[sudo-workers] sudo 1.8.20rc3 released
Todd C. Miller
Todd.Miller at courtesan.com
Fri May 5 12:39:36 MDT 2017
The third release candidate for sudo 1.8.20 is now available.
For a list of download mirror sites, see:
Sudo web site:
Sudo web site mirrors:

Major changes between sudo 1.8.20rc2 and 1.8.20rc3:
 * Fixed some minor coverity warnings.
 * Updated Hungarian translation from translationproject.org.
 * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
   option could not be used in a positive boolean context, only
   a negative one.

Major changes between sudo 1.8.20rc1 and 1.8.20rc2:
 * Fixed exponential behavior in sudo's glob() replacement
   with respect to multiple '*' characters.
 * Sudo no longer needs to display a message when a command
   running in a pseudo-tty is killed by a signal. Now that
   the main sudo process delivers the same signal to itself
   the parent shell will display the message itself.

Major changes between sudo 1.8.20b2 and 1.8.20rc1:
 * Fixed a typo that resulted in a compilation error on systems
   where the killpg() function is not found by configure.
 * Fixed a compilation error with the included version of zlib
   when sudo was built outside the source tree.
 * Fixed the exit value of sudo when the command is terminated by
   a signal other than SIGINT. This was broken in sudo 1.8.15 by
   the fix for Bug #722. Bug #784.

Major changes between sudo 1.8.20b1 and 1.8.20b2:
 * Updated translations from translationproject.org.
 * Fixed a use after free bug in the SSSD backend when the fqdn
   sudoOption is set and no hostname value is present in sssd.conf.

Major changes between sudo 1.8.19p2 and 1.8.20b1:
 * Added support for SASL_MECH in ldap.conf. Bug #764
 * Added support for digest matching when the command is a glob-style
   pattern or a directory. Previously, only explicit path matches
   supported digest checks.
 * New "fdexec" Defaults option to control whether a command
   is executed by path or by open file descriptor.
 * The embedded copy of zlib has been upgraded to version 1.2.11.
 * Fixed a bug that prevented sudoers include files with a relative
   path starting with the letter 'i' from being opened. Bug #776.
 * Added support for command timeouts in sudoers. The command will
   be terminated if the timeout expires.
 * The SELinux role and type are now displayed in the "sudo -l"
   output for the LDAP and SSSD backends, just as they are in the
 * A new command line option, -T, can be used to specify a command
   timeout as long as the user-specified timeout is not longer than
   the timeout specified in sudoers. This option may only be
   used when the "user_command_timeouts" flag is enabled in sudoers.
 * Added NOTBEFORE and NOTAFTER command options to the sudoers
   backend similar to what is already available in the LDAP backend.
 * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
   crypt instead of the SHA2 implementation bundled with sudo.
 * Fixed a compilation error on systems without the stdbool.h header
   file. Bug #778.
 * Fixed a compilation error in the standalone Kerberos V authentication
   module. Bug #777.
 * Added the iolog_flush flag to sudoers which causes I/O log data
   to be written immediately to disk instead of being buffered.
 * I/O log files are now created with group ID 0 by default unless
   the "iolog_user" or "iolog_group" options are set in sudoers.
 * It is now possible to store I/O log files on an NFS-mounted
   file system where uid 0 is remapped to an unprivileged user.
   The "iolog_user" option must be set to a non-root user and the
   top-level I/O log directory must exist and be owned by that user.
 * Added the restricted_env_file setting to sudoers which is similar
   to env_file but its contents are subject to the same restrictions
   as variables in the invoking user's environment.
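
The rc2 entry above about exponential behavior in sudo's glob() replacement concerns patterns containing several '*' characters. The following is an added example, not sudo's code and not the fix that was applied: it contrasts a naive recursive wildcard matcher with an iterative one that keeps a single backtrack point. The function names, the pattern and the file name are constructed for illustration, and only literals and '*' are handled.

```c
#include <stdio.h>

static unsigned long steps;   /* work counter shared by both matchers */

/* Naive recursive matcher: each '*' retries every suffix of the name. */
int match_naive(const char *p, const char *s)
{
    steps++;
    if (*p == '\0') return *s == '\0';
    if (*p == '*')
        for (;; s++) {
            if (match_naive(p + 1, s))
                return 1;
            if (*s == '\0')
                return 0;
        }
    return *p == *s && match_naive(p + 1, s + 1);
}

/* Iterative matcher: remembers only the most recent '*' and resumes there. */
int match_iter(const char *p, const char *s)
{
    const char *star = NULL, *resume = NULL;
    while (*s != '\0') {
        steps++;
        if (*p == '*') {
            star = p++;           /* later mismatches restart after this '*' */
            resume = s;
        } else if (*p == *s) {
            p++, s++;
        } else if (star != NULL) {
            p = star + 1;         /* let the last '*' absorb one more char */
            s = ++resume;
        } else
            return 0;
    }
    while (*p == '*') p++;        /* trailing stars match the empty string */
    return *p == '\0';
}

int main(void)
{
    /* Constructed input: six '*' and a name that can never match. */
    const char *pat = "a*a*a*a*a*a*b", *name = "aaaaaaaaaaaaaaaaaaaaaaaa";
    int r = match_naive(pat, name);
    printf("naive: match=%d steps=%lu\n", r, steps);
    steps = 0;
    r = match_iter(pat, name);
    printf("iter:  match=%d steps=%lu\n", r, steps);
    return 0;
}
```

With k stars and a non-matching name of n characters, the naive matcher's work grows on the order of n^k, while the iterative one is bounded by the product of the pattern and name lengths.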