[sudo-announce] sudo 1.8.12 released

Todd C. Miller Todd.Miller at courtesan.com
Tue Feb 10 09:28:10 MST 2015

Hash: SHA1

Sudo version 1.8.12 is now available.  In addition to bug fixes,
sudo 1.8.12 features an updated debug framework where debugging for
the plugins is now configured separately from the sudo front-end.
Multiple debug files are supported per program.  There is also new
support for directly querying an LDAP server for a user's netgroups.

Sudo 1.8.12 also includes a security fix that affects how the TZ
environment variable is handled.  For more information, please see


SHA256 checksum:
MD5 checksum:

Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.8.12 and 1.8.11p2:

 * The embedded copy of zlib has been upgraded to version 1.2.8 and
   is now installed as a shared library where supported.

 * Debug settings for the sudo front end and sudoers plugin are now
   configured separately.

 * Multiple sudo.conf Debug entries may now be specified per program
   (or plugin).

 * The plugin API has been extended such that the path to the plugin
   that was loaded is now included in the settings array.  This
   path can be used to register with the debugging subsystem.  The
   debug_flags setting is now prefixed with a file name and may be
   specified multiple times if there is more than one matching Debug
   setting in sudo.conf.

 * The sudoers regression tests now run with the locale set to C
   since some of the tests compare output that includes locale-specific
   messages.  Bug #672

 * Fixed a bug where sudo would not run commands on Linux when
   compiled with audit support if audit is disabled.  Bug #671

 * Added __BASH_FUNC<* to the environment blacklist to match
   Apple's syntax for newer-style bash functions.

 * The default password prompt now includes a trailing space after
   "Password:" for consistency with su(1) on most systems.
   Bug #663

 * Fixed a problem on DragonFly BSD where SIGCHLD could be ignored,
   preventing sudo from exiting.  Bug #676

 * Visudo will now use the optional sudoers_file, sudoers_mode,
   sudoers_uid and sudoers_gid arguments if specified on the
   sudoers.so Plugin line in the sudo.conf file.

 * Fixed a problem introduced in sudo 1.8.8 that prevented the full
   host name from being used when the "fqdn" sudoers option is used.
   Bug #678

 * French and Russian translations for sudoers from translationproject.org.

 * Sudo now installs a handler for SIGCHLD signal handler immediately
   before stating the process that will execute the command (or
   start the monitor).  The handler used to be installed earlier
   but this causes problems with poorly behaved PAM modules that
   install their own SIGCHLD signal handler and neglect to restore
   sudo's original handler.  Bug #657

 * Removed a limit on the length of command line arguments expanded
   by a wild card using sudo's version of the fnmatch() function.
   This limit was introduced when sudo's version of fnmatch()
   was replaced in sudo 1.8.4.

 * LDAP-based sudoers can now query an LDAP server for a user's
   netgroups directly.  This is often much faster than fetching
   every sudoRole object containing a sudoUser that begins with a
   `+' prefix and checking whether the user is a member of any of
   the returned netgroups.

 * The mail_always sudoers option no longer sends mail for "sudo -l"
   or "sudo -v" unless the user is unable to authenticate themselves.

 * Fixed a crash when sudo is run with an empty argument vector.

 * Fixed two potential crashes when sudo is run with very low
   resource limits.

 * The TZ environment variable is now checked for safety instead
   of simply being copied to the environment of the command.
Version: GnuPG v1


More information about the sudo-announce mailing list