Cy Schubert freebsd_committer freebsd_triage 2021-01-12 03:50:30 UTC
Created attachment 221481
sudo 1.9.5p1 fixes a setuid security vulnerability introduced in 1.9.5

The priority is set to P1 due to the security exposure.

Sudo version 1.9.5p1 is now available which fixes a bug introduced
in sudo 1.9.5.  Sudo 1.9.5 fixed several bugs, including CVE-2021-23239
and CVE-2021-23240 which have security implications.  See below for
details.

Source:
    https://www.sudo.ws/dist/sudo-1.9.5p1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p1.tar.gz

SHA256 checksum:
    4dddf37c22653defada299e5681e0daef54bb6f5fc950f63997bb8eb966b7882
MD5 checksum:
    145f6e69c116f82cf0377ccf459344eb

Binary packages:
    https://www.sudo.ws/download.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.5p1 and 1.9.5

 * Fixed a regression introduced in sudo 1.9.5 where the editor run
   by sudoedit was set-user-ID root unless SELinux RBAC was in use.
   The editor is now run with the user's real and effective user-IDs.
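
An added example, not part of the bug report or of sudo: a fleet-audit check built on the version statement above, flagging hosts still on 1.9.5 (the release with the sudoedit regression) and hosts older than 1.9.5. It assumes version text in the form of the first line of `sudo -V` (`Sudo version X.Y.ZpN`) or a `sudo-X.Y.ZpN` package name; the inventory lines, host names and status labels are constructed.

```python
import re

# Release versions look like 1.9.5 or 1.9.5p1. The lookahead rejects
# pre-releases such as 1.9.5b1 or 1.9.5rc1 so they are reported as unknown.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?![0-9A-Za-z])")

REGRESSED = (1, 9, 5, 0)  # 1.9.5: sudoedit editor ran set-user-ID root


def parse_sudo_version(text):
    """Return (major, minor, micro, patchlevel), or None if no release version."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())


def classify(text):
    """Map a version string to a status label (labels are hypothetical)."""
    version = parse_sudo_version(text)
    if version is None:
        return "unknown"
    if version == REGRESSED:
        return "sudoedit-regression"  # update to 1.9.5p1
    if version < REGRESSED:
        # Lacks the 1.9.5 fixes (CVE-2021-23239, CVE-2021-23240).
        return "predates-1.9.5"
    return "current"  # 1.9.5p1 or later


def audit(inventory):
    """Group hosts by status from tab-separated 'host<TAB>version text' lines."""
    report = {}
    for line in inventory.strip().splitlines():
        host, _, version_text = line.partition("\t")
        report.setdefault(classify(version_text), []).append(host)
    return report


# Constructed sample inventory: host name, tab, collected version text.
SAMPLE_INVENTORY = """\
build01\tSudo version 1.9.5
web01\tsudo-1.9.5p1
db01\tsudo-1.9.4p2_1
lab01\tSudo version 1.9.5b1
"""

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(status, ", ".join(hosts))
```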
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-01-12 12:40:54 UTC
A commit references this bug:

Author: garga
Date: Tue Jan 12 12:40:24 UTC 2021
New revision: 561323
URL: https://svnweb.freebsd.org/changeset/ports/561323

Log:
  security/sudo: Update to 1.9.5p1

  This version fixes a regression introduced by 1.9.5

  Changelog: https://www.sudo.ws/stable.html#1.9.5p1

  PR:		252598
  Submitted by:	cy
  MFH:		2021Q1
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
  head/security/sudo/Makefile
  head/security/sudo/distinfo
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-01-12 12:43:57 UTC
A commit references this bug:

Author: garga
Date: Tue Jan 12 12:43:27 UTC 2021
New revision: 561325
URL: https://svnweb.freebsd.org/changeset/ports/561325

Log:
  MFH: r561259 r561323

  Update 1.9.4p2 --> 1.9.5

  PR:		252583
  Submitted by:	cy
  Reported by:	cy
  Approved by:	garga (maintainer)
  Security:	CVE-2021-23239

  security/sudo: Update to 1.9.5p1

  This version fixes a regression introduced by 1.9.5

  Changelog: https://www.sudo.ws/stable.html#1.9.5p1

  PR:		252598
  Submitted by:	cy
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
_U  branches/2021Q1/
  branches/2021Q1/security/sudo/Makefile
  branches/2021Q1/security/sudo/distinfo