Bug 257454 - security/sudo: Update to 1.9.7p2
Summary: security/sudo: Update to 1.9.7p2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Renato Botelho
URL: https://www.sudo.ws/stable.html#1.9.7p2
Depends on:
Reported: 2021-07-27 16:44 UTC by Yasuhiro Kimura
Modified: 2021-08-13 13:11 UTC (History)
1 user (show)

See Also:
garga: maintainer-feedback+

Patch file (1.18 KB, patch)
2021-07-27 16:44 UTC, Yasuhiro Kimura
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura freebsd_committer 2021-07-27 16:44:06 UTC
Created attachment 226741 [details]
Patch file

Update to 1.9.7p2.

Change Log: https://www.sudo.ws/stable.html#1.9.7p2
Comment 1 Cy Schubert freebsd_committer 2021-07-27 18:11:36 UTC
Sudo version 1.9.7 patchelevel 2 is now available which fixes a few
minor bugs in sudo 1.9.7.


SHA256 checksum:
MD5 checksum:

Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.9.7p2 and 1.9.7p1:

 * When formatting JSON output, octal numbers are now stored as
   strings, not numbers.  The JSON spec does not actually support
   octal numbers with a '0' prefix.

 * Fixed a compilation issue on Solaris 9.

 * Sudo now can handle the getgroups() function returning a different
   number of groups for subsequent invocations.  GitHub PR #106.

 * When loading a Python plugin, python_plugin.so now verifies
   that the module loaded matches the one we tried to load.  This
   allows sudo to display a more useful error message when trying
   to load a plugin with a name that conflicts with a Python module
   installed in the system location.

 * Sudo no longer sets the the open files resource limit to "unlimited"
   while it runs.  This avoids a problem where sudo's closefrom()
   emulation would need to close a very large number of descriptors
   on systems without a way to determine which ones are actually open.

 * Sudo now includes a configure check for va_copy or __va_copy and
   only defines its own version if the configure test fails.

 * Fixed a bug in sudo's utmp file handling which prevented old
   entries from being reused.  As a result, the utmp (or utmpx)
   file was appended to unnecessarily.  GitHub PR #108.

 * Fixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd
   from accepting TLS connections when OpenSSL is used.  Bug #988.

Major changes between sudo 1.9.7p1 and 1.9.7:

 * Fixed an SELinux sudoedit bug when the edited temporary file
   could not be opened.  The sesh helper would still be run even
   when there are no temporary files available to install.

 * Fixed a compilation problem on FreeBSD.

 * The sudo_noexec.so file is now built as a module on all systems
   other than macOS.  This makes it possible to use other libtool
   implementations such as slibtool.  On macOS shared libraries and
   modules are not interchangeable and the version of libtool shipped
   with sudo must be used.

 * Fixed a few bugs in the getgrouplist() emulation on Solaris when
   reading from the local group file.

 * Fixed a bug in sudo_logsrvd that prevented periodic relay server
   connection retries from occurring in "store_first" mode.

 * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
   due to a crash when the group source is set to "compat" in
   /etc/nsswitch.conf.  This is probably due to a mismatch between
   include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
   HP-UX we now just cycle through groups the slow way using
   getgrent().  Bug #978.

Major changes between sudo 1.9.7 and 1.9.6p1:

 * The "fuzz" Makefile target now runs all the fuzzers for 8192
   passes (can be overridden via the FUZZ_RUNS variable).  This makes
   it easier to run the fuzzers in-tree.  To run a fuzzer indefinitely,
   set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".

 * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
   error by default when a symbol is multiply-defined.

 * Added support for determining local IPv6 addresses on systems
   that lack the getifaddrs() function.  This now works on AIX,
   HP-UX and Solaris (at least).  Bug #969.

 * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
   report a usage error.  Also, when invoked as sudoedit, sudo now
   allows a more restricted set of options that matches the usage
   statement and documentation.  GitHub issue #95.

 * Fixed a crash in sudo_sendlog when the specified certificate
   or key does not exist or is invalid.  Bug #970.

 * Fixed a compilation error when sudo is configured with the
   --disable-log-client option.

 * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
   is now documented.  Bug #971.

 * Sudo now requires autoconf 2.70 or higher to regenerate the
   configure script.  Bug #972.

 * sudo_logsrvd now has a relay mode which can be used to create
   a hierarchy of log servers.  By default, when a relay server is
   defined, messages from the client are forwarded immediately to
   the relay.  However, if the "store_first" setting is enabled,
   the log will be stored locally until the command completes and
   then relayed.  Bug #965.

 * Sudo now links with OpenSSL by default if it is available unless
   the --disable-openssl configure option is used or both the
   --disable-log-client and --disable-log-server configure options
   are specified.

 * Fixed configure's Python version detection when the version minor
   number is more than a single digit, for example Python 3.10.

 * The sudo Python module tests now pass for Python 3.10.

 * Sudo will now avoid changing the datasize resource limit
   as long as the existing value is at least 1GB.  This works around
   a problem on 64-bit HP-UX where it is not possible to exactly
   restore the original datasize limit.  Bug #973.

 * Fixed a race condition that could result in a hang when sudo is
   executed by a process where the SIGCHLD handler is set to SIG_IGN.
   This fixes the bug described by GitHub PR #98.

 * Fixed an out-of-bounds read in sudoedit and visudo when the
   EDITOR, VISUAL or SUDO_EDITOR environment variables end in an
   unescaped backslash.  Also fixed the handling of quote characters
   that are escaped by a backslash.  GitHub issue #99.

 * Fixed a bug that prevented the "log_server_verify" sudoers option
   from taking effect.

 * The sudo_sendlog utility has a new -s option to cause it to stop
   sending I/O records after a user-specified elapsed time.  This
   can be used to test the I/O log restart functionality of sudo_logsrvd.

 * Fixed a crash introduced in sudo 1.9.4 in sudo_logsrvd when
   attempting to restart an interrupted I/O log transfer.

 * The TLS connection timeout in the sudoers log client was previously
   hard-coded to 10 seconds.  It now uses the value of log_server_timeout.

 * The configure script now outputs a summary of the user-configurable
   options at the end, separate from output of configure script tests.
   Bug #820.

 * Corrected the description of which groups may be specified via the
   -g option in the Runas_Spec section.  Bug #975.
Comment 2 Renato Botelho freebsd_committer 2021-07-30 17:21:36 UTC
Approved.  Thanks!!!
Comment 3 Renato Botelho freebsd_committer 2021-07-30 17:22:43 UTC
Oh, I thought it was submitted by cy@

I'll get it committed.  thanks!
Comment 4 Renato Botelho freebsd_committer 2021-08-13 13:11:58 UTC
Updated on commit 6aeff2e8d145527738a0fc5cec87c9e2e122ef81