17:11 Renato Botelho (garga) 

security/sudo: Mark SSSD option as deprecated

security/sssd is marked as deprecated, add a note on option description

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    b30c216

21:28 Dan Langille (dvl) 

security/sudo: rename the SSSD_DEVEL option to SSSD2

security/sssd-devel was renamed to security/sssd2

PR:		277077

    61cfe85

21:37 Dan Langille (dvl) 

security/sudo: re-add sssd-devel option

sudo already allows for the use of security/sssd (SSSD)

This patch allows for selecting security/sssd-devel (SSSD_DEVEL)
instead.

Also updates security/sssd-devel, elminating a circular dependency.

PR:		276598 272571

    2f448a8

14:02 Renato Botelho (garga) 

*/*: Restore GNU_CONFIGURE on my ports

I made a mistake and changed these ports to HAS_CONFIGURE when working
on MANPREFIX sanitization.  Restore proper macro usage and set
GNU_CONFIGURE_MANPREFIX properly to keep manpages installed under
${PREFIX}/share.

Reported by:	danfe
Sponsored by:	Rubicon Communications, LLC ("Netgate")

    08a9c4d

21:37 Renato Botelho (garga) 

security/sudo: Move manpages to ${PREFIX}/share

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    9385a69

14:17 Cy Schubert (cy) 

security/sudo: Update to 1.9.15p5

Major changes between sudo 1.9.15p5 and 1.9.15p4:

 * Fixed evaluation of the "lecture", "listpw", "verifypw", and
   "fdexec" sudoers Defaults settings when used without an explicit
   value.  Previously, if specified without a value they were
   evaluated as boolean "false", even when the negation operator
   ('!') was not present.

 * Fixed a bug introduced in sudo 1.9.14 that prevented LDAP
   netgroup queries using the NETGROUP_BASE setting from being
   performed.

 * Sudo will now transparently rename a user's lecture file from
   the older name-based path to the newer user-ID-based path.
   GitHub issue #342.

 * Fixed a bug introduced in sudo 1.9.15 that could cause a memory
   allocation failure if sysconf(_SC_LOGIN_NAME_MAX) fails.  Bug #1066.

PR:		276032
Approved by:	garga (maintainer)
MFH:		2024Q1

    82e608c

00:25 Cy Schubert (cy) 

security/sudo: Update to 1.9.15p4

Major changes between sudo 1.9.15p4 and 1.9.15p3:

 * Fixed a bug introduced in sudo 1.9.15 that could prevent a user's
   privileges from being listed by "sudo -l" if the sudoers entry
   in /etc/nsswitch.conf contains "[SUCCESS=return]".  This did not
   affect the ability to run commands via sudo.  Bug #1063.

PR:		275788
Approved by:	garga (maintainer)
MFH:		2023Q4

    fb89252

13:53 Cy Schubert (cy) 

security/sudo: Update to 1.9.15p3

Major changes between sudo 1.9.15p3 and 1.9.15p2:

 * Always disable core dumps when sudo sends itself a fatal signal.
   Fixes a problem where sudo could potentially dump core dump when
   it re-sends the fatal signal to itself.  This is only an issue
   if the command received a signal that would normally result in
   a core dump but the command did not actually dump core.

 * Fixed a bug matching a command with a relative path name when
   the sudoers rule uses shell globbing rules for the path name.
   Bug #1062.

 * Permit visudo to be run even if the local host name is not set.
   GitHub issue #332.

 * Fixed an editing error introduced in sudo 1.9.15 that could
   prevent sudoreplay from replaying sessions correctly.
   GitHub issue #334.

 * Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null"
   could hang on Linux systems.  GitHub issue #335.

 * Fixed a bug introduced in sudo 1.9.15 where Solaris privileges
   specified in sudoers were not applied to the command being run.

PR:		275754
Approved by:	garga (maintainer)
MFH:		2023Q4

    003e8e2

18:00 Renato Botelho (garga) 

security/sudo: Update to 1.9.15p2

* Fixed a bug on BSD systems where sudo would not restore the
  terminal settings on exit if the terminal had parity enabled.
  GitHub issue #326.

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    d4203ee

11:19 Renato Botelho (garga) 

security/sudo: Update to 1.9.15p1

* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
  sudoers from being able to read the ldap.conf file.
  GitHub issue #325.

