From Todd.Miller at courtesan.com Mon Jan 14 09:44:02 2002
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 14 Jan 2002 07:44:02 -0700
Subject: Sudo version 1.6.4 now available
Message-ID: <200201141444.g0EEi21c014585@xerxes.courtesan.com>

Sudo version 1.6.4 is now available (ftp sites listed at the end).

There are some things I had promised for the next release that are not in 1.6.4 due to the large changes in the parser that these changes require to work properly. Nonetheless this release does fix the majority of problems in the sudo bugs database and adds features a number of people have asked for. I hope to make more frequent releases in the near future (it has been quite a while since 1.6.3 was originally released).

 - todd

Major changes since 1.6.3p7:

 o Visudo now checks for the existence of an editor and gives a sensible error if it does not exist.
 o The path to the editor for visudo is now a colon-separated list of allowable editors. If the user has $EDITOR set and it matches one of the allowed editors that editor will be used. If not, the first editor that actually exists is used.
 o Allow special characters (including '#') to be embedded in pathnames if quoted by a '\'. The quoted chars will be dealt with by fnmatch(). Unfortunately, 'sudo -l' still prints the '\'.
 o Added the always_set_home option.
 o Strip NLSPATH and PATH_LOCALE out from the environment to prevent reading of protected files by a less privileged user.
 o Added support for BSD authentication and associated -a flag.
 o Added stay_setuid option for systems that have libraries that perform extra paranoia checks in system libraries for setuid programs.
 o Environment munging is now done by hand. The environment is zeroed upon sudo startup and a new environment is built before the command is executed. This means we don't rely on getenv(3), putenv(3), or setenv(3).
 o Added a class of environment variables that are only cleared if they contain '/' or '%' characters.
 o Use stashed user_gid when checking against exempt gid since sudo sets its gid to SUDOERS_GID, making getgid() return that, not the real gid. Fixes problem with setting exempt group == SUDOERS_GID.
 o Regenerated configure script with autoconf-2.52 (required some tweaking of configure.in and friends).
 o Added mail_badpass option to send mail when the user does not authenticate successfully.
 o Added env_reset Defaults option to reset the environment to a clean slate. Also implemented env_keep Defaults option to specify variables to be preserved when resetting the environment.
 o Added env_check and env_delete Defaults options to allow the admin to modify the builtin list of environment variables to remove.
 o If timestamp_timeout < 0 then the timestamp never expires. This allows users to manage their own timestamps and create or delete them via 'sudo -v' and 'sudo -k' respectively.
 o Authentication routines that use sudo's tgetpass() now accept ^C or ^Z at the password prompt and sudo will act appropriately.
 o Added a check-only mode to visudo to check an existing sudoers file for sanity.
 o Visudo can now edit an alternate sudoers file.
 o If sudo is configured with S/Key support and the system has skeyaccess(3) use that to determine whether or not to allow a normal Unix password or just S/Key.
 o Fixed CIDR handling in sudoers.
 o Fixed a segv if the local hostname is not resolvable and the 'fqdn' option is set.
 o "listpw=never" was not having an effect for users who did not appear in sudoers--now it does.
 o The --without-sendmail option now works on systems with a /usr/include/paths.h file that defines _PATH_SENDMAIL.
 o Removed the "secure_path" Defaults option as it does not work and cannot work until the parser is overhauled.
 o Added new -P flag and "preserve_groups" sudoers option to cause sudo to preserve the group vector instead of setting it to that of the target user. Previously, if the target user was root the group vector was not changed. Now it is always changed unless the -P flag or "preserve_groups" option was given.
 o If find_path() fails as root, try again as the invoking user (useful for NFS). Idea from Chip Capelik.
 o Use setpwent()/endpwent() and its shadow equivalents to be sure the passwd/shadow file gets closed.
 o Use getifaddrs(3) to get the list of network interfaces if it is available.
 o Dump list of local IP addresses and environment variables to clear when 'sudo -V' is run as root.
 o Wrap each call to syslog() with openlog()/closelog() since some things (such as PAM) may call closelog(3) behind sudo's back.
 o The LOGNAME and USER environment variables are now set if the user specified a target uid and that uid exists in the password database.
 o Now call pam_setcreds() to setup creds for the target user when PAM is in use. On Linux this often sets resource limits.

[ Note that I'm now using the sudo.ws domain instead of courtesan.com for sudo-related things. This is just a cosmetic change as the sudo.ws addresses still point to the same machine they always have.
]

Master WWW site:
    http://www.sudo.ws/sudo/dist/

WWW Mirrors:
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.c0r3dump.com/sudo/ (Edmonton, Canada)
    http://sudo.cdu.elektra.ru/ (Russia)

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

FTP Mirrors:
    ftp.cs.colorado.edu:/pub/sudo/ (Boulder, Colorado, USA)
    ftp.stikman.com:/pub/sudo/ (Los Angeles, California, USA)
    ftp.uu.net:/pub/security/sudo/ (Falls Church, Virginia, USA)
    ftp.tux.org:/pub/security/sudo/ (Beltsville, Maryland, USA)
    coast.cs.purdue.edu:/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp.uwsg.indiana.edu:/pub/sudo/ (Bloomington, Indiana, USA)
    sudobash.com:/pub/sudo/ (Ypsilanti, Michigan, USA)
    ftp.tamu.edu:/pub/mirrors/ftp.courtesan.com/ (College Station, Texas, USA)
    ftp.rge.com:/pub/admin/sudo/ (Rochester, New York, USA)
    mirage.informationwave.net:/sudo/ (Fanwood, New Jersey, USA)
    ftp.wiretapped.net:/pub/security/host-security/sudo/ (Australia)
    ftp.tuwien.ac.at:/utils/admin-tools/sudo/ (Austria)
    sunsite.ualberta.ca:/pub/Mirror/sudo/ (Alberta, Canada)
    ftp.csc.cuhk.edu.hk:/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp.eunet.cz:/pub/security/sudo/ (Czechoslovakia)
    ftp.umds.ac.uk:/pub/sudo/ (Great Britain)
    ftp.tvi.tut.fi:/pub/security/unix/sudo/ (Finland)
    ftp.lps.ens.fr:/pub/software/sudo/ (France)
    ftp.crihan.fr:/pub/security/sudo/ (France)
    ftp.rz.uni-osnabrueck.de:/pub/unix/security/sudo/ (Germany)
    ftp.win.ne.jp:/pub/misc/sudo/ (Japan)
    ftp.st.ryukoku.ac.jp:/pub/security/tool/sudo/ (Japan)
    ftp.eos.hokudai.ac.jp:/pub/misc/sudo/ (Japan)
    ftp.tokyonet.ad.jp:/pub/security/sudo/ (Japan)
    ftp.kobe-u.ac.jp:/pub/util/security/tool/sudo/ (Japan)
    ftp.cin.nihon-u.ac.jp:/pub/util/sudo/ (Japan)
    ftp.fujitsu.co.jp:/pub/misc/sudo/ (Japan)
    core.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ayamura.org:/pub/sudo/ (Japan)
    ftp.iphil.net:/pub/sudo/ (Makati City, Philippines)
    ftp.icm.edu.pl:/vol/wojsyl5/sudo/ (Poland)
    ftp.assist.ro:/pub/mirrors/ftp.courtesan.com/pub/sudo/ (Romania)
    ftp.sai.msu.su:/pub/unix/security/ (Russia)
    ftp.cdu.elektra.ru:/pub/unix/security/sudo/ (Russia)
    ftp.mc.hik.se:/pub/unix/security/sudo/ (Sweden)
    ftp.sekure.net:/pub/sudo/ (Sweden)
    ftp.edu.tw:/UNIX/sudo/ (Taiwan)
    ftp.comu.edu.tr:/pub/linux/prog/sudo/ (Turkey)

From Todd.Miller at courtesan.com Mon Jan 14 21:42:28 2002
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 14 Jan 2002 19:42:28 -0700
Subject: Sudo Security Alert
Message-ID: <200201150242.g0F2gS1c024224@xerxes.courtesan.com>

Summary:

A security issue has been found by Sebastian Krahmer of the SuSE Security Team in Sudo versions 1.6.0 - 1.6.3p7. When the Postfix sendmail replacement is installed on a machine an attacker may be able to gain root privileges by way of Sudo.

Sudo versions affected:

1.6.0 - 1.6.3p7 (inclusive)

Details:

Starting with version 1.6.0 Sudo sends mail to the administrator as root to prevent the invoking user from killing the mail process and thus avoiding logging (in previous versions of Sudo the mail was sent as the invoking user). The security problem occurs because the environment that the "sendmail" program is run with comes from the user (with some potentially dangerous variables removed). It is thus possible for an attacker to influence the mail program via environment variables. This is compounded by the fact that since Sudo runs the mail program with both real and effective uids set to 0 (root) the mailer cannot tell that it has been called from a setuid process and thus treat the environment with suspicion.

Currently, the only sendmail replacement known to be affected is Postfix but others may be as well. I did a quick check of the current version of Sendmail and it does not appear to trust the environment in any significant manner so it is probably safe.
However, to be on the safe side I recommend that people upgrade to Sudo 1.6.4 or 1.6.4p1 which runs the mail program with a clean environment.

Sudo web site:
    http://www.sudo.ws/sudo

 - todd

From Todd.Miller at courtesan.com Mon Jan 14 21:46:54 2002
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Mon, 14 Jan 2002 19:46:54 -0700
Subject: Sudo version 1.6.4p1 now available
Message-ID: <200201150246.g0F2ks1c021053@xerxes.courtesan.com>

Sudo version 1.6.4 patchlevel 1 is now available (ftp sites listed at the end).

This patch fixes the following problems in sudo 1.6.4:

 o The "set_home" sudoers option was broken in sudo 1.6.4.
 o Use of the "fqdn" sudoers option could result in memory being accessed after it had been freed.

sudo 1.6.4p1 distribution:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.4p1.tar.gz

patch against sudo 1.6.4:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.4p1.patch.gz

Note that it may take a while for the mirrors to update.

 - todd

Master WWW site:
    http://www.sudo.ws/sudo/dist/

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

From Todd.Miller at courtesan.com Wed Jan 16 13:15:31 2002
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 16 Jan 2002 11:15:31 -0700
Subject: Sudo version 1.6.4p2 now available
Message-ID: <200201161815.g0GIFV1c009797@xerxes.courtesan.com>

Sudo version 1.6.4 patchlevel 2 is now available (ftp sites listed at the end).

This patch fixes the following problems in sudo 1.6.4p1:

 o Some special characters were not being escaped properly (e.g. '\,' and '\:') in command line arguments and would cause a syntax error.
 o "sudo -l" would not work if the always_set_home option was set.
 o Added a configure option to disable use of POSIX saved IDs for operating systems where these are broken.
 o The SHELL environment variable was preserved from the user's environment instead of being reset based on the passwd database even when the "env_reset" option was set.

sudo 1.6.4p2 distribution:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.4p2.tar.gz

patch against sudo 1.6.4p1:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.4p2.patch.gz

Note that it may take a while for the mirrors to update.

 - todd

Master WWW site:
    http://www.sudo.ws/sudo/dist/

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

From Todd.Miller at courtesan.com Wed Jan 16 22:42:55 2002
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 16 Jan 2002 20:42:55 -0700
Subject: Sudo version 1.6.5 now available
Message-ID: <200201170342.g0H3gt1c003628@xerxes.courtesan.com>

Sudo version 1.6.5 is now available (ftp sites listed at the end). Normally this would simply be a patch against sudo 1.6.4 but I hope to avoid some confusion and so am rolling this out as sudo 1.6.5.

Changes since sudo 1.6.4p2:

 o If the mailer is being run as root, use a hard-coded environment that is not influenced in any way by the invoking user's environment.
 o A new configure option can be used to cause mail sent by sudo to be run as the invoking user instead of root. Some people consider this to be safer.

Changes since sudo 1.6.4p1:

 o Some special characters were not being escaped properly (e.g. '\,' and '\:') in command line arguments and would cause a syntax error.
 o "sudo -l" would not work if the always_set_home option was set.
 o Added a configure option to disable use of POSIX saved IDs for operating systems where these are broken.
 o The SHELL environment variable was preserved from the user's environment instead of being reset based on the passwd database even when the "env_reset" option was set.

Changes since sudo 1.6.4:

 o The "set_home" sudoers option was broken in sudo 1.6.4.
 o Use of the "fqdn" sudoers option could result in memory being accessed after it had been freed.

sudo 1.6.5 distribution:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.5.tar.gz

Master WWW site:
    http://www.sudo.ws/sudo/dist/

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

From Todd.Miller at courtesan.com Wed Jan 23 20:23:42 2002
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 23 Jan 2002 18:23:42 -0700
Subject: Sudo version 1.6.5p2 now available
Message-ID: <200201240123.g0O1NgaQ010797@xerxes.courtesan.com>

Sudo version 1.6.5 patchlevel 2 is now available (ftp sites listed at the end).

Changes since sudo 1.6.5p1:

 o Older versions of BSDi have getifaddrs() but no freeifaddrs().
 o BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.
 o Ignore the return value of pam_setcred(). In Linux-PAM 0.75, pam_setcred() will return PAM_PERM_DENIED even if the setcred function of the module succeeds when pam_authenticate() has not been called.
 o Avoid giving PAM a NULL password response, use the empty string instead. This avoids a log warning when the user hits ^C at the password prompt when Linux-PAM is in use. This also prevents older versions of Linux-PAM from dereferencing the NULL pointer.
 o The user's password was not zeroed after use when AIX authentication, BSD authentication, FWTK or PAM was in use.

Changes since sudo 1.6.5:

 o Visudo could access memory that was already freed.
 o If the skey.access file denied use of plaintext passwords sudo would exit instead of allowing the user to enter an S/Key.

sudo 1.6.5p2 distribution:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.5p2.tar.gz

Master WWW site:
    http://www.sudo.ws/sudo/dist/

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/
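The environment handling that runs through the announcements above (the 1.6.4 notes on building the environment by hand, stripping NLSPATH and PATH_LOCALE, the env_reset/env_keep/env_check/env_delete Defaults and the class of variables cleared only when they contain '/' or '%'; the 1.6.4p2 fix that resets SHELL from the passwd database; and the Security Alert's remedy, in 1.6.5, of running a root mailer with a hard-coded environment) is shown below as an added example in C. This is illustration code written for this page, not sudo's own source: the variable lists, the sample user environment and the fixed mailer environment are constructed, and the names build_clean_env, mailer_env, env_get and free_env are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed lists standing in for sudo's builtin table and the env_delete,
   env_check and env_keep Defaults an administrator would set (assumed). */
static const char *const env_delete[] = { "NLSPATH", "PATH_LOCALE", NULL };
static const char *const env_check[]  = { "TZ", "TERM", NULL };
static const char *const env_keep[]   = { "PATH", "HOME", "USER", "LOGNAME", NULL };

#define MAX_ENV 256     /* upper bound on entries in the built vector */

/* True if entry is "NAME=..." for the given NAME. */
static int var_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static int in_list(const char *entry, const char *const *list)
{
    for (; *list != NULL; list++)
        if (var_is(entry, *list))
            return 1;
    return 0;
}

/* Build a fresh environment vector by hand, never touching environ or getenv(3):
   env_delete variables are always dropped; env_check variables are dropped
   only if their value contains '/' or '%'; with reset != 0 (env_reset) anything
   not in env_keep is dropped as well; SHELL always comes from the passwd
   database shell the caller supplies, never from the input (the 1.6.4p2 fix).
   Returns a NULL-terminated heap vector to release with free_env(). */
char **build_clean_env(char *const *in, int reset, const char *pw_shell)
{
    char **out = calloc(MAX_ENV + 1, sizeof *out);
    size_t n = 0, len;

    if (out == NULL)
        return NULL;
    for (; *in != NULL && n < MAX_ENV - 1; in++) {
        const char *eq = strchr(*in, '=');
        if (eq == NULL || var_is(*in, "SHELL"))
            continue;                  /* malformed, or replaced below */
        if (in_list(*in, env_delete))
            continue;
        if (in_list(*in, env_check) && strpbrk(eq + 1, "/%") != NULL)
            continue;
        if (reset && !in_list(*in, env_keep))
            continue;
        if ((out[n] = malloc(strlen(*in) + 1)) == NULL)
            break;
        strcpy(out[n++], *in);
    }
    len = strlen("SHELL=") + strlen(pw_shell) + 1;
    if ((out[n] = malloc(len)) != NULL)
        snprintf(out[n++], len, "SHELL=%s", pw_shell);
    out[n] = NULL;
    return out;
}

/* The 1.6.5 approach for a mailer run as root: a hard-coded environment the
   invoking user cannot influence, passed to execve(2) as envp. The values are
   constructed for this example. */
char *const mailer_env[] = {
    "TERM=dumb", "PATH=/usr/bin:/bin:/usr/sbin:/sbin",
    "LOGNAME=root", "USER=root", "HOME=/", NULL
};

/* Look up NAME in a vector; returns its value or NULL if absent. */
const char *env_get(char *const *env, const char *name)
{
    for (; *env != NULL; env++)
        if (var_is(*env, name))
            return *env + strlen(name) + 1;
    return NULL;
}

void free_env(char **env)
{
    for (size_t i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

int main(void)
{
    /* Constructed sample of an invoking user's environment. */
    char *const user_env[] = { "PATH=/usr/bin:/bin", "HOME=/home/alice",
        "USER=alice", "SHELL=/home/alice/bin/othersh", "NLSPATH=/tmp/%N",
        "TZ=/tmp/zone", "TERM=xterm", "EDITOR=vi", NULL };
    char **env = build_clean_env(user_env, 1, "/bin/sh");

    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        puts(env[i]);               /* PATH, HOME, USER, then SHELL=/bin/sh */
    if (env != NULL)
        free_env(env);
    return 0;
}
```

With reset off, the sample loses only NLSPATH (always deleted), TZ (an env_check variable whose value contains '/') and the user's SHELL, which is replaced by the passwd-database shell; with env_reset on, everything outside the keep list goes too. For the root-run mailer the point of mailer_env is that nothing from the invoking user's environment is consulted at all, which is what makes the Postfix case in the Security Alert moot: the mailer sees only values the administrator compiled in.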