non port: security/sudo/Makefile |
Number of commits found: 254 (showing only 100 on this page) |
Wednesday, 28 Feb 2024
|
17:11 Renato Botelho (garga)
security/sudo: Mark SSSD option as deprecated
security/sssd is marked as deprecated, add a note on option description
Sponsored by: Rubicon Communications, LLC ("Netgate")
b30c216 |
Thursday, 15 Feb 2024
|
21:28 Dan Langille (dvl)
security/sudo: rename the SSSD_DEVEL option to SSSD2
security/sssd-devel was renamed to security/sssd2
PR: 277077
61cfe85 |
Wednesday, 24 Jan 2024
|
21:37 Dan Langille (dvl)
security/sudo: re-add sssd-devel option
sudo already allows for the use of security/sssd (SSSD)
This patch allows for selecting security/sssd-devel (SSSD_DEVEL)
instead.
Also updates security/sssd-devel, elminating a circular dependency.
PR: 276598 272571
2f448a8 |
Tuesday, 16 Jan 2024
|
14:02 Renato Botelho (garga)
*/*: Restore GNU_CONFIGURE on my ports
I made a mistake and changed these ports to HAS_CONFIGURE when working
on MANPREFIX sanitization. Restore proper macro usage and set
GNU_CONFIGURE_MANPREFIX properly to keep manpages installed under
${PREFIX}/share.
Reported by: danfe
Sponsored by: Rubicon Communications, LLC ("Netgate")
08a9c4d |
Monday, 15 Jan 2024
|
21:37 Renato Botelho (garga)
security/sudo: Move manpages to ${PREFIX}/share
Sponsored by: Rubicon Communications, LLC ("Netgate")
9385a69 |
Tuesday, 2 Jan 2024
|
14:17 Cy Schubert (cy)
security/sudo: Update to 1.9.15p5
Major changes between sudo 1.9.15p5 and 1.9.15p4:
* Fixed evaluation of the "lecture", "listpw", "verifypw", and
"fdexec" sudoers Defaults settings when used without an explicit
value. Previously, if specified without a value they were
evaluated as boolean "false", even when the negation operator
('!') was not present.
* Fixed a bug introduced in sudo 1.9.14 that prevented LDAP
netgroup queries using the NETGROUP_BASE setting from being
performed.
* Sudo will now transparently rename a user's lecture file from
the older name-based path to the newer user-ID-based path.
GitHub issue #342.
* Fixed a bug introduced in sudo 1.9.15 that could cause a memory
allocation failure if sysconf(_SC_LOGIN_NAME_MAX) fails. Bug #1066.
PR: 276032
Approved by: garga (maintainer)
MFH: 2024Q1
82e608c |
Tuesday, 19 Dec 2023
|
00:25 Cy Schubert (cy)
security/sudo: Update to 1.9.15p4
Major changes between sudo 1.9.15p4 and 1.9.15p3:
* Fixed a bug introduced in sudo 1.9.15 that could prevent a user's
privileges from being listed by "sudo -l" if the sudoers entry
in /etc/nsswitch.conf contains "[SUCCESS=return]". This did not
affect the ability to run commands via sudo. Bug #1063.
PR: 275788
Approved by: garga (maintainer)
MFH: 2023Q4
fb89252 |
Thursday, 14 Dec 2023
|
13:53 Cy Schubert (cy)
security/sudo: Update to 1.9.15p3
Major changes between sudo 1.9.15p3 and 1.9.15p2:
* Always disable core dumps when sudo sends itself a fatal signal.
Fixes a problem where sudo could potentially dump core dump when
it re-sends the fatal signal to itself. This is only an issue
if the command received a signal that would normally result in
a core dump but the command did not actually dump core.
* Fixed a bug matching a command with a relative path name when
the sudoers rule uses shell globbing rules for the path name.
Bug #1062.
* Permit visudo to be run even if the local host name is not set.
GitHub issue #332.
* Fixed an editing error introduced in sudo 1.9.15 that could
prevent sudoreplay from replaying sessions correctly.
GitHub issue #334.
* Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null"
could hang on Linux systems. GitHub issue #335.
* Fixed a bug introduced in sudo 1.9.15 where Solaris privileges
specified in sudoers were not applied to the command being run.
PR: 275754
Approved by: garga (maintainer)
MFH: 2023Q4
003e8e2 |
Thursday, 9 Nov 2023
|
18:00 Renato Botelho (garga)
security/sudo: Update to 1.9.15p2
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
Sponsored by: Rubicon Communications, LLC ("Netgate")
d4203ee |
Wednesday, 8 Nov 2023
|
11:19 Renato Botelho (garga)
security/sudo: Update to 1.9.15p1
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
PR: 274960
Reported by: Daniel Porsch <daniel.porsch@loopia.se>
Sponsored by: Rubicon Communications, LLC ("Netgate")
2c9adde |
Monday, 6 Nov 2023
|
18:13 Renato Botelho (garga)
security/sudo: Update to 1.9.15
While here:
- Prevent combination of SSSD and GSSAPI_HEIMDAL because sssd port
requires MIT kerberos and it will conflict with heimdal
- Removed SSSD_DEVEL option because sssd-devel port requires sudo and it
creates a circular dependency
- Fix OPIE on FreeBSD versions after it was removed from base
Sponsored by: Rubicon Communications, LLC ("Netgate")
dd773c1 |
Wednesday, 1 Nov 2023
|
12:00 Renato Botelho (garga)
security/sudo: Fix build with openssl from ports
Since SSL support is being changed and sudo can be built without it, add
a new SSL option, on by default.
When option is enabled, use --enable-openssl=${OPENSSLBASE} to make sure
it consumes desired OpenSSL implementation. Also add pkgconfig
dependency because configure script rely on it to detect openssl
details.
PR: 274753
Reported by: tburns@hrsd.com
Sponsored by: Rubicon Communications, LLC ("Netgate")
dbc4e4d |
Tuesday, 25 Jul 2023
|
13:44 Cy Schubert (cy)
security/sudo: Update to 1.9.14p3
Major changes between sudo 1.9.14p3 and 1.9.14p2:
* Fixed a crash with Python 3.12 when the sudo Python python is
unloaded. This only affects "make check" for the Python plugin.
* Adapted the sudo Python plugin test output to match Python 3.12.
PR: 272707
Approved by: garga (maintainer)
MFH: 2023Q3
2e3e2b5 |
Monday, 17 Jul 2023
|
14:20 Renato Botelho (garga)
security/sudo: Update to 1.9.14p2
Sponsored by: Rubicon Communications, LLC ("Netgate")
bc8853e |
Friday, 14 Jul 2023
|
13:06 Dan Langille (dvl)
security/sudo: add sssd-devel option
security/sudo already allows for the use of security/sssd (SSSD)
This patch allows for selecting security/sssd-devel (SSSD_DEVEL)
instead.
PR: 272488
c90c4cc |
Wednesday, 12 Jul 2023
|
12:46 Cy Schubert (cy)
security/sudo: Update to 1.9.14p1
Major changes between sudo 1.9.14p1 and 1.9.14:
* Fixed an "invalid free" bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
PR: 272456
Approved by: garga (maintainer)
MFH: 2023Q3
7bc586a |
12:44 Cy Schubert (cy)
Revert "security/sudo: Update to 1.9.14p1"
I forgot to put the PR number in its placeholder.
This reverts commit af3f8976df6f16a1a2554537e9c35188db653d0f.
c59ee60 |
12:42 Cy Schubert (cy)
security/sudo: Update to 1.9.14p1
Major changes between sudo 1.9.14p1 and 1.9.14:
* Fixed an "invalid free" bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
PR: NNNNNN
Approved by: garga (maintainer)
MFH: 2023Q3
af3f897 |
Thursday, 29 Jun 2023
|
13:28 Cy Schubert (cy)
security/sudo: Update to 1.9.14
PR: 272255
Approved by: garga (maintainer)
MFH" 2023Q2
20ef9f7 |
Tuesday, 20 Jun 2023
|
11:28 Renato Botelho (garga)
security/sudo: Ignore portscout
It doesn't understand sudo versioning scheme and keep giving false
alerts.