PR:		274960
Reported by:	Daniel Porsch <daniel.porsch@loopia.se>
Sponsored by:	Rubicon Communications, LLC ("Netgate")

    2c9adde

18:13 Renato Botelho (garga) 

security/sudo: Update to 1.9.15

While here:

- Prevent combination of SSSD and GSSAPI_HEIMDAL because sssd port
  requires MIT kerberos and it will conflict with heimdal
- Removed SSSD_DEVEL option because sssd-devel port requires sudo and it
  creates a circular dependency
- Fix OPIE on FreeBSD versions after it was removed from base

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    dd773c1

12:00 Renato Botelho (garga) 

security/sudo: Fix build with openssl from ports

Since SSL support is being changed and sudo can be built without it, add
a new SSL option, on by default.

When option is enabled, use --enable-openssl=${OPENSSLBASE} to make sure
it consumes desired OpenSSL implementation.  Also add pkgconfig
dependency because configure script rely on it to detect openssl
details.

PR:		274753
Reported by:	tburns@hrsd.com
Sponsored by:	Rubicon Communications, LLC ("Netgate")

    dbc4e4d

13:44 Cy Schubert (cy) 

security/sudo: Update to 1.9.14p3

Major changes between sudo 1.9.14p3 and 1.9.14p2:

 * Fixed a crash with Python 3.12 when the sudo Python python is
   unloaded.  This only affects "make check" for the Python plugin.

 * Adapted the sudo Python plugin test output to match Python 3.12.

PR:		272707
Approved by:	garga (maintainer)
MFH:		2023Q3

    2e3e2b5

14:20 Renato Botelho (garga) 

security/sudo: Update to 1.9.14p2

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    bc8853e

13:06 Dan Langille (dvl) 

security/sudo: add sssd-devel option

security/sudo already allows for the use of security/sssd (SSSD)

This patch allows for selecting security/sssd-devel (SSSD_DEVEL)
instead.

PR:		272488

    c90c4cc

12:46 Cy Schubert (cy) 

security/sudo: Update to 1.9.14p1

Major changes between sudo 1.9.14p1 and 1.9.14:

 * Fixed an "invalid free" bug in sudo_logsrvd that was introduced
   in version 1.9.14 which could cause sudo_logsrvd to crash.

 * The sudoers plugin no longer tries to send the terminal name
   to the log server when no terminal is present.  This bug was
   introduced in version 1.9.14.

PR:             272456
Approved by:    garga (maintainer)
MFH:            2023Q3

    7bc586a

12:44 Cy Schubert (cy) 

Revert "security/sudo: Update to 1.9.14p1"

I forgot to put the PR number in its placeholder.

This reverts commit af3f8976df6f16a1a2554537e9c35188db653d0f.

    c59ee60

12:42 Cy Schubert (cy) 

security/sudo: Update to 1.9.14p1

Major changes between sudo 1.9.14p1 and 1.9.14:

 * Fixed an "invalid free" bug in sudo_logsrvd that was introduced
   in version 1.9.14 which could cause sudo_logsrvd to crash.

 * The sudoers plugin no longer tries to send the terminal name
   to the log server when no terminal is present.  This bug was
   introduced in version 1.9.14.

PR:             NNNNNN
Approved by:    garga (maintainer)
MFH:            2023Q3

    af3f897

13:28 Cy Schubert (cy) 

security/sudo: Update to 1.9.14

PR:		272255
Approved by:	garga (maintainer)
MFH"		2023Q2

    20ef9f7

11:28 Renato Botelho (garga) 

security/sudo: Ignore portscout

It doesn't understand sudo versioning scheme and keep giving false
alerts.

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    8f55892

11:27 Renato Botelho (garga) 

security/sudo: Pacify portclippy

No functional changes intended

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    0601dee

03:48 Cy Schubert (cy)  Author: Yasuhiro Kimura

security/sudo: Update to 1.9.13p3

PR		270002
Approved by:	garga (maintainer - private email to myself, implicit)
		message-id: 816dd4b5-0a0d-3dd2-4bcc-c9b3b1a4ddfd@FreeBSD.org
MFH:		2023Q1
ChangeLog:	https://www.sudo.ws/releases/stable/#1.9.13p3

    6ab8398

23:58 Cy Schubert (cy) 

security/sudo: Update to 1.9.13p2

Major changes between sudo 1.9.13p2 and 1.9.13p1:

 * Fixed the --enable-static-sudoers option, broken in sudo 1.9.13.
   GitHub issue #245.

