Created attachment 220682 [details] Patch file Update to 1.9.4p1. Change Log: https://www.sudo.ws/stable.html#1.9.4p1
Subject: [sudo-announce] sudo 1.9.4p1 released From: "Todd C. Miller" <Todd.Miller@sudo.ws> Date: Thu, 17 Dec 2020 16:10:46 -0700 (15:10 PST) To: sudo-announce@sudo.ws (multipart/mixed) 1. (multipart/signed) GnuPG signed message - the signature hasn't been checked Check the signature with GnuPG (text/plain) Sudo version 1.9.4p1 is now available which fixes a few bugs introduced in sudo 1.9.4 (and earlier releases). Source: https://www.sudo.ws/dist/sudo-1.9.4p1.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.4p1.tar.gz SHA256 checksum: 1172099dfcdd2fa497e13a3c274a9f5920abd36ae7d2f7aaacd6bc6bc92fd677 MD5 checksum: f332f458ba1d2aa479588bd6a9f8abdd Binary packages: https://www.sudo.ws/download.html#binary For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.4p1 and 1.9.4 * Sudo on macOS now supports users with more than 16 groups without needing to set "group_source" to "dynamic" in sudo.conf. Previously, only the first 15 were used when matching group-based rules in sudoers. Bug #946. * Fixed a regression introduced in version 1.9.4 where sudo would not build when configured using the --without-sendmail option. Bug #947. * Fixed a problem where if I/O logging was disabled and sudo was unable to connect to sudo_logsrvd, the command would still be allowed to run even when the "ignore_logfile_errors" sudoers option was enabled. * Fixed a crash introduced in version 1.9.4 when attempting to run a command as a non-existent user. Bug #948. * The installed sudo.conf file now has the default sudoers Plugin lines commented out. This fixes a potential conflict when there is both a system-installed version of sudo and a user-installed version. GitHub issue #75. * Fixed a regression introduced in sudo 1.9.4 where sudo would run the command as a child process even when a pseudo-terminal was not in use and the "pam_session" and "pam_setcred" options were disabled. GitHub issue #76. * Fixed a regression introduced in sudo 1.8.9 where the "closefrom" sudoers option could not be set to a value of 3. Bug #950. Major changes between sudo 1.9.4 and 1.9.3p1 * The sudoers parser will now detect when an upper-case reserved word is used when declaring an alias. Now instead of "syntax error, unexpected CHROOT, expecting ALIAS" the message will be "syntax error, reserved word CHROOT used as an alias name". Bug #941. * Better handling of sudoers files without a final newline. The parser now adds a newline at end-of-file automatically which removes the need for special cases in the parser. * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end where an uninitialized pointer could be freed on an error path. GitHub issue #67. * The core logging code is now shared between sudo_logsrvd and the sudoers plugin. * JSON log entries sent to syslog now use "minimal" JSON which skips all non-essential whitespace. * The sudoers plugin can now produce JSON-formatted logs. The "log_format" sudoers option can be used to select sudo or json format logs. The default is sudo format logs. * The sudoers plugin and visudo now display the column number in syntax error messages in addition to the line number. Bug #841. * If I/O logging is not enabled but "log_servers" is set, the sudoers plugin will now log accept events to sudo_logsrvd. Previously, the accept event was only sent when I/O logging was enabled. The sudoers plugin now sends reject and alert events too. * The sudo logsrv protocol has been extended to allow an AlertMessage to contain an optional array of InfoMessage, as AcceptMessage and RejectMessage already do. * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result in duplicate entries in the debug log when debugging was enabled. * The visudo utility now supports EDITOR environment variables that use single or double quotes in the command arguments. Bug #942. * The PAM session modules now run when sudo is set-user-ID root, which allows a module to determine the original user-ID. Bug #944. * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end where sudoNotBefore and sudoNotAfter were applied even when the SUDOERS_TIMED setting was not present in ldap.conf. Bug #945. * Sudo packages for macOS 11 now contain universal binaries that support both Intel and Apple Silicon CPUs. * For sudo_logsrvd, an empty value for the "pid_file" setting in sudo_logsrvd.conf will now disable the process ID file. 2. (text/plain) ____________________________________________________________ sudo-announce mailing list <sudo-announce@sudo.ws> For list information, options, or to unsubscribe, visit: https://www.sudo.ws/mailman/listinfo/sudo-announce
Hi, this has a certain urgency to it, as the version rolled out right now (1.9.4_1) immediately SIGSEGV's on FreeBSD 12.1 (it does work fine on 11.4 or 12.2). gert