Sponsored by: Rubicon Communications, LLC ("Netgate")
8f55892 |
11:27 Renato Botelho (garga)
security/sudo: Pacify portclippy
No functional changes intended
Sponsored by: Rubicon Communications, LLC ("Netgate")
0601dee |
Thursday, 9 Mar 2023
|
03:48 Cy Schubert (cy) Author: Yasuhiro Kimura
security/sudo: Update to 1.9.13p3
PR 270002
Approved by: garga (maintainer - private email to myself, implicit)
message-id: 816dd4b5-0a0d-3dd2-4bcc-c9b3b1a4ddfd@FreeBSD.org
MFH: 2023Q1
ChangeLog: https://www.sudo.ws/releases/stable/#1.9.13p3
6ab8398 |
Wednesday, 1 Mar 2023
|
23:58 Cy Schubert (cy)
security/sudo: Update to 1.9.13p2
Major changes between sudo 1.9.13p2 and 1.9.13p1:
* Fixed the --enable-static-sudoers option, broken in sudo 1.9.13.
GitHub issue #245.
* Fixed a potential double-free bug when matching a sudoers rule
that contains a per-command chroot directive (CHROOT=dir). This
bug was introduced in sudo 1.9.8.
PR: 269854
Approved by: garga
MFH: 2023Q1
e974396 |
Monday, 20 Feb 2023
|
14:23 Renato Botelho (garga)
security/sudo: Upgrade to 1.9.13p1
Sponsored by: Rubicon Communications, LLC ("Netgate")
375637c |
Wednesday, 15 Feb 2023
|
19:29 Cy Schubert (cy)
security/sudo: Update to 1.9.13
Major changes between sudo 1.9.13 and 1.9.12p2:
* Fixed a bug running relative commands via sudo when "log_subcmds"
is enabled. GitHub issue #194.
* Fixed a signal handling bug when running sudo commands in a shell
script. Signals were not being forwarded to the command when
the sudo process was not run in its own process group.
* Fixed a bug in cvtsudoers' LDIF parsing when the file ends without
a newline and a backslash is the last character of the file.
* Fixed a potential use-after-free bug with cvtsudoers filtering.
GitHub issue #198.
* Added a reminder to the default lecture that the password will
not echo. This line is only displayed when the pwfeedback option
is disabled. GitHub issue #195.
* Fixed potential memory leaks in error paths. GitHub issues #199,
#202.
* Fixed potential NULL dereferences on memory allocation failure.
GitHub issues #204, #211.
* Sudo now uses C23-style attributes in function prototypes instead
of gcc-style attributes if supported.
* Added a new "list" pseudo-command in sudoers to allow a user to
list another user's privileges. Previously, only root or a user
with the ability to run any command as either root or the target
user on the current host could use the -U option. This also
includes a fix to the log entry when a user lacks permission to
run "sudo -U otheruser -l command". Previously, the logs would
indicate that the user tried to run the actual command, now the
log entry includes the list operation.
* JSON logging now escapes control characters if they happen to
appear in the command or environment.
* New Albanian translation from translationproject.org.
* Regular expressions in sudoers or logsrvd.conf may no longer
contain consecutive repetition operators. This is implementation-
specific behavior according to POSIX, but some implementations
will allocate excessive amounts of memory. This mainly affects
the fuzzers.
* Sudo now builds AIX-style shared libraries and dynamic shared
objects by default instead of svr4-style. This means that the
default sudo plugins are now .a (archive) files that contain a
.so shared object file instead of bare .so files. This was done
to improve compatibility with the AIX Freeware ecosystem,
specifically, the AIX Freeware build of OpenSSL. Sudo will still
load svr4-style .so plugins and if a .so file is requested,
either via sudo.conf or the sudoers file, and only the .a file
is present, sudo will convert the path from plugin.so to
plugin.a(plugin.so) when loading it. This ensures compatibility
with existing configurations. To restore the old, pre-1.9.13
behavior, run configure using the --with-aix-soname=svr4 option.
* Sudo no longer checks the ownership and mode of the plugins that
it loads. Plugins are configured via either the sudo.conf or
sudoers file which are trusted configuration files. These checks
suffered from time-of-check vs. time-of-use race conditions and
complicate loading plugins that are not simple paths. Ownership
and mode checks are still performed when loading the sudo.conf
and sudoers files, which do not suffer from race conditions.
The sudo.conf "developer_mode" setting is no longer used.
* Control characters in sudo log messages and "sudoreplay -l"
output are now escaped in octal format. Space characters in the
command path are also escaped. Command line arguments that
contain spaces are surrounded by single quotes and any literal
single quote or backslash characters are escaped with a backslash.
This makes it possible to distinguish multiple command line
arguments from a single argument that contains spaces.
* Improved support for DragonFly BSD which uses a different struct
procinfo than either FreeBSD or 4.4BSD.
* Fixed a compilation error on Linux arm systems running older
kernels that may not define EM_ARM in linux/elf-em.h.
GitHub issue #232.
* Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined.
Sudo will now link using -Wl,--no-undefined by default if possible.
GitHub issue #234.
* Fixed a bug executing a command with a very long argument vector
when "log_subcmds" or "intercept" is enabled on a system where
"intercept_type" is set to "trace". GitHub issue #194.
* When sudo is configured to run a command in a pseudo-terminal
but the standard input is not connected to a terminal, the command
will now be run as a background process. This works around a
problem running sudo commands in the background from a shell
script where changing the terminal to raw mode could interfere
with the interactive shell that ran the script.
GitHub issue #237.
* A missing include file in sudoers is no longer a fatal error
unless the error_recovery plugin argument has been set to false.
PR: 269563
Submitted by: cy
Reported by: cy
Approved by: garga
MFH: 2023Q1
8bd6398 |
Wednesday, 8 Feb 2023
|
10:53 Muhammad Moinur Rahman (bofh)
Mk/**ldap.mk: Convert USE_LDAP to USES=ldap
Convert the USE_LDAP=yes to USES=ldap and adds the following features:
- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features
Reviewed by: delphij
Approved by: portmgr
Differential Revision: https://reviews.freebsd.org/D38233
6e1233b |
Wednesday, 18 Jan 2023
|
17:08 Cy Schubert (cy)
security/sudo: Update to 1.9.12p2
Major changes between sudo 1.9.12p2 and 1.9.12p1:
* Fixed a compilation error on Linux/aarch64. GitHub issue #197.
* Fixed a potential crash introduced in the fix for GitHub issue #134.
If a user's sudoers entry did not have any RunAs user's set,
running "sudo -U otheruser -l" would dereference a NULL pointer.
* Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
from creating a I/O files when the "iolog_file" sudoers setting
contains six or more Xs.
* Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
that coud allow a malicious user with sudoedit privileges to
edit arbitrary files.
PR: 269030
Submitted by: cy
Reported by: cy
Approved by: garga
MFH: 2023Q1
Security: CVE-2023-22809
8f8bd81 |
Monday, 7 Nov 2022
|
15:33 Cy Schubert (cy)
security/sudo: Update to 1.9.12p1
This release includes fixes to minor bugs, including a fix for
CVE-2022-43995, a non-exploitable potential out-of-bounds write on
systems that do not use PAM, AIX authentication or BSD authentication.
PR: 267617
Approved by: garga (Maintainer)
MFH: 2022Q4
Security: CVE-2022-43995
271b349 |
Monday, 24 Oct 2022
|
15:30 Renato Botelho (garga)
security/sudo: Update to 1.9.12
Sponsored by: Rubicon Communications, LLC ("Netgate")
8885a02 |
Wednesday, 7 Sep 2022
|
21:10 Stefan Eßer (se)
Add WWW entries to port Makefiles
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.
Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.
There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.
This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.
There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.
The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.
Approved by: portmgr (tcberner)
b7f0544 |
Wednesday, 20 Jul 2022
|
14:22 Tobias C. Berner (tcberner)
security: remove 'Created by' lines
A big Thank You to the original contributors of these ports:
* <ports@c0decafe.net>
* Aaron Dalton <aaron@FreeBSD.org>
* Adam Weinberger <adamw@FreeBSD.org>
* Ade Lovett <ade@FreeBSD.org>
* Aldis Berjoza <aldis@bsdroot.lv>
* Alex Dupre <ale@FreeBSD.org>
* Alex Kapranoff <kappa@rambler-co.ru>
* Alex Samorukov <samm@freebsd.org>
* Alexander Botero-Lowry <alex@foxybanana.com>
* Alexander Kriventsov <avk@vl.ru>
* Alexander Leidinger <netchild@FreeBSD.org>
* Alexander Logvinov <ports@logvinov.com>
* Alexander Y. Grigoryev <alexander.4mail@gmail.com>
* Alexey Dokuchaev <danfe@FreeBSD.org>
* Alfred Perlstein
* Alfred Perlstein <alfred@FreeBSD.org>
* Anders Nordby <anders@FreeBSD.org>
* Anders Nordby <anders@fix.no>
* Andreas Klemm <andreas@klemm.gtn.com>
* Andrew Lewis <freeghb@gmail.com>
* Andrew Pantyukhin <infofarmer@FreeBSD.org>
* Andrew St. Jean <andrew@arda.homeunix.net>
* Anes Mukhametov <anes@anes.su>
* Antoine Brodin <antoine@FreeBSD.org>
* Anton Berezin <tobez@FreeBSD.org>
* Antonio Carlos Venancio Junior (<antonio@inf.ufsc.br>)
* Antonio Carlos Venancio Junior <antonio@inf.ufsc.br>
* Ashish SHUKLA <ashish@FreeBSD.org>
* Attila Nagy <bra@fsn.hu>
* Autrijus Tang <autrijus@autrijus.org>
* Axel Rau <axel.rau@chaos1.de>
* Babak Farrokhi <farrokhi@FreeBSD.org>
* Ben Woods <woodsb02@FreeBSD.org>
* Bernard Spil <brnrd@FreeBSD.org>
* Bernard Spil <brnrd@freebsd.org>
* Blaz Zupan <blaz@si.FreeBSD.org>
* Bob Hockney <zeus@ix.netcom.com>
* Boris Kochergin <spawk@acm.poly.edu>
* Brendan Molloy <brendan+freebsd@bbqsrc.net>
* Bruce M Simpson
* Bruce M Simpson <bms@FreeBSD.org>
* Bruce M. Simpson <bms@FreeBSD.org>
* Carlo Strub
* Carlo Strub <cs@FreeBSD.org>
* Carlos J Puga Medina <cpm@FreeBSD.org>
* Carlos J Puga Medina <cpm@fbsd.es>
* Charlie Root <se@FreeBSD.org>
* Cheng-Lung Sung <clsung@FreeBSD.org>
* Cheng-Lung Sung <clsung@dragon2.net>
* Chie Taguchi <taguchi.ch@gmail.com>
* Chris Cowart <ccowart@rescomp.berkeley.edu>
* Chris D. Faulhaber <jedgar@FreeBSD.org>
* Christer Edwards <christer.edwards@gmail.com>
* Christian Lackas
* Christopher Hall <hsw@bitmark.com>
* Clement Laforet <sheepkiller@cultdeadsheep.org>
* Clive Lin <clive@CirX.ORG>
* Colin Percival
* Cory McIntire (loon@noncensored.com)
* Craig Leres <leres@FreeBSD.org>
* Cristiano Deana <cris@gufi.org>
* Cy Schubert (Cy.Schubert@uumail.gov.bc.ca)
* Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
* Cy Schubert <cy@FreeBSD.org>
* Damian Gerow <dgerow@afflictions.org>
* Damien Bobillot
* Dan Langille
* Dan Langille <dan@freebsddiary.org>
* Dan Langille <dvl@FreeBSD.org>
* Dan Langille <dvl@freebsd.org>
* Dan Langille <dvl@sourcefire.com>
* Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* Daniel Roethlisberger <daniel@roe.ch>
* Danilo Egea Gondolfo <danilo@FreeBSD.org>
* Danton Dorati <urisso@bsd.com.br>
* Dave McKay <dave@mu.org>
* David E. Thiel <lx@FreeBSD.org>
* David O'Brien (obrien@NUXI.com)
* David O'Brien <obrien@FreeBSD.org>
* David Thiel <lx@redundancy.redundancy.org>
* Dean Hollister <dean@odyssey.apana.org.au>
* Denis Shaposhnikov <dsh@vlink.ru>
* Dereckson <dereckson@gmail.com>
* Dirk Froemberg <dirk@FreeBSD.org>
* Ditesh Shashikant Gathani <ditesh@gathani.org>
* Dom Mitchell <dom@happygiraffe.net>
* Dominic Marks <dominic.marks@btinternet.com>
* Don Croyle <croyle@gelemna.org>
* Douglas Thrift <douglas@douglasthrift.net>
* Edson Brandi <ebrandi@fugspbr.org>
* Edwin Groothuis <edwin@mavetju.org>
* Ekkehard 'Ekki' Gehm <gehm@physik.tu-berlin.de>
* Emanuel Haupt <ehaupt@FreeBSD.org>
* Emanuel Haupt <ehaupt@critical.ch>
* Eric Crist <ecrist@secure-computing.net>
* Erwin Lansing <erwin@FreeBSD.org>
* Eugene Grosbein <eugen@FreeBSD.org>
* Fabian Keil <fk@fabiankeil.de>
* Felix Palmen <felix@palmen-it.de>
* Florent Thoumie <flz@xbsd.org>
* Foxfair Hu <foxfair@FreeBSD.org>
* Frank Laszlo <laszlof@vonostingroup.com>
* Frank Wall <fw@moov.de>
* Franz Bettag <franz@bett.ag>
* Gabor Kovesdan
* Gabor Kovesdan <gabor@FreeBSD.org>
* Gabriel M. Dutra <0xdutra@gmail.com>
* Gary Hayers <Gary@Hayers.net>
* Gasol Wu <gasol.wu@gmail.com>
* Gea-Suan Lin <gslin@gslin.org>
* George Reid <greid@ukug.uk.freebsd.org>
* George Reid <services@nevernet.net>
* Greg Larkin <glarkin@FreeBSD.org>
* Greg V <greg@unrelenting.technology>
* Gregory Neil Shapiro <gshapiro@FreeBSD.org>
* Grzegorz Blach <gblach@FreeBSD.org>
* Guangyuan Yang <ygy@FreeBSD.org>
* Hakisho Nukama <nukama@gmail.com>
* Hammurabi Mendes <hmendes@brturbo.com>
* Henk van Oers <hvo.pm@xs4all.nl>
* Horia Racoviceanu <horia@racoviceanu.com>
* Hung-Yi Chen <gaod@hychen.org>
* Jaap Akkerhuis <jaap@NLnetLabs.nl>
* Jaap Boender <jaapb@kerguelen.org>
* Jacek Serwatynski <tutus@trynet.eu.org>
* James FitzGibbon <jfitz@FreeBSD.org>
* James Thomason <james@divide.org>
* Jan-Peter Koopmann <Jan-Peter.Koopmann@seceidos.de>
* Janky Jay <ek@purplehat.org>
* Janos Mohacsi
* Janos Mohacsi <janos.mohacsi@bsd.hu>
* Jean-Yves Lefort <jylefort@brutele.be>
* Jim Geovedi <jim@corebsd.or.id>
* Jim Ohlstein <jim@ohlste.in>
* Joe Clarke <marcus@marcuscom.com>
* Joe Marcus Clarke <marcus@FreeBSD.org>
