[sudo-announce] sudo 1.9.11p3 released

Todd C. Miller Todd.Miller at sudo.ws
Tue Jun 21 10:22:04 MDT 2022 

Sudo version 1.9.11 patchlevel 3 is now available which fixes issues
with the "intercept" and "log_subcmds" sudoers options on AIX.

Source:
    https://www.sudo.ws/dist/sudo-1.9.11p3.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.11p3.tar.gz

SHA256 checksum:
    4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70
MD5 checksum:
    07e95c947129d8820c78caa1fc79c7fd

Binary packages:
    https://www.sudo.ws/getting/packages/
    https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_11p3

For a list of download mirror sites, see:
    https://www.sudo.ws/getting/download_mirrors/

Sudo web site:
    https://www.sudo.ws/

Major changes between sudo 1.9.11p3 and 1.9.11p2:

 * Fixed "connection reset" errors on AIX when running shell scripts
   with the "intercept" or "log_subcmds" sudoers options enabled.
   Bug #1034.

 * Fixed very slow execution of shell scripts when the "intercept"
   or "log_subcmds" sudoers options are set on systems that enable
   Nagle's algorithm on the loopback device, such as AIX.
   Bug #1034.

Major changes between sudo 1.9.11p2 and 1.9.11p1:

 * Fixed a compilation error on Linux/x86_64 with the x32 ABI.

 * Fixed a regression introduced in 1.9.11p1 that caused a warning
   when logging to sudo_logsrvd if the command returned no output.

Major changes between sudo 1.9.11p1 and 1.9.11:

 * Correctly handle EAGAIN in the I/O read/right events.  This fixes
   a hang seen on some systems when piping a large amount of data
   through sudo, such as via rsync.  Bug #963.

 * Changes to avoid implementation or unspecified behavior when
   bit shifting signed values in the protobuf library.

 * Fixed a compilation error on Linux/aarch64.

 * Fixed the configure check for seccomp(2) support on Linux.

 * Corrected the EBNF specification for tags in the sudoers manual
   page.  GitHub issue #153.

Major changes between sudo 1.9.11 and 1.9.10:

 * Fixed a crash in the Python module with Python 3.9.10 on some
   systems.  Additionally, "make check" now passes for Python 3.9.10.

 * Error messages sent via email now include more details, including
   the file name and the line number and column of the error.
   Multiple errors are sent in a single message.  Previously, only
   the first error was included.

 * Fixed logging of parse errors in JSON format.  Previously,
   the JSON logger would not write entries unless the command and
   runuser were set.  These may not be known at the time a parse
   error is encountered.

 * Fixed a potential crash parsing sudoers lines larger than twice
   the value of LINE_MAX on systems that lack the getdelim() function.

 * The tests run by "make check" now unset the LANGUAGE environment
   variable.  Otherwise, localization strings will not match if
   LANGUAGE is set to a non-English locale.  Bug #1025.

 * The "starttime" test now passed when run under Debian faketime.
   Bug #1026.

 * The Kerberos authentication module now honors the custom password
   prompt if one has been specified.

 * The embedded copy of zlib has been updated to version 1.2.12.

 * Updated the version of libtool used by sudo to version 2.4.7.

 * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
   in the header files (currently only GNU libc).  This is required
   to allow the use of 64-bit time values on some 32-bit systems.

 * Sudo's "intercept" and "log_subcmds" options no longer force the
   command to run in its own pseudo-terminal.  It is now also
   possible to intercept the system(3) function.

 * Fixed a bug in sudo_logsrvd when run in store-first relay mode
   where the commit point messages sent by the server were incorrect
   if the command was suspended or received a window size change
   event.

 * Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
   configuration setting was used.

 * The "intercept" and "log_subcmds" functionality can now use
   ptrace(2) on Linux systems that support seccomp(2) filtering.
   This has the advantage of working for both static and dynamic
   binaries and can work with sudo's SELinux RBAC mode.  The following
   architectures are currently supported: i386, x86_64, aarch64,
   arm, mips (log_subcmds only), powerpc, riscv, and s390x.  The
   default is to use ptrace(2) where possible; the new "intercept_type"
   sudoers setting can be used to explicitly set the type.

 * New Georgian translation from translationproject.org.

 * Fixed creating packages on CentOS Stream.

 * Fixed a bug in the intercept and log_subcmds support where
   the execve(2) wrapper was using the current environment instead
   of the passed environment pointer.  Bug #1030.

 * Added AppArmor integration for Linux.  A sudoers rule can now
   specify an APPARMOR_PROFILE option to run a command confined by
   the named AppArmor profile.

 * Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
   Non-paths were being treated as paths and an actual path was
   treated as an error.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.sudo.ws/pipermail/sudo-announce/attachments/20220621/76e3e19f/attachment.bin>

More information about the sudo-announce mailing list