 * Fixed a potential double-free bug when matching a sudoers rule
   that contains a per-command chroot directive (CHROOT=dir).  This
   bug was introduced in sudo 1.9.8.

PR:		269854
Approved by:	garga
MFH:		2023Q1

    e974396

14:23 Renato Botelho (garga) 

security/sudo: Upgrade to 1.9.13p1

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    375637c

19:29 Cy Schubert (cy) 

security/sudo: Update to 1.9.13

Major changes between sudo 1.9.13 and 1.9.12p2:

 * Fixed a bug running relative commands via sudo when "log_subcmds"
   is enabled.  GitHub issue #194.

 * Fixed a signal handling bug when running sudo commands in a shell
   script.  Signals were not being forwarded to the command when
   the sudo process was not run in its own process group.

 * Fixed a bug in cvtsudoers' LDIF parsing when the file ends without
   a newline and a backslash is the last character of the file.

 * Fixed a potential use-after-free bug with cvtsudoers filtering.
   GitHub issue #198.

 * Added a reminder to the default lecture that the password will
   not echo. This line is only displayed when the pwfeedback option
   is disabled. GitHub issue #195.

 * Fixed potential memory leaks in error paths.  GitHub issues #199,
   #202.

 * Fixed potential NULL dereferences on memory allocation failure.
   GitHub issues #204, #211.

 * Sudo now uses C23-style attributes in function prototypes instead
   of gcc-style attributes if supported.

 * Added a new "list" pseudo-command in sudoers to allow a user to
   list another user's privileges.  Previously, only root or a user
   with the ability to run any command as either root or the target
   user on the current host could use the -U option.  This also
   includes a fix to the log entry when a user lacks permission to
   run "sudo -U otheruser -l command".  Previously, the logs would
   indicate that the user tried to run the actual command, now the
   log entry includes the list operation.

 * JSON logging now escapes control characters if they happen to
   appear in the command or environment.

 * New Albanian translation from translationproject.org.

 * Regular expressions in sudoers or logsrvd.conf may no longer
   contain consecutive repetition operators.  This is implementation-
   specific behavior according to POSIX, but some implementations
   will allocate excessive amounts of memory.  This mainly affects
   the fuzzers.

 * Sudo now builds AIX-style shared libraries and dynamic shared
   objects by default instead of svr4-style. This means that the
   default sudo plugins are now .a (archive) files that contain a
   .so shared object file instead of bare .so files.  This was done
   to improve compatibility with the AIX Freeware ecosystem,
   specifically, the AIX Freeware build of OpenSSL.  Sudo will still
   load svr4-style .so plugins and if a .so file is requested,
   either via sudo.conf or the sudoers file, and only the .a file
   is present, sudo will convert the path from plugin.so to
   plugin.a(plugin.so) when loading it.  This ensures compatibility
   with existing configurations.  To restore the old, pre-1.9.13
   behavior, run configure using the --with-aix-soname=svr4 option.

 * Sudo no longer checks the ownership and mode of the plugins that
   it loads.  Plugins are configured via either the sudo.conf or
   sudoers file which are trusted configuration files.  These checks
   suffered from time-of-check vs. time-of-use race conditions and
   complicate loading plugins that are not simple paths.  Ownership
   and mode checks are still performed when loading the sudo.conf
   and sudoers files, which do not suffer from race conditions.
   The sudo.conf "developer_mode" setting is no longer used.

 * Control characters in sudo log messages and "sudoreplay -l"
   output are now escaped in octal format.  Space characters in the
   command path are also escaped.  Command line arguments that
   contain spaces are surrounded by single quotes and any literal
   single quote or backslash characters are escaped with a backslash.
   This makes it possible to distinguish multiple command line
   arguments from a single argument that contains spaces.

 * Improved support for DragonFly BSD which uses a different struct
   procinfo than either FreeBSD or 4.4BSD.

 * Fixed a compilation error on Linux arm systems running older
   kernels that may not define EM_ARM in linux/elf-em.h.
   GitHub issue #232.

 * Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined.
   Sudo will now link using -Wl,--no-undefined by default if possible.
   GitHub issue #234.

 * Fixed a bug executing a command with a very long argument vector
   when "log_subcmds" or "intercept" is enabled on a system where
   "intercept_type" is set to "trace".  GitHub issue #194.