* Johann Visagie <johann@egenetics.com>
* Johann Visagie <wjv@FreeBSD.org>
* John Ferrell <jdferrell3@yahoo.com>
* John Hixson <jhixson@gmail.com>
* John Polstra <jdp@polstra.com>
* John W. O'Brien <john@saltant.com>
* John-Mark Gurney <jmg@FreeBSD.org>
* Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
* Joseph Benden <joe@thrallingpenguin.com>
* Joshua D. Abraham <jabra@ccs.neu.edu>
* Jov <amutu@amutu.com>
* Jui-Nan Lin <jnlin@freebsd.cs.nctu.edu.tw>
* Ka Ho Ng <khng300@gmail.com>
* Kay Lehmann <kay_lehmann@web.de>
* Keith J. Jones <kjones@antihackertoolkit.com>
* Kevin Zheng <kevinz5000@gmail.com>
* Kimura Fuyuki <fuyuki@hadaly.org>
* Kimura Fuyuki <fuyuki@mj.0038.net>
* Klayton Monroe <klm@uidzero.org>
* Konstantin Menshikov <kostjnspb@yandex.ru>
* Koop Mast <kwm@FreeBSD.org>
* Kris Kennaway <kris@FreeBSD.org>
* Kubilay Kocak <koobs@FreeBSD.org>
* Kurt Jaeger <fbsd-ports@opsec.eu>
* LEVAI Daniel <leva@ecentrum.hu>
* Lars Engels <lme@FreeBSD.org>
* Lars Thegler <lth@FreeBSD.org>
* Laurent LEVIER <llevier@argosnet.com>
* Luiz Eduardo R. Cordeiro
* Lukas Slebodnik <lukas.slebodnik@intrak.sk>
* Lukasz Komsta
* Mageirias Anastasios <anastmag@gmail.com>
* Marcel Prisi <marcel.prisi@virtua.ch>
* Marcello Coutinho
* Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
* Mark Felder <feld@FreeBSD.org>
* Mark Hannon <markhannon@optusnet.com.au>
* Mark Murray <markm@FreeBSD.org>
* Mark Pulford <mark@kyne.com.au>
* Marko Njezic <sf@maxempire.com>
* Martin Matuska <martin@tradex.sk>
* Martin Matuska <mm@FreeBSD.org>
* Martin Mersberger
* Martin Wilke <miwi@FreeBSD.org>
* Martti Kuparinen <martti.kuparinen@ericsson.com>
* Mateusz Piotrowski <0mp@FreeBSD.org>
* Matt <matt@xtaz.net>
* Matt Behrens <matt@zigg.com>
* Matthias Andree <mandree@FreeBSD.org>
* Matthias Fechner <mfechner@FreeBSD.org>
* Matthieu BOUTHORS <matthieu@labs.fr>
* Maxim Sobolev <sobomax@FreeBSD.org>
* Meno Abels <meno.abels@adviser.com>
* Michael Haro <mharo@FreeBSD.org>
* Michael Johnson <ahze@FreeBSD.org>
* Michael Nottebrock <lofi@FreeBSD.org>
* Michael Reifenberger <mr@FreeBSD.org>
* Michael Schout <mschout@gkg.net>
* Michal Bielicki <m.bielicki@llizardfs.com>
* Michiel van Baak <michiel@vanbaak.eu
* Mij <mij@bitchx.it>
* Mike Heffner <mheffner@vt.edu>
* Mikhail T. <m.tsatsenko@gmail.com>
* Mikhail Teterin <mi@aldan.algebra.com>
* Milan Obuch
* Mosconi <mosconi.rmg@gmail.com>
* Muhammad Moinur Rahman <5u623l20@gmail.com>
* Mustafa Arif <ma499@doc.ic.ac.uk>
* Neil Booth
* Neil Booth <kyuupichan@gmail.com>
* Nick Barkas <snb@threerings.net>
* Nicola Vitale <nivit@FreeBSD.org>
* Niels Heinen
* Nikola Kolev <koue@chaosophia.net>
* Nobutaka Mantani <nobutaka@FreeBSD.org>
* Oliver Lehmann
* Oliver Lehmann <oliver@FreeBSD.org>
* Olivier Duchateau
* Olivier Duchateau <duchateau.olivier@gmail.com>
* Olli Hauer
* Patrick Li <pat@databits.net>
* Paul Chvostek <paul@it.ca>
* Paul Schmehl <pauls@utdallas.edu>
* Pavel I Volkov <pavelivolkov@googlemail.com>
* Pete Fritchman <petef@databits.net>
* Peter Ankerstal <peter@pean.org>
* Peter Haight <peterh@sapros.com>
* Peter Johnson <johnson.peter@gmail.com>
* Peter Pentchev <roam@FreeBSD.org>
* Petr Rehor <rx@rx.cz>
* Philippe Audeoud <jadawin@tuxaco.net>
* Philippe Rocques <phil@teaser.fr>
* Piotr Kubaj <pkubaj@FreeBSD.org>
* Piotr Kubaj <pkubaj@anongoth.pl>
* Po-Chuan Hsieh <sunpoet@FreeBSD.org>
* RaRa Rasputin <rasputin@submonkey.net>
* Radim Kolar
* Ralf Meister
* Remington Lang <MrL0Lz@gmail.com>
* Renaud Chaput <renchap@cocoa-x.com>
* Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
* Roland van Laar <roland@micite.net>
* Romain Tartiere <romain@blogreen.org>
* Roman Bogorodskiy
* Roman Bogorodskiy <novel@FreeBSD.org>
* Roman Shterenzon <roman@xpert.com>
* Rong-En Fan <rafan@FreeBSD.org>
* Ryan Steinmetz <zi@FreeBSD.org>
* Sahil Tandon <sahil@tandon.net>
* Sascha Holzleiter <sascha@root-login.org>
* SeaD
* Seamus Venasse <svenasse@polaris.ca>
* Sean Greven <sean.greven@gmail.com>
* Sebastian Schuetz <sschuetz@fhm.edu>
* Sergei Kolobov <sergei@FreeBSD.org>
* Sergei Kolobov <sergei@kolobov.com>
* Sergei Vyshenski
* Sergei Vyshenski <svysh.fbsd@gmail.com>
* Sergey Skvortsov <skv@protey.ru>
* Seth Kingsley <sethk@meowfishies.com>
* Shaun Amott <shaun@inerd.com>
* Simeon Simeonov <sgs@pichove.org>
* Simon Dick <simond@irrelevant.org>
* Sofian Brabez <sbrabez@gmail.com>
* Stanislav Sedov <ssedov@mbsd.msk.ru>
* Stefan Esser <se@FreeBSD.org>
* Stefan Grundmann
* Stefan Walter <sw@gegenunendlich.de>
* Stephon Chen <stephon@gmail.com>
* Steve Wills <steve@mouf.net>
* Steve Wills <swills@FreeBSD.org>
* Steven Kreuzer
* Steven Kreuzer <skreuzer@exit2shell.com>
* Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
* TAKAHASHI Kaoru <kaoru@kaisei.org>
* TAKATSU Tomonari <tota@FreeBSD.org>
* Tatsuki Makino <tatsuki_makino@hotmail.com>
* Thibault Payet <monwarez@mailoo.org>
* Thierry Thomas (<thierry@pompo.net>)
* Thierry Thomas <thierry@pompo.net>
* Thomas Hurst <tom@hur.st>
* Thomas Quinot <thomas@cuivre.fr.eu.org>
* Thomas Zander <riggs@FreeBSD.org>
* Thomas von Dein <freebsd@daemon.de>
* Tilman Linneweh <arved@FreeBSD.org>
* Tim Bishop <tim@bishnet.net>
* Tom Judge <tom@tomjudge.com>
* Tomoyuki Sakurai <cherry@trombik.org>
* Toni Viemerö <toni.viemero@iki.fi>
* Tony Maher
* Torsten Zuhlsdorff <ports@toco-domains.de>
* Travis Campbell <hcoyote@ghostar.org>
* Tsung-Han Yeh <snowfly@yuntech.edu.tw>
* Ulf Lilleengen
* Vaida Bogdan <vaida.bogdan@gmail.com>
* Valentin Zahariev <curly@e-card.bg>
* Valerio Daelli <valerio.daelli@gmail.com>