1.9.4p2 was just released. Subject: [sudo-announce] sudo 1.9.4p2 released From: "Todd C. Miller" <Todd.Miller@sudo.ws> Date: Sun, 20 Dec 2020 10:40:58 -0700 (09:40 PST) To: sudo-announce@sudo.ws (multipart/mixed) 1. (multipart/signed) GnuPG signed message - the signature hasn't been checked Check the signature with GnuPG (text/plain) Sudo version 1.9.4p2 is now available which fixes a bug introduced in sudo 1.9.4p1. Source: https://www.sudo.ws/dist/sudo-1.9.4p2.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.4p2.tar.gz SHA256 checksum: c34af1fa79d40d0869e4010bdd64005290ea2e1ba35638ef07fcc684c4470f64 MD5 checksum: d7fab0f99b9b2fd38df90b0788fc8dc9 Binary packages: https://www.sudo.ws/download.html#binary For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.4p2 and 1.9.4p1 * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash if the sudoers file contains a runas user-specific Defaults entry. Bug #951. Major changes between sudo 1.9.4p1 and 1.9.4 * Sudo on macOS now supports users with more than 16 groups without needing to set "group_source" to "dynamic" in sudo.conf. Previously, only the first 15 were used when matching group-based rules in sudoers. Bug #946. * Fixed a regression introduced in version 1.9.4 where sudo would not build when configured using the --without-sendmail option. Bug #947. * Fixed a problem where if I/O logging was disabled and sudo was unable to connect to sudo_logsrvd, the command would still be allowed to run even when the "ignore_logfile_errors" sudoers option was enabled. * Fixed a crash introduced in version 1.9.4 when attempting to run a command as a non-existent user. Bug #948. * The installed sudo.conf file now has the default sudoers Plugin lines commented out. This fixes a potential conflict when there is both a system-installed version of sudo and a user-installed version. GitHub issue #75. * Fixed a regression introduced in sudo 1.9.4 where sudo would run the command as a child process even when a pseudo-terminal was not in use and the "pam_session" and "pam_setcred" options were disabled. GitHub issue #76. * Fixed a regression introduced in sudo 1.8.9 where the "closefrom" sudoers option could not be set to a value of 3. Bug #950. Major changes between sudo 1.9.4 and 1.9.3p1 * The sudoers parser will now detect when an upper-case reserved word is used when declaring an alias. Now instead of "syntax error, unexpected CHROOT, expecting ALIAS" the message will be "syntax error, reserved word CHROOT used as an alias name". Bug #941. * Better handling of sudoers files without a final newline. The parser now adds a newline at end-of-file automatically which removes the need for special cases in the parser. * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end where an uninitialized pointer could be freed on an error path. GitHub issue #67. * The core logging code is now shared between sudo_logsrvd and the sudoers plugin. * JSON log entries sent to syslog now use "minimal" JSON which skips all non-essential whitespace. * The sudoers plugin can now produce JSON-formatted logs. The "log_format" sudoers option can be used to select sudo or json format logs. The default is sudo format logs. * The sudoers plugin and visudo now display the column number in syntax error messages in addition to the line number. Bug #841. * If I/O logging is not enabled but "log_servers" is set, the sudoers plugin will now log accept events to sudo_logsrvd. Previously, the accept event was only sent when I/O logging was enabled. The sudoers plugin now sends reject and alert events too. * The sudo logsrv protocol has been extended to allow an AlertMessage to contain an optional array of InfoMessage, as AcceptMessage and RejectMessage already do. * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result in duplicate entries in the debug log when debugging was enabled. * The visudo utility now supports EDITOR environment variables that use single or double quotes in the command arguments. Bug #942. * The PAM session modules now run when sudo is set-user-ID root, which allows a module to determine the original user-ID. Bug #944. * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end where sudoNotBefore and sudoNotAfter were applied even when the SUDOERS_TIMED setting was not present in ldap.conf. Bug #945. * Sudo packages for macOS 11 now contain universal binaries that support both Intel and Apple Silicon CPUs. * For sudo_logsrvd, an empty value for the "pid_file" setting in sudo_logsrvd.conf will now disable the process ID file. 2. (text/plain) ____________________________________________________________ sudo-announce mailing list <sudo-announce@sudo.ws> For list information, options, or to unsubscribe, visit: https://www.sudo.ws/mailman/listinfo/sudo-announce
Created attachment 220764 [details] Updated patch file Update to 1.9.4p2.
A commit references this bug: Author: garga Date: Mon Dec 21 12:44:16 UTC 2020 New revision: 558816 URL: https://svnweb.freebsd.org/changeset/ports/558816 Log: security/sudo: Update to 1.9.4p2 PR: 251930 Submitted by: Yasuhiro Kimura <yasu@utahime.org> Sponsored by: Rubicon Communications, LLC (Netgate) Changes: head/security/sudo/Makefile head/security/sudo/distinfo head/security/sudo/files/patch-fix_build_without_sendmail