 * When sudo is configured to run a command in a pseudo-terminal
   but the standard input is not connected to a terminal, the command
   will now be run as a background process.  This works around a
   problem running sudo commands in the background from a shell
   script where changing the terminal to raw mode could interfere
   with the interactive shell that ran the script.
   GitHub issue #237.

 * A missing include file in sudoers is no longer a fatal error
   unless the error_recovery plugin argument has been set to false.

PR:		269563
Submitted by:	cy
Reported by:	cy
Approved by:	garga
MFH:		2023Q1

    8bd6398

10:53 Muhammad Moinur Rahman (bofh) 

Mk/**ldap.mk: Convert USE_LDAP to USES=ldap

Convert the USE_LDAP=yes to USES=ldap and adds the following features:

- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
  RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features

Reviewed by:	delphij
Approved by:	portmgr
Differential Revision: https://reviews.freebsd.org/D38233

    6e1233b

17:08 Cy Schubert (cy) 

security/sudo: Update to 1.9.12p2

Major changes between sudo 1.9.12p2 and 1.9.12p1:

 * Fixed a compilation error on Linux/aarch64.  GitHub issue #197.

 * Fixed a potential crash introduced in the fix for GitHub issue #134.
   If a user's sudoers entry did not have any RunAs user's set,
   running "sudo -U otheruser -l" would dereference a NULL pointer.

 * Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
   from creating a I/O files when the "iolog_file" sudoers setting
   contains six or more Xs.

 * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
   that coud allow a malicious user with sudoedit privileges to
   edit arbitrary files.

PR:		269030
Submitted by:	cy
Reported by:	cy
Approved by:	garga
MFH:		2023Q1
Security:	CVE-2023-22809

    8f8bd81

15:33 Cy Schubert (cy) 

security/sudo: Update to 1.9.12p1

This release includes fixes to minor bugs, including a fix for
CVE-2022-43995, a non-exploitable potential out-of-bounds write on
systems that do not use PAM, AIX authentication or BSD authentication.

PR:		267617
Approved by:	garga (Maintainer)
MFH:		2022Q4
Security:	CVE-2022-43995

    271b349

15:30 Renato Botelho (garga) 

security/sudo: Update to 1.9.12

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    8885a02

21:10 Stefan Eßer (se) 

Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.

There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.

The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.

Approved by:		portmgr (tcberner)

    b7f0544

14:22 Tobias C. Berner (tcberner) 

security: remove 'Created by' lines

A big Thank You to the original contributors of these ports:

