[sudo-workers] sudo 1.8.22b3 released
Todd C. Miller
Todd.Miller at sudo.ws
Fri Dec 22 14:04:49 MST 2017

The third beta version of sudo 1.8.22 is now available. Sudo
1.8.22 is primarily a bug fix release. It fixes several long-standing
issues with job control when I/O logging is enabled as well as
fixing a potential time stamp file re-use problem.

The sudo distribution files are now signed with a new pgp key.
The PGPKEYS file has been updated accordingly.

Source:
    https://www.sudo.ws/sudo/dist/beta/sudo-1.8.22b3.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.8.22b3.tar.gz

SHA256 checksum:
    ae3ca2734ad0134d4da3c6bb6143422bbf73258ca1c34080c1aa50f9f15a981a

MD5 checksum:
    76d19c7d8360a6e442366c72b2f0a556

Binary packages:
    https://www.sudo.ws/sudo/dist/beta/packages/index.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/sudo/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/sudo/

Sudo web site mirrors:
    https://www.sudo.ws/sudo/mirrors.html

Major changes between sudo 1.8.22b3 and 1.8.22b2:

 * The sudoers time stamp file format is now documented in the new
   sudoers_timestamp manual.

 * The "timestamp_type" option now takes a "kernel" value on OpenBSD
   systems. This causes the tty-based time stamp to be stored in
   the kernel instead of on the file system. If no tty is present,
   the time stamp is considered to be invalid.

 * Visudo will now use the SUDO_EDITOR environment variable (if
   present) in addition to VISUAL and EDITOR.

 * Updated translations from translationproject.org.

Major changes between sudo 1.8.22b2 and 1.8.22b1:

 * A new "authfail_message" sudoers option that overrides the
   default "N incorrect password attempt(s)".

 * An empty sudoRunAsUser attribute in the LDAP and SSSD backends
   will now match the invoking user. This is more consistent with
   how an empty runas user in the sudoers file is treated.

 * Documented that in check mode, visudo does not check the owner/mode
   on files specified with the -f flag. Bug #809.

 * It is now an error to specify the runas user as an empty string
   on the command line. Previously, an empty runas user was treated
   the same as an unspecified runas user. Bug #817.

 * When the "timestamp_type" option is set to "tty" and a terminal is
   present, the time stamp record will now include the start time
   of the session leader. When the "timestamp_type" option is set
   to "ppid" or when no terminal is available, the start time of
   the parent process is used instead. This significantly reduces
   the likelihood of a time stamp record being re-used when a user
   logs out and back in again. Bug #818.

Major changes between sudo 1.8.22b1 and 1.8.21p2:

 * Commands run in the background from a script run via sudo will
   no longer receive SIGHUP when the parent exits and I/O logging
   is enabled. Bug #502

 * A particularly offensive insult is now disabled by default.
   Bug #804

 * The description of "sudo -i" now correctly documents that
   the "env_keep" and "env_check" sudoers options are applied to
   the environment. Bug #806

 * Fixed a crash when the system's host name is not set.
   Bug #807

 * The sudoers2ldif script now handles #include and #includedir
   directives.

 * Fixed a bug where sudo would silently exit when the command was
   not allowed by sudoers and the "passwd_tries" sudoers option
   was set to a value less than one.

 * Fixed a bug with the "listpw" and "verifypw" sudoers options and
   multiple sudoers sources. If the option is set to "all", a
   password should be required unless none of a user's sudoers
   entries from any source require authentication.

 * Fixed a bug with the "listpw" and "verifypw" sudoers options in
   the LDAP and SSSD back-ends. If the option is set to "any", and
   the entry contained multiple rules, only the first matching rule
   was checked. If an entry contained more than one matching rule
   and the first rule required authentication but a subsequent rule
   did not, sudo would prompt for a password when it should not have.

 * When running a command as the invoking user (not root), sudo
   would execute the command with the same group vector it was
   started with. Sudo now executes the command with a new group
   vector based on the group database which is consistent with
   how su(1) operates.

 * Fixed a double free in the SSSD back-end that could occur when
   ipa_hostname is present in sssd.conf and is set to an unqualified
   host name.

 * When I/O logging is enabled, sudo will now write to the terminal
   even when it is a background process. Previously, sudo would
   only write to the tty when it was the foreground process when
   I/O logging was enabled. If the TOSTOP terminal flag is set,
   sudo will suspend the command (and then itself) with the SIGTTOU
   signal.
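
An added illustration of the Bug #818 item in the announcement above (not code from sudo or from the announcement): a simplified model of time stamp record matching, showing why also comparing the session leader's start time stops a record from being re-used after a logout and fresh login. The struct layout, function names and sample values are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <time.h>

/* Simplified, hypothetical record model; not sudo's on-disk layout. */
enum ts_type { TS_TTY, TS_PPID };

struct ts_record {
    enum ts_type type;
    uid_t auth_uid;              /* user that authenticated */
    dev_t ttydev;                /* terminal device, TS_TTY only */
    pid_t pid;                   /* session leader (TS_TTY) or parent (TS_PPID) */
    struct timespec start_time;  /* start time of that process */
    time_t auth_time;            /* when authentication succeeded */
};

/* Matching on identifiers alone: tty, uid and pid can all recur. */
static bool match_ids(const struct ts_record *rec, const struct ts_record *cur)
{
    if (rec->type != cur->type || rec->auth_uid != cur->auth_uid)
        return false;
    if (rec->type == TS_TTY && rec->ttydev != cur->ttydev)
        return false;
    return rec->pid == cur->pid;
}

/* Matching that also requires the same process start time. */
static bool match_ids_and_start(const struct ts_record *rec, const struct ts_record *cur)
{
    return match_ids(rec, cur) &&
        rec->start_time.tv_sec == cur->start_time.tv_sec &&
        rec->start_time.tv_nsec == cur->start_time.tv_nsec;
}

/* A record lets the user skip the password only if it matches and is fresh. */
static bool record_usable(const struct ts_record *rec, const struct ts_record *cur,
    time_t now, time_t timeout, bool check_start)
{
    bool same = check_start ? match_ids_and_start(rec, cur) : match_ids(rec, cur);
    return same && now >= rec->auth_time && now - rec->auth_time <= timeout;
}

/* Constructed scenario: logout, then login on the same tty with a recycled pid. */
static const struct ts_record old_login = { TS_TTY, 1000, 0x8803, 4242, { 1000, 0 }, 5000 };
static const struct ts_record new_login = { TS_TTY, 1000, 0x8803, 4242, { 5120, 0 }, 0 };

int main(void)
{
    printf("ids only:       %d\n", record_usable(&old_login, &new_login, 5200, 300, false));
    printf("ids+start time: %d\n", record_usable(&old_login, &new_login, 5200, 300, true));
    return 0;
}
```

All times are seconds on one constructed clock; the 300-second timeout is likewise a sample value.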