* Veniamin Gvozdikov <vg@FreeBSD.org>
* Victor Popov
* Victor Popov <v.a.popov@gmail.com>
* Vsevolod Stakhov
* Vsevolod Stakhov <vsevolod@FreeBSD.org>
* Wen Heping <wen@FreeBSD.org>
* Wen Heping <wenheping@gmail.com>
* Yarodin <yarodin@gmail.com>
* Yen-Ming Lee <leeym@FreeBSD.org>
* Yen-Ming Lee <leeym@cae.ce.ntu.edu.tw>
* Yen-Ming Lee <leeym@leeym.com>
* Ying-Chieh Liao <ijliao@FreeBSD.org>
* Yonatan <Yonatan@Xpert.com>
* Yonatan <onatan@gmail.com>
* Yoshisato YANAGISAWA
* Yuri Victorovich
* Yuri Victorovich <yuri@rawbw.com>
* Zach Thompson <hideo@lastamericanempire.com>
* Zane C. Bowers <vvelox@vvelox.net>
* Zeus Panchenko <zeus@gnu.org.ua>
* ache
* adamw
* ajk@iu.edu
* alex@FreeBSD.org
* allan@saddi.com
* alm
* andrej@ebert.su
* andrew@scoop.co.nz
* andy@fud.org.nz
* antoine@FreeBSD.org
* arved
* barner
* brix@FreeBSD.org
* buganini@gmail.com
* chinsan
* chris@still.whet.org
* clement
* clsung
* crow
* cy@FreeBSD.org
* dominik karczmarski <dominik@karczmarski.com>
* dwcjr@inethouston.net
* eivind
* erich@rrnet.com
* erwin@FreeBSD.org
* girgen@FreeBSD.org
* glen.j.barber@gmail.com
* hbo@egbok.com
* ijliao
* jesper
* jfitz
* johans
* joris
* kftseng@iyard.org
* kris@FreeBSD.org
* lx
* markm
* mharo@FreeBSD.org
* michaelnottebrock@gmx.net
* mnag@FreeBSD.org
* mp39590@gmail.com
* nbm
* nectar@FreeBSD.org
* nork@FreeBSD.org
* nork@cityfujisawa.ne.jp
* nsayer@FreeBSD.org
* nsayer@quack.kfu.com
* ntarmos@cs.uoi.gr
* oly
* onatan@gmail.com
* pandzilla
* patrick@mindstep.com
* pauls
* perl@FreeBSD.org
* petef@FreeBSD.org
* peter.thoenen@yahoo.com
* ports@c0decafe.net
* ports@rbt.ca
* roam@FreeBSD.org
* rokaz
* sada@FreeBSD.org
* scrappy
* se
* shane@freebsdhackers.net aka modsix@gmail.com
* snb@threerings.net
* sumikawa
* sviat
* teramoto@comm.eng.osaka-u.ac.jp
* thierry@pompo.net
* tobez@FreeBSD.org
* torstenb@FreeBSD.org
* trasz <trasz@pin.if.uz.zgora.pl>
* trevor
* truckman
* vanhu
* vanilla@
* wen@FreeBSD.org
* will
With hat: portmgr
857c05f |
Tuesday, 21 Jun 2022
|
17:56 Renato Botelho (garga)
security/sudo: Update to 1.9.11p3
Sponsored by: Rubicon Communications, LLC ("Netgate")
c6a7564 |
Monday, 13 Jun 2022
|
14:05 Cy Schubert (cy)
security/sudo: Update to 1.9.11p2 -- Fix regressions
Major changes between sudo 1.9.11p2 and 1.9.11p1:
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning
when logging to sudo_logsrvd if the command returned no output.
PR: 264643
Approved by: garga (maintainer)
7c653e8 |
Thursday, 9 Jun 2022
|
20:41 Cy Schubert (cy)
security/sudo: Update to 1.9.11p1
Major changes between sudo 1.9.11p1 and 1.9.11:
* Correctly handle EAGAIN in the I/O read/right events. This fixes
a hang seen on some systems when piping a large amount of data
through sudo, such as via rsync. Bug #963.
* Changes to avoid implementation or unspecified behavior when
bit shifting signed values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual
page. GitHub issue #153.
Major changes between sudo 1.9.11 and 1.9.10:
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
PR: 264554
Approved by: garga (maintainer)
7e42695 |
Wednesday, 8 Jun 2022
|
13:51 Cy Schubert (cy)
security/sudo: Update to 1.9.11
Major changes between sudo 1.9.11 and 1.9.10:
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
PR: 264515
Approved by: garga (maintainer)
3ee710e |
Friday, 4 Mar 2022
|
15:04 Cy Schubert (cy)
security/sudo: Update to 1.9.10
PR: 262331
Approved by: garga (maintainer)
c003f33 |
Wednesday, 2 Feb 2022
|
11:04 Renato Botelho (garga) Author: Yasuhiro Kimura
security/sudo: Update to 1.9.9
PR: 261529
Sponsored by: Rubicon Communications, LLC ("Netgate")
af389a6 |
Thursday, 30 Sep 2021
|
13:51 Cy Schubert (cy)
security/sudo: Update to 1.9.8p2
Major changes between sudo 1.9.8p2 and 1.9.8p1:
* Fixed a potential out-of-bounds read with "sudo -i" when the
target user's shell is bash. This is a regression introduced
in sudo 1.9.8. Bug #998.
* sudo_logsrvd now only sends a log ID for first command of a session.
There is no need to send the log ID for each sub-command.
* Fixed a few minor memory leaks in intercept mode.
* Fixed a problem with sudo_logsrvd in relay mode if "store_first"
was enabled when handling sub-commands. A new zero-length journal
file was created for each sub-command instead of simply using
the existing journal file.
PR: 258666
Submitted by: cy
Reported by: cy
Approved by: garga (maintainer)
MFH: 2021Q3
3c5b4da |
Friday, 17 Sep 2021
|
15:33 Cy Schubert (cy)
security/sudo: Update to 1.9.8p1 to fix LDAP SEGFAULT
Sudo version 1.9.8 patchelevel 1 is now available which fixes a few
regressions introduced in sudo 1.9.8.
Source:
https://www.sudo.ws/dist/sudo-1.9.8p1.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.8p1.tar.gz
SHA256 checksum:
0939ee24df7095a92e0ca4aa3bd53b2a10965a7b921d51a26ab70cdd24388d69
MD5 checksum:
ae9c8b32268f27d05bcdcb8f0c04d461
Binary packages:
https://www.sudo.ws/download.html#binary
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_8
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.8p1 and 1.9.8:
* Fixed support for passing a prompt (sudo -p) or a login class
(sudo -c) on the command line. This is a regression introduced
in sudo 1.9.8. Bug #993.
* Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
This is a regression introduced in sudo 1.9.8. Bug #994.
* Fixed a compilation error when the --enable-static-sudoers configure
option was specified. This is a regression introduced in sudo
1.9.8 caused by a symbol clash with the intercept and log server
protobuf functions.
