[sudo-workers] sudo 1.9.6rc1 released

Todd C. Miller Todd.Miller at sudo.ws
Thu Mar 11 07:21:00 MST 2021

The first release candidate of sudo 1.9.6 is now available.  This
is primarily a bug fix release that contains fixes to minor issues
found while fuzzing the sudo code base.


SHA256 checksum:

MD5 checksum:

Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.9.6rc1 and 1.9.6b2:

 * Updated translations from translationproject.org.

 * Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.
   Bug #968.

 * Fixed a compilation problem on systems with pre-C99 headers when
   the compiler supports C99.

 * Fixed package build on Solaris 11.4.

 * Fixed compilation problems on FreeBSD and NetBSD.

Major changes between sudo 1.9.6b2 and 1.9.6b1:

 * Fixed a potential use-after-free in the PAM conversation function.
   Bug #967.

 * Updated translations from translationproject.org.

Major changes between sudo 1.9.6b1 and 1.9.5p2:

 * Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.

 * Fixed a regression introduced in sudo 1.9.4 where the
   --disable-root-mailer configure option had no effect.

 * Added a --disable-leaks configure option that avoids some
   memory leaks on exit that would otherwise occur.  This is intended
   to be used with development tools that measure memory leaks.  It
   is not safe to use in production at this time.

 * Plugged some memory leaks identified by oss-fuzz and ASAN.

 * Fixed the handling of sudoOptions for an LDAP sudoRole that
   contains multiple sudoCommands.  Previously, some of the options
   would only be applied to the first sudoCommand.

 * Fixed a potential out of bounds read in the parsing of NOTBEFORE
   and NOTAFTER sudoers command options (and their LDAP equivalents).

 * The parser used for reading I/O log JSON files is now more
   resilient when processing invalid JSON.

 * Fixed typos that prevented "make uninstall" from working.
   GitHub issue #87.

 * Fixed a regression introduced in sudo 1.9.4 where the last line
   in a sudoers file might not have a terminating NUL character
   added if no newline was present.

 * Integrated oss-fuzz and LLVM's libFuzzer with sudo.  The new
   --enable-fuzzer configure option can be combined with the
   --enable-sanitizer option to build sudo with fuzzing support.
   Multiple fuzz targets are available for fuzzing different parts
   of sudo.  Fuzzers are built and tested via "make fuzz" or as part
   of "make check" (even when sudo is not built with fuzzing support).
   Fuzzing support currently requires the LLVM clang compiler (not gcc).

 * Fixed the --enable-static-sudoers configure option.
   GitHub issue #92.

 * Fixed a potential out of bounds read when sudo is run by a user
   with more groups than the value of "max_groups" in sudo.conf.

 * Added an "admin_flag" sudoers option to make the use of the
   ~/.sudo_as_admin_successful file configurable on systems where
   sudo is built with the --enable-admin-flag configure option.
   This mostly affects Ubuntu and its derivatives.  GitHub issue #56.

 * The "max_groups" setting in sudo.conf is now limited to 1024.
   This setting is obsolete and should no longer be needed.

 * Fixed a bug in the tilde expansion of "CHROOT=dir" and "CWD=dir"
   sudoers command options.  A path "~/foo" was expanded to
   "/home/userfoo" instead of "/home/user/foo".  This also affects
   the runchroot and runcwd Defaults settings.
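As an added illustration of the off-by-one described in the CHROOT/CWD item above (this is not sudo's own code; the function names and the home directory "/home/user" are hypothetical), a minimal tilde expander is shown beside a variant that strips the separator and so produces "/home/userfoo":

```c
#include <stdlib.h>
#include <string.h>

/* Concatenate a and b into a newly malloc'd string (NULL on failure). */
static char *join(const char *a, const char *b)
{
    size_t alen = strlen(a), blen = strlen(b);
    char *out = malloc(alen + blen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, a, alen);
    memcpy(out + alen, b, blen + 1);   /* +1 copies the terminating NUL */
    return out;
}

/* Correct expansion: a leading "~" is replaced by home only when it is
 * the whole path or is followed by '/', and that '/' is preserved, so
 * "~/foo" with home "/home/user" yields "/home/user/foo".
 * Anything else ("~bob/foo", "/etc/foo") is returned unchanged. */
char *expand_tilde(const char *path, const char *home)
{
    if (path[0] == '~' && (path[1] == '/' || path[1] == '\0'))
        return join(home, path + 1);   /* path + 1 still starts with '/' */
    return join(path, "");
}

/* The defective variant: it skips "~/" (two characters) and never
 * re-inserts the separator, producing "/home/userfoo".  Kept only to
 * show the failure mode the release note describes. */
char *expand_tilde_buggy(const char *path, const char *home)
{
    if (path[0] == '~' && path[1] == '/')
        return join(home, path + 2);   /* drops the '/' */
    if (path[0] == '~' && path[1] == '\0')
        return join(home, "");
    return join(path, "");
}
```

The caller owns the returned buffer and must free it.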

 * Fixed a bug on systems without a native getdelim(3) function
   where very long lines could cause parsing of the sudoers file
   to end prematurely.  Bug #960.

 * Fixed a potential integer overflow when converting the
   timestamp_timeout and passwd_timeout sudoers settings to a
   timespec struct.

 * The default for the "group_source" setting in sudo.conf is now
   "dynamic" on macOS.  Recent versions of macOS do not reliably
   return all of a user's non-local groups via getgroups(2), even
   when _DARWIN_UNLIMITED_GETGROUPS is defined.  Bug #946.