  *  <ports@c0decafe.net>
  *  Aaron Dalton <aaron@FreeBSD.org>
  *  Adam Weinberger <adamw@FreeBSD.org>
  *  Ade Lovett <ade@FreeBSD.org>
  *  Aldis Berjoza <aldis@bsdroot.lv>
  *  Alex Dupre <ale@FreeBSD.org>
  *  Alex Kapranoff <kappa@rambler-co.ru>
  *  Alex Samorukov <samm@freebsd.org>
  *  Alexander Botero-Lowry <alex@foxybanana.com>
  *  Alexander Kriventsov <avk@vl.ru>
  *  Alexander Leidinger <netchild@FreeBSD.org>
  *  Alexander Logvinov <ports@logvinov.com>
  *  Alexander Y. Grigoryev <alexander.4mail@gmail.com>
  *  Alexey Dokuchaev <danfe@FreeBSD.org>
  *  Alfred Perlstein
  *  Alfred Perlstein <alfred@FreeBSD.org>
  *  Anders Nordby <anders@FreeBSD.org>
  *  Anders Nordby <anders@fix.no>
  *  Andreas Klemm <andreas@klemm.gtn.com>
  *  Andrew Lewis <freeghb@gmail.com>
  *  Andrew Pantyukhin <infofarmer@FreeBSD.org>
  *  Andrew St. Jean <andrew@arda.homeunix.net>
  *  Anes Mukhametov <anes@anes.su>
  *  Antoine Brodin <antoine@FreeBSD.org>
  *  Anton Berezin <tobez@FreeBSD.org>
  *  Antonio Carlos Venancio Junior (<antonio@inf.ufsc.br>)
  *  Antonio Carlos Venancio Junior <antonio@inf.ufsc.br>
  *  Ashish SHUKLA <ashish@FreeBSD.org>
  *  Attila Nagy <bra@fsn.hu>
  *  Autrijus Tang <autrijus@autrijus.org>
  *  Axel Rau <axel.rau@chaos1.de>
  *  Babak Farrokhi <farrokhi@FreeBSD.org>
  *  Ben Woods <woodsb02@FreeBSD.org>
  *  Bernard Spil <brnrd@FreeBSD.org>
  *  Bernard Spil <brnrd@freebsd.org>
  *  Blaz Zupan <blaz@si.FreeBSD.org>
  *  Bob Hockney <zeus@ix.netcom.com>
  *  Boris Kochergin <spawk@acm.poly.edu>
  *  Brendan Molloy <brendan+freebsd@bbqsrc.net>
  *  Bruce M Simpson
  *  Bruce M Simpson <bms@FreeBSD.org>
  *  Bruce M. Simpson <bms@FreeBSD.org>
  *  Carlo Strub
  *  Carlo Strub <cs@FreeBSD.org>
  *  Carlos J Puga Medina <cpm@FreeBSD.org>
  *  Carlos J Puga Medina <cpm@fbsd.es>
  *  Charlie Root <se@FreeBSD.org>
  *  Cheng-Lung Sung <clsung@FreeBSD.org>
  *  Cheng-Lung Sung <clsung@dragon2.net>
  *  Chie Taguchi <taguchi.ch@gmail.com>
  *  Chris Cowart <ccowart@rescomp.berkeley.edu>
  *  Chris D. Faulhaber <jedgar@FreeBSD.org>
  *  Christer Edwards <christer.edwards@gmail.com>
  *  Christian Lackas
  *  Christopher Hall <hsw@bitmark.com>
  *  Clement Laforet <sheepkiller@cultdeadsheep.org>
  *  Clive Lin <clive@CirX.ORG>
  *  Colin Percival
  *  Cory McIntire (loon@noncensored.com)
  *  Craig Leres <leres@FreeBSD.org>
  *  Cristiano Deana <cris@gufi.org>
  *  Cy Schubert (Cy.Schubert@uumail.gov.bc.ca)
  *  Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
  *  Cy Schubert <cy@FreeBSD.org>
  *  Damian Gerow <dgerow@afflictions.org>
  *  Damien Bobillot
  *  Dan Langille
  *  Dan Langille <dan@freebsddiary.org>
  *  Dan Langille <dvl@FreeBSD.org>
  *  Dan Langille <dvl@freebsd.org>
  *  Dan Langille <dvl@sourcefire.com>
  *  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  *  Daniel Roethlisberger <daniel@roe.ch>
  *  Danilo Egea Gondolfo <danilo@FreeBSD.org>
  *  Danton Dorati <urisso@bsd.com.br>
  *  Dave McKay <dave@mu.org>
  *  David E. Thiel <lx@FreeBSD.org>
  *  David O'Brien (obrien@NUXI.com)
  *  David O'Brien <obrien@FreeBSD.org>
  *  David Thiel <lx@redundancy.redundancy.org>
  *  Dean Hollister <dean@odyssey.apana.org.au>
  *  Denis Shaposhnikov <dsh@vlink.ru>
  *  Dereckson <dereckson@gmail.com>
  *  Dirk Froemberg <dirk@FreeBSD.org>
  *  Ditesh Shashikant Gathani <ditesh@gathani.org>
  *  Dom Mitchell <dom@happygiraffe.net>
  *  Dominic Marks <dominic.marks@btinternet.com>
  *  Don Croyle <croyle@gelemna.org>
  *  Douglas Thrift <douglas@douglasthrift.net>
  *  Edson Brandi <ebrandi@fugspbr.org>
  *  Edwin Groothuis <edwin@mavetju.org>
  *  Ekkehard 'Ekki' Gehm <gehm@physik.tu-berlin.de>
  *  Emanuel Haupt <ehaupt@FreeBSD.org>
  *  Emanuel Haupt <ehaupt@critical.ch>
  *  Eric Crist <ecrist@secure-computing.net>
  *  Erwin Lansing <erwin@FreeBSD.org>
  *  Eugene Grosbein <eugen@FreeBSD.org>
  *  Fabian Keil <fk@fabiankeil.de>
  *  Felix Palmen <felix@palmen-it.de>
  *  Florent Thoumie <flz@xbsd.org>
  *  Foxfair Hu <foxfair@FreeBSD.org>
  