PR: 258537
Submitted by: cy
Reported by: Adrian Waters <draenan _ gmail_com>
Approved by: garga (maintainer)
MFH: 2021Q3
549e87a |
Tuesday, 14 Sep 2021
|
16:50 Cy Schubert (cy)
securty/sudo: Update to 1.9.8
Major changes between sudo 1.9.8 and 1.9.7p2:
* It is now possible to transparently intercepting sub-commands
executed by the original command run via sudo. Intercept support
is implemented using LD_PRELOAD (or the equivalent supported by
the system) and so has some limitations. The two main limitations
are that only dynamic executables are supported and only the
execl, execle, execlp, execv, execve, execvp, and execvpe library
functions are currently intercepted. Its main use case is to
support restricting privileged shells run via sudo.
To support this, there is a new "intercept" Defaults setting and
an INTERCEPT command tag that can be used in sudoers. For example:
Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
Defaults!SHELLS intercept
would cause sudo to run the listed shells in intercept mode.
This can also be set on a per-rule basis. For example:
Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
chuck ALL = INTERCEPT: SHELLS
would only apply intercept mode to user "chuck" when running one
of the listed shells.
In intercept mode, sudo will not prompt for a password before
running a sub-command and will not allow a set-user-ID or
set-group-ID program to be run by default. The new
intercept_authenticate and intercept_allow_setid sudoers settings
can be used to change this behavior.
* The new "log_subcmds" sudoers setting can be used to log additional
commands run in a privileged shell. It uses the same mechanism as
the intercept support described above and has the same limitations.
* Support for logging sudo_logsrvd errors via syslog or to a file.
Previously, most sudo_logsrvd errors were only visible in the
debug log.
* Better diagnostics when there is a TLS certificate validation error.
* Using the "+=" or "-=" operators in a Defaults setting that takes
a string, not a list, now produces a warning from sudo and a
syntax error from inside visudo.
* Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
had no effect when creating I/O log parent directories if the I/O log
file name ended with the string "XXXXXX".
* Fixed a bug in the sudoers custom prompt code where the size
parameter that was passed to the strlcpy() function was incorrect.
No overflow was possible since the correct amount of memory was
already pre-allocated.
* The mksigname and mksiglist helper programs are now built with
the host compiler, not the target compiler, when cross-compiling.
Bug #989.
* Fixed compilation error when the --enable-static-sudoers configure
option was specified. This was due to a typo introduced in sudo
1.9.7. GitHub PR #113.
Submitted by: cy
PR: 258479
Approved by: garga (maintainer)
MFH: 2021Q3
c403b78 |
Friday, 13 Aug 2021
|
13:10 Renato Botelho (garga) Author: Yasuhiro Kimura
security/sudo: Update to 1.9.7p2
Sponsored by: Rubicon Communications, LLC ("Netgate")
6aeff2e |
Monday, 14 Jun 2021
|
16:04 Cy Schubert (cy)
securty/sudo: Update to 1.9.7p1
Major changes between sudo 1.9.7p1 and 1.9.7
* Fixed an SELinux sudoedit bug when the edited temporary file
could not be opened. The sesh helper would still be run even
when there are no temporary files available to install.
* Fixed a compilation problem on FreeBSD.
* The sudo_noexec.so file is now built as a module on all systems
other than macOS. This makes it possible to use other libtool
implementations such as slibtool. On macOS shared libraries and
modules are not interchangeable and the version of libtool shipped
with sudo must be used.
* Fixed a few bugs in the getgrouplist() emulation on Solaris when
reading from the local group file.
* Fixed a bug in sudo_logsrvd that prevented periodic relay server
connection retries from occurring in "store_first" mode.
* Disabled the nss_search()-based getgrouplist() emulation on HP-UX
due to a crash when the group source is set to "compat" in
/etc/nsswitch.conf. This is probably due to a mismatch between
include/compat/nss_dbdefs.h and what HP-UX uses internally. On
HP-UX we now just cycle through groups the slow way using
getgrent(). Bug #978.
PR: 256561
Submitted by: cy
Reported by: cy
Approved by: garga (maintainer)
MFH: 2020Q2
f34318c5 |
Tuesday, 18 May 2021
|
20:07 Cy Schubert (cy)
security/sudo: update to 1.9.7
Among other changes this release fixes -fcommon errors. A complete list
of changes can be found at https://www.sudo.ws/stable.html/
PR: 255812
Submitted by: Yasuhiro Kimura <yasu@utahime.org> (mostly)
Reported by: Yasuhiro Kimura <yasu@utahime.org>
Tested by: cy
Approved by: garga (maintainer)
MFH: 2021Q2
72d1eb1 |
Tuesday, 6 Apr 2021
|
14:31 Mathieu Arnold (mat)
Remove # $FreeBSD$ from Makefiles.
305f148 |
Wednesday, 17 Mar 2021
|
11:56 garga
security/sudo: Update to 1.9.6p1
PR: 254260
Submitted by: Yasuhiro Kimura <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Tuesday, 26 Jan 2021
|
20:15 cy
security/sudo - update 1.9.5p1 to 1.9.5p2
(text/plain)
Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156
(aka Baron Samedit), a severe security vulnerability in sudo versions
1.8.2 through 1.9.5p1. For more details, see:
https://www.sudo.ws/alerts/unescape_overflow.html
https://www.openwall.com/lists/oss-security/2021/01/26/3
Source:
https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz
SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978
MD5 e6bc4c18c06346e6b3431637a2b5f3d5
Patch:
https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz
SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc
MD5 2816f5fa537c61fb913046ef20b88e3b
Binary packages:
https://www.sudo.ws/download.html#binary
https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2
For a list of download mirror sites, see:
https://www.sudo.ws/download_mirrors.html
Sudo web site:
https://www.sudo.ws/
Sudo web site mirrors:
https://www.sudo.ws/mirrors.html
Major changes between sudo 1.9.5p2 and 1.9.5p1
* Fixed sudo's setprogname(3) emulation on systems that don't
provide it.
* Fixed a problem with the sudoers log server client where a partial
write to the server could result the sudo process consuming large
amounts of CPU time due to a cycle in the buffer queue. Bug #954.
* Added a missing dependency on libsudo_util in libsudo_eventlog.
Fixes a link error when building sudo statically.
* The user's KRB5CCNAME environment variable is now preserved when
performing PAM authentication. This fixes GSSAPI authentication
when the user has a non-default ccache.
* When invoked as sudoedit, the same set of command line options
are now accepted as for "sudo -e". The -H and -P options are
now rejected for sudoedit and "sudo -e" which matches the sudo
1.7 behavior. This is part of the fix for CVE-2021-3156.
* Fixed a potential buffer overflow when unescaping backslashes
in the command's arguments. Normally, sudo escapes special
characters when running a command via a shell (sudo -s or sudo
-i). However, it was also possible to run sudoedit with the -s
or -i flags in which case no escaping had actually been done,
making a buffer overflow possible. This fixes CVE-2021-3156.
Major changes between sudo 1.9.5p1 and 1.9.5
* Fixed a regression introduced in sudo 1.9.5 where the editor run
by sudoedit was set-user-ID root unless SELinux RBAC was in use.
The editor is now run with the user's real and effective user-IDs.
Major changes between sudo 1.9.5 and 1.9.4p2
* Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
unknown user. This is related to but distinct from Bug #948.
* If the "lecture_file" setting is enabled in sudoers, it must now
refer to a regular file or a symbolic link to a regular file.
* Fixed a potential use-after-free bug in sudo_logsrvd when the
server shuts down if there are existing connections from clients
that are only logging events and not session I/O data.
* Fixed a buffer size mismatch when serializing the list of IP
addresses for configured network interfaces. This bug is not
actually exploitable since the allocated buffer is large enough
to hold the list of addresses.
* If sudo is executed with a name other than "sudo" or "sudoedit",
it will now fall back to "sudo" as the program name. This affects
warning, help and usage messages as well as the matching of Debug
lines in the /etc/sudo.conf file. Previously, it was possible
for the invoking user to manipulate the program name by setting
argv[0] to an arbitrary value when executing sudo.
