[sudo-announce] sudo 1.9.7p1 released
Todd C. Miller
Todd.Miller at sudo.ws
Fri Jun 11 15:58:03 MDT 2021
Sudo version 1.9.7 patchelevel 1 is now available which fixes a few
minor bugs in sudo 1.9.7.
Source:
https://www.sudo.ws/dist/sudo-1.9.7p1.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.7p1.tar.gz
SHA256 checksum:
391431f454e55121b60c6ded0fcf30ddb80d623d7d16a6d1907cfa6a0b91d8cf
MD5 checksum:
0ea3649ef66df80e6ecd04d45ea0f762
Binary packages:
https://www.sudo.ws/download.html#binary
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_7p1
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.7p1 and 1.9.7
* Fixed an SELinux sudoedit bug when the edited temporary file
could not be opened. The sesh helper would still be run even
when there are no temporary files available to install.
* Fixed a compilation problem on FreeBSD.
* The sudo_noexec.so file is now built as a module on all systems
other than macOS. This makes it possible to use other libtool
implementations such as slibtool. On macOS shared libraries and
modules are not interchangeable and the version of libtool shipped
with sudo must be used.
* Fixed a few bugs in the getgrouplist() emulation on Solaris when
reading from the local group file.
* Fixed a bug in sudo_logsrvd that prevented periodic relay server
connection retries from occurring in "store_first" mode.
* Disabled the nss_search()-based getgrouplist() emulation on HP-UX
due to a crash when the group source is set to "compat" in
/etc/nsswitch.conf. This is probably due to a mismatch between
include/compat/nss_dbdefs.h and what HP-UX uses internally. On
HP-UX we now just cycle through groups the slow way using
getgrent(). Bug #978.
Major changes between sudo 1.9.7 and 1.9.6p1
* The "fuzz" Makefile target now runs all the fuzzers for 8192
passes (can be overridden via the FUZZ_RUNS variable). This makes
it easier to run the fuzzers in-tree. To run a fuzzer indefinitely,
set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".
* Fixed fuzzing on FreeBSD where the ld.lld linker returns an
error by default when a symbol is multiply-defined.
* Added support for determining local IPv6 addresses on systems
that lack the getifaddrs() function. This now works on AIX,
HP-UX and Solaris (at least). Bug #969.
* Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
report a usage error. Also, when invoked as sudoedit, sudo now
allows a more restricted set of options that matches the usage
statement and documentation. GitHub issue #95.
* Fixed a crash in sudo_sendlog when the specified certificate
or key does not exist or is invalid. Bug #970.
* Fixed a compilation error when sudo is configured with the
--disable-log-client option.
* Sudo's limited support for SUCCESS=return entries in nsswitch.conf
is now documented. Bug #971.
* Sudo now requires autoconf 2.70 or higher to regenerate the
configure script. Bug #972.
* sudo_logsrvd now has a relay mode which can be used to create
a hierarchy of log servers. By default, when a relay server is
defined, messages from the client are forwarded immediately to
the relay. However, if the "store_first" setting is enabled,
the log will be stored locally until the command completes and
then relayed. Bug #965.
* Sudo now links with OpenSSL by default if it is available unless
the --disable-openssl configure option is used or both the
--disable-log-client and --disable-log-server configure options
are specified.
* Fixed configure's Python version detection when the version minor
number is more than a single digit, for example Python 3.10.
* The sudo Python module tests now pass for Python 3.10.
* Sudo will now avoid changing the datasize resource limit
as long as the existing value is at least 1GB. This works around
a problem on 64-bit HP-UX where it is not possible to exactly
restore the original datasize limit. Bug #973.
* Fixed a race condition that could result in a hang when sudo is
executed by a process where the SIGCHLD handler is set to SIG_IGN.
This fixes the bug described by GitHub PR #98.
* Fixed an out-of-bounds read in sudoedit and visudo when the
EDITOR, VISUAL or SUDO_EDITOR environment variables end in an
unescaped backslash. Also fixed the handling of quote characters
that are escaped by a backslash. GitHub issue #99.
* Fixed a bug that prevented the "log_server_verify" sudoers option
from taking effect.
* The sudo_sendlog utility has a new -s option to cause it to stop
sending I/O records after a user-specified elapsed time. This
can be used to test the I/O log restart functionality of sudo_logsrvd.
* Fixed a crash introduced in sudo 1.9.4 in sudo_logsrvd when
attempting to restart an interrupted I/O log transfer.
* The TLS connection timeout in the sudoers log client was previously
hard-coded to 10 seconds. It now uses the value of log_server_timeout.
* The configure script now outputs a summary of the user-configurable
options at the end, separate from output of configure script tests.
Bug #820.
* Corrected the description of which groups may be specified via the
-g option in the Runas_Spec section. Bug #975.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.sudo.ws/pipermail/sudo-announce/attachments/20210611/569b1c5a/attachment.bin>
More information about the sudo-announce
mailing list