From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 275754] security/sudo: Update to 1.9.15p3
Date: Wed, 13 Dec 2023 22:54:30 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: cy@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: garga@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter flagtypes.name attachments.created
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Ports bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs
Sender: owner-freebsd-ports-bugs@freebsd.org
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275754

            Bug ID: 275754
           Summary: security/sudo: Update to 1.9.15p3
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: garga@FreeBSD.org
          Reporter: cy@FreeBSD.org
             Flags: maintainer-feedback?(garga@FreeBSD.org)

Created attachment 247036
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247036&action=edit
Update to 1.9.15p3

Sudo version 1.9.15p3 is now available, which fixes several bugs
introduced in sudo 1.9.15. In addition to bug fixes, sudo 1.9.15
includes changes to make it easier to determine which sudoers rule
permitted a command to be run.

Source:
  https://www.sudo.ws/dist/sudo-1.9.15p3.tar.gz
  ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.15p3.tar.gz

SHA256 checksum: 78c87a1ccec42f7a095002fe2b1478a5106036359e362b867534a8e0056a0494
MD5 checksum:    16b0ee4c2107aaec99fe83ea319f0aec

Binary packages:
  https://www.sudo.ws/getting/packages/
  https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_15p3

For a list of download mirror sites, see:
  https://www.sudo.ws/getting/download_mirrors/

Sudo web site:
  https://www.sudo.ws/

Major changes between sudo 1.9.15p3 and 1.9.15p2:

* Always disable core dumps when sudo sends itself a fatal signal.
  Fixes a problem where sudo could potentially dump core when it
  re-sends the fatal signal to itself. This is only an issue if the
  command received a signal that would normally result in a core dump
  but the command did not actually dump core.

* Fixed a bug matching a command with a relative path name when the
  sudoers rule uses shell globbing rules for the path name. Bug #1062.

* Permit visudo to be run even if the local host name is not set.
  GitHub issue #332.

* Fixed an editing error introduced in sudo 1.9.15 that could prevent
  sudoreplay from replaying sessions correctly. GitHub issue #334.

* Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null"
  could hang on Linux systems. GitHub issue #335.

* Fixed a bug introduced in sudo 1.9.15 where Solaris privileges
  specified in sudoers were not applied to the command being run.

Major changes between sudo 1.9.15p2 and 1.9.15p1:

* Fixed a bug on BSD systems where sudo would not restore the terminal
  settings on exit if the terminal had parity enabled. GitHub issue #326.

Major changes between sudo 1.9.15p1 and 1.9.15:

* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
  sudoers from being able to read the ldap.conf file. GitHub issue #325.

Major changes between sudo 1.9.15 and 1.9.14p3:

* Fixed an undefined symbol problem on older versions of macOS when
  "intercept" or "log_subcmds" are enabled in sudoers. GitHub issue #276.

* Fixed "make check" failure related to getpwent(3) wrapping on NetBSD.

* Fixed the warning message for "sudo -l command" when the command is
  not permitted. There was a missing space between "list" and the
  actual command due to changes in sudo 1.9.14.

* Fixed a bug where output could go to the wrong terminal if "use_pty"
  is enabled (the default) and the standard input, output or error is
  redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
  specified sudoers file does not exist and the user exits the editor
  without making any changes. GitHub issue #294.

* The AIX and Solaris sudo packages on www.sudo.ws now support
  "log_subcmds" and "intercept" with both 32-bit and 64-bit binaries.
  Previously, they only worked when running binaries with the same
  word size as the sudo binary. GitHub issue #289.

* The sudoers source is now logged in the JSON event log. This makes
  it possible to tell which rule resulted in a match.

* Running "sudo -ll command" now produces verbose output that includes
  the matching rule as well as the path to the sudoers file the
  matching rule came from. For LDAP sudoers, the name of the matching
  sudoRole is printed instead.

* The embedded copy of zlib has been updated to version 1.3.

* The sudoers plugin has been modified to make it more resilient to
  ROWHAMMER attacks on authentication and policy matching. This
  addresses CVE-2023-42465.

* The sudoers plugin now constructs the user time stamp file path name
  using the user-ID instead of the user name. This avoids a potential
  problem with user names that contain a path separator ('/') being
  interpreted as part of the path name. A similar issue in sudo-rs has
  been assigned CVE-2023-42456.

* A path separator ('/') in a user, group or host name is now replaced
  with an underbar character ('_') when expanding escapes in @include
  and @includedir directives as well as the "iolog_file" and
  "iolog_dir" sudoers Default settings.

* The "intercept_verify" sudoers option is now only applied when the
  "intercept" option is set in sudoers. Previously, it was also
  applied when "log_subcmds" was enabled. Sudo 1.9.14 contained an
  incorrect fix for this. Bug #1058.

* Changes to terminal settings are now performed atomically, where
  possible. If the command is being run in a pseudo-terminal and the
  user's terminal is already in raw mode, sudo will not change the
  user's terminal settings.
  This prevents concurrent sudo processes from restoring the terminal
  settings to the wrong values. GitHub issue #312.

* Reverted a change from sudo 1.9.4 that resulted in PAM session
  modules being called with the environment of the command to be run
  instead of the environment of the invoking user. GitHub issue #318.

* New Indonesian translation from translationproject.org.

* The sudo_logsrvd server will now raise its open file descriptor
  limit to the maximum allowed value when it starts up. Each
  connection can require up to nine open file descriptors so the
  default soft limit may be too low.

* Better log message when rejecting a command if the "intercept"
  option is enabled and the "intercept_allow_setid" option is
  disabled. Previously, "command not allowed" would be logged and the
  user had no way of knowing what the actual problem was.

* Sudo will now log the invoking user's environment as "submitenv" in
  the JSON logs. The command's environment ("runenv") is no longer
  logged for commands rejected by the sudoers file or an approval
  plugin.

____________________________________________________________
sudo-announce mailing list
For list information, options, or to unsubscribe, visit:
  https://www.sudo.ws/mailman/listinfo/sudo-announce

-- 
You are receiving this mail because:
You are the assignee for the bug.
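The two path-handling changes listed for sudo 1.9.15 above (the time stamp file named by user-ID rather than user name, and '/' replaced by '_' when expanding escapes for @include, @includedir, "iolog_file" and "iolog_dir") as an added Python illustration; this is not sudo's code, and the %u/%g/%h escape syntax, the directory names and the user, group and host names are assumptions constructed for the example.

```python
import os
import re

# Constructed directory for the illustration; sudo's real time stamp
# directory differs by platform and build configuration.
TS_DIR = "/run/sudo/ts"


def timestamp_path_by_name(ts_dir: str, user_name: str) -> str:
    """Pre-1.9.15 shape, shown for contrast: the user name is the file
    name, so a '/' in the name is read as a directory separator."""
    return os.path.join(ts_dir, user_name)


def timestamp_path_by_uid(ts_dir: str, uid: int) -> str:
    """1.9.15 shape: a numeric user-ID can never contain a separator."""
    if uid < 0:
        raise ValueError("user-ID must be non-negative")
    return os.path.join(ts_dir, str(uid))


def sanitize_component(name: str) -> str:
    """Replace '/' with '_' so a user, group or host name stays one
    path component, as the 1.9.15 escape expansion now does."""
    return name.replace("/", "_")


def expand_escapes(template: str, user: str, group: str, host: str) -> str:
    """Expand an assumed %u/%g/%h/%% escape syntax (simplified; not
    sudo's full escape set), sanitizing every substituted name."""
    values = {"u": user, "g": group, "h": host}

    def repl(match: re.Match) -> str:
        key = match.group(1)
        return "%" if key == "%" else sanitize_component(values[key])

    return re.sub(r"%([ugh%])", repl, template)


def stays_inside(base: str, path: str) -> bool:
    """True when path is a direct child of base (exactly one new component)."""
    return os.path.dirname(os.path.normpath(path)) == os.path.normpath(base)


if __name__ == "__main__":
    # Constructed user name containing a separator, to show the difference.
    by_name = timestamp_path_by_name(TS_DIR, "ops/alice")
    by_uid = timestamp_path_by_uid(TS_DIR, 1001)
    print(by_name, stays_inside(TS_DIR, by_name))  # /run/sudo/ts/ops/alice False
    print(by_uid, stays_inside(TS_DIR, by_uid))    # /run/sudo/ts/1001 True
    print(expand_escapes("/var/log/sudo-io/%h/%u", "ops/alice", "wheel", "db/1"))
```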