* Sudo now checks for failure when setting the close-on-exec flag
on open file descriptors. This should never fail but, if it
were to, there is the possibility of a file descriptor leak to
a child process (such as the command sudo runs).
* Fixed CVE-2021-23239, a potential information leak in sudoedit
that could be used to test for the existence of directories not
normally accessible to the user in certain circumstances. When
creating a new file, sudoedit checks to make sure the parent
directory of the new file exists before running the editor.
However, a race condition exists if the invoking user can replace
(or create) the parent directory. If a symbolic link is created
in place of the parent directory, sudoedit will run the editor
as long as the target of the link exists. If the target of the
link does not exist, an error message will be displayed. The
race condition can be used to test for the existence of an
arbitrary directory. However, it _cannot_ be used to write to
an arbitrary location.
* Fixed CVE-2021-23240, a flaw in the temporary file handling of
sudoedit's SELinux RBAC support. On systems where SELinux is
enabled, a user with sudoedit permissions may be able to set the
owner of an arbitrary file to the user-ID of the target user.
On Linux kernels that support "protected symlinks", setting
/proc/sys/fs/protected_symlinks to 1 will prevent the bug from
being exploited. For more information see
https://www.sudo.ws/alerts/sudoedit_selinux.html.
* Added writability checks for sudoedit when SELinux RBAC is in use.
This makes sudoedit behavior consistent regardless of whether
or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir"
setting had no effect for RBAC entries.
* A new sudoers option "selinux" can be used to disable sudo's
SELinux RBAC support.
* Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
Added suppression annotations for PVS Studio false positives.
PR: 253034
Submitted by: cy
Reported by: cy
Reviewed by: emaste
Approved by: emaste
MFH: 2020Q1
Security: CVE-2021-3156, CVE-2021-3156
Differential Revision: https://reviews.freebsd.org/D28363
|
Tuesday, 12 Jan 2021
|
12:40 garga
security/sudo: Update to 1.9.5p1
This version fixes a regression introduced by 1.9.5
Changelog: https://www.sudo.ws/stable.html#1.9.5p1
PR: 252598
Submitted by: cy
MFH: 2021Q1
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 11 Jan 2021
|
20:06 cy
Update 1.9.4p2 --> 1.9.5
PR: 252583
Submitted by: cy
Reported by: cy
Approved by: garga (maintainer)
MFH: 2021Q1
Security: CVE-2021-23239
|
Monday, 21 Dec 2020
|
16:54 garga
security/sudo: Fix version
Use PORTVERSION here to end up with 1.9.4p2, which is considered newer than
previous one (1.9.4_1)
Reported by: ohauer <ohauer@gmx.de>
|
12:44 garga
security/sudo: Update to 1.9.4p2
PR: 251930
Submitted by: Yasuhiro Kimura <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 7 Dec 2020
|
12:43 garga
security/sudo: Fix build without sendmail
PR: 251582
Reported by: Alexander Kuznetsov <alex@kuznetcoff.ru>
Obtained from: https://www.sudo.ws/repos/sudo/raw-rev/41db1aad85bb
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Friday, 4 Dec 2020
|
12:32 garga
security/sudo: Update to 1.9.4
PR: 251488
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Wednesday, 18 Nov 2020
|
12:22 rene
security/sudo: readd option for SSSD, reverting r553505
|
Tuesday, 27 Oct 2020
|
22:17 rene
security/sudo: remove optional expired dependency on security/sssd
|
Thursday, 24 Sep 2020
|
18:53 garga
security/sudo: Update to 1.9.3p1
PR: 249566
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Tuesday, 22 Sep 2020
|
13:25 garga
security/sudo: Update to 1.9.3
PR: 249511
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Wednesday, 22 Jul 2020
|
17:17 cy
Update 1.9.1 --> 1.9.2
Major changes between sudo 1.9.2 and 1.9.1
* The configure script now uses pkg-config to find the openssl
cflags and libs where possible.
* The contents of the log.json I/O log file is now documented in
the sudoers manual.
* The sudoers plugin now properly exports the sudoers_audit symbol
on systems where the compiler lacks symbol visibility controls.
This caused a regression in 1.9.1 where a successful sudo command
was not logged due to the missing audit plugin. Bug #931.
* Fixed a regression introduced in 1.9.1 that can result in crash
when there is a syntax error in the sudoers file. Bug #934.
PR: 248179
Submitted by: cy
Reported by: cy
Approved by: garga
Obtained from: sudo-announce mailing list
MFH: 2020Q3 (because of regression fix)
|
Friday, 19 Jun 2020
|
14:22 garga
security/sudo: Update to 1.9.1
* Add new option PYTHON that enables python plugin support
PR: 246472
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Wednesday, 18 Mar 2020
|
14:01 garga
security/sudo: Update to 1.8.31p1
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Friday, 31 Jan 2020
|
13:59 cy
security/sudo update 1.8.30 --> 1.8.31
PR: 243745
Submitted by: cy@
Reported by: cy@
Approved by: garga@
MFH: 2020Q1
Security: CVE-2019-18634
|
Thursday, 2 Jan 2020
|
18:18 cy
Update 1.8.29 --> 1.8.30
PR: 243009
Submitted by: cy
Approved by: garga (maintainer)
MFH: 2020Q1
|
Tuesday, 29 Oct 2019
|
18:42 garga
security/sudo: Update to 1.8.29
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Wednesday, 16 Oct 2019
|
18:52 garga
security/sudo: Fix wrong version added in r514607 using PORTVERSION
Reported by: Herbert J. Skuhra <herbert@gojira.at>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
18:37 garga
security/sudo: Update to 1.8.28p1
MFH: 2019Q4
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 14 Oct 2019
|
16:46 garga
security/sudo: Update to 1.8.28
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Tuesday, 22 Jan 2019
|
13:51 garga
security/sudo: Fix listpw=never
When listpw=never is set, 'sudo -l' is expected to run without asking for a
password.
PR: 234756
Reported by: vas@mpeks.tomsk.su
Obtained from: https://bugzilla.sudo.ws/show_bug.cgi?id=869
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 14 Jan 2019
|
12:52 cy
Update 1.8.26 --> 1.8.27
Notable changes:
* Fixes and clarifications to the sudo plugin documentation.
* The sudo manuals no longer require extensive post-processing to
hide system-specific features. Conditionals in the roff source
are now used instead. This fixes corruption of the sudo manual
on systems without BSD login classes. Bug #861.
* If an I/O logging plugin is configured but the plugin does not
actually log any I/O, sudo will no longer force the command to
be run in a pseudo-tty.
* The fix for bug #843 in sudo 1.8.24 was incomplete. If the
user's password was expired or needed to be updated, but no sudo
password was required, the PAM handle was freed too early,
resulting in a failure when processing PAM session modules.
* In visudo, it is now possible to specify the path to sudoers
without using the -f option. Bug #864.
* Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
file would not be updated when a command was run in a pseudo-tty.
Bug #865.
* Sudo now sets the silent flag when opening the PAM session except
when running a shell via "sudo -s" or "sudo -i". This prevents
the pam_lastlog module from printing the last login information
for each sudo command. Bug #867.
PR: 234904
Submitted by: cy@
Approved by: garga@
MFH: 2019Q1
|
Wednesday, 14 Nov 2018
|
15:33 garga
security/sudo: Update to 1.8.26
PR: 233206 (based on)
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Thursday, 13 Sep 2018
|
16:49 garga
Update security/sudo to 1.8.25p1
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Tuesday, 4 Sep 2018
|
11:42 garga
security/sudo: Update to 1.8.25
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 20 Aug 2018
|
14:23 garga
security/sudo: Update to 1.8.24
PR: 230739
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Thursday, 3 May 2018
|
18:57 garga
Add --rundir definition to CONFIGURE_ARGS to make sure configure script uses
/var/run/sudo. Without it, on a system that has /run directory, configure
will by default define rundir to /run/sudo
Reported by: Walter Schwarzenfeld <w.schwarzenfeld@utanet.at>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
12:36 garga
Fix PLIST without LDAP
PR: 227926
Reported by: O. Hartmann
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Wednesday, 2 May 2018
|
13:09 garga
Update security/sudo to 1.8.23
PR: 227900
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Tuesday, 24 Apr 2018
|
16:52 garga
Add a new version of the patch committed in r468197 that fixes a regression
introduced by that version.
PR: 223587
Submitted by: Todd C. Miller <Todd.Miller@sudo.ws>
Reported by: vas@mpeks.tomsk.su
Obtained from: https://bugzilla.sudo.ws/show_bug.cgi?id=831
MFH: 2018Q2
Sponsored by: Rubicon Communications, LLC (Netgate)
|
11:07 garga
Add a patch to fix cryptographic digest in command specification for shell
scripts and other interpreted files. Error happens because fexecve() requires
/dev/fd to be mounted. This patch detects if /dev/fd/N exists before attempt
to use fexecve and workaround the issue.
PR: 223587
Submitted by: Todd C. Miller <Todd.Miller@sudo.ws>
Reported by: vas@mpeks.tomsk.su
Obtained from: https://bugzilla.sudo.ws/show_bug.cgi?id=831
MFH: 2018Q2
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 23 Apr 2018
|
18:43 garga
Last commit was supposed to be a local change for testing. Patch was not yet
ready for production. Reverting it for now.
|
18:40 garga
Add a patch to fix cryptographic digest in command specification for shell
scripts and other interpreted files. Error happens because fexecve() requires
/dev/fd to be mounted. This patch detects if /dev/fd/N exists before attempt
to use fexecve and workaround the issue.
PR: 223587
Submitted by: Todd C. Miller <Todd.Miller@sudo.ws>
Reported by: vas@mpeks.tomsk.su
Obtained from: https://www.sudo.ws/repos/sudo/rev/30f7c5d64104
MFH: 2018Q2
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Thursday, 19 Apr 2018
|
13:11 garga
- Add new options to security/sudo to make it possible to build it with
kerberos support.
- Bump PORTREVISION
PR: 225498
Submitted by: Cullum Smith <cullum@c0ffee.net>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Wednesday, 17 Jan 2018
|
15:07 garga
Update security/sudo to 1.8.22
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Monday, 13 Nov 2017
|
16:58 brd
Pull in an upstream patch for security/sudo to not coredump if the hostname is
not set.
PR: 222510
Approved by: garga
|
Monday, 18 Sep 2017
|
16:47 garga
Update security/sudo to 1.8.21p2
PR: 222194
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Tuesday, 5 Sep 2017
|
17:15 garga
Update security/sudo to 1.8.21p1
|
Tuesday, 29 Aug 2017
|
10:30 garga
- Update security/sudo to 1.8.21
PR: 221874
Submitted by: Yasuhiro KIMURA <yasu@utahime.org>
bdrewery (SIGINFO fix)
Sponsored by: Rubicon Communications, LLC (Netgate)
|
Friday, 11 Aug 2017
|
18:32 bdrewery
- Fix sudo sending a 2nd SIGINFO on ^T to processes, which is already
handled by the kernel sending it to the entire controlling terminal's
process group.
- This fixes ^T with 'sudo poudriere ...' showing a status log twice.
- This is intended to be upstreamed.
Approved by: garga (maintainer)
Tested by: swills, bdrewery
Reviewed/Discussed with: kib
Reported by: kwm, swills, bapt, dim, kib, many others
MFH: 2017Q3
|
Tuesday, 27 Jun 2017
|
13:49 garga
Fix the way ${PREFIX}/etc/sudoers.d is handled removing the workaround added in
r260609 and using @dir
PR: 220234
Submitted by: Jose Luis Duran <jlduran@gmail.com>
Sponsored by: Rubicon Communications (Netgate)
|
Thursday, 15 Jun 2017
|
11:01 mat
Starting in 1.8.20, the sample sudoers file has been installed twice,
once as sudoers.sample and once as sudoers.dist. Remove one of them.
PR: 219708
Submitted by: mat
Approved by: maintainer timeout
Sponsored by: Absolight
|
Saturday, 10 Jun 2017
|
14:10 garga
Update security/sudo to 1.8.20p2
Sponsored by: Rubicon Communications (Netgate)
|
Wednesday, 31 May 2017
|
12:42 cy
Update 1.8.20 --> 1.8.20p1
This release fixes a potential security issue that may allow a user to
bypass the "tty_ticket" constraints or overwrite an arbitrary file.
The issue is reported to only be present on Linux systems but I don't
think it hurts to update the FreeBSD port at this time.
Approved by: garga@ (maintainer)
MFH: 2017Q2
Differential Revision: D10997
|
Thursday, 11 May 2017
|
17:03 garga
Update security/sudo to 1.8.20
Sponsored by: Rubicon Communications (Netgate)
|
Monday, 16 Jan 2017
|
13:38 cy
Update 1.8.19p1 --> 1.8.19p2.
Major changes between sudo 1.8.19p2 and 1.8.19p1:
* Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address
or network is used in a host-based Defaults entry. Bug #766
* Added a missing check for the ignore_iolog_errors flag when
the sudoers plugin generates the I/O log file path name.
* Fixed a typo in sudo's vsyslog() replacement that resulted in
garbage being logged to syslog.
Approved by: garga (maintainer)
MFH: 2917Q1
Differential Revision: D9181
|
Tuesday, 20 Dec 2016
|
21:11 cy
Update 1.8.19 --> 1.8.19p1
As per sudo announcement:
* Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong
syslog priority and facility being used.
PR: 215447
Submitted by: myself (in pr 215447)
Approved by: garga (maintainer)
|
Monday, 19 Dec 2016
|
23:59 cy
Update 1.8.18p1 --> 1.8.19.
PR: 215434
Submitted by: cy
Reviewed by: garga (maintainer)
|
Friday, 28 Oct 2016
|
12:16 cy
Update 1.8.18 --> 1.8.18p1
From the sudo announcment:
Depending on your sudoers file configuration, the bug fixed in
1.8.18p1 may have a security impact. For more information, see
https://www.sudo.ws/alerts/noexec_wordexp.html
Approved by: garga@ (maintainer)
MFH: 2016Q4
Differential Revision: D8363
|
Wednesday, 21 Sep 2016
|
13:45 garga
Update security/sudo to 1.8.18
Sponsored by: Rubicon Communications (Netgate)
|
Thursday, 23 Jun 2016
|
00:55 garga
Update security/sudo to 1.8.17p1
MFH: 2016Q2
Sponsored by: Rubicon Communications (Netgate)
|
Monday, 20 Jun 2016
|
14:03 cy
Update 1.8.16 --> 1.8.17
PR: 210407
Submitted by: cy@
Approved by: garga@
MFH: 2016Q2
|
Saturday, 11 Jun 2016
|
20:39 garga
Add a patch to fix sudo bug #743 that causes a bug where it dereference
a NULL pointer when it looks up a negative cached entry which is stored
as a NULL passwd or group struct pointer
PR: 208198
Submitted by: Fredrik Eriksson <fredrik.eriksson@loopia.se>
Obtained from: https://www.sudo.ws/repos/sudo/rev/1d13341d53ec
Sponsored by: Rubicon Communications (Netgate)
|
20:11 garga
- Stop forcing -lssp_nonshared since libc already include it in every link.
It should fix build when world is built with WITHOUT_SSP
- Bump PORTREVISION
PR: 203380
Submitted by: Kenneth Salerno <kennethsalerno@yahoo.com>
Sponsored by: Rubicon Communications (Netgate)
|
Friday, 1 Apr 2016
|
14:25 mat
Remove ${PORTSDIR}/ from dependencies, categories r, s, t, and u.
With hat: portmgr
Sponsored by: Absolight
|
Number of commits found: 254 (showing only 100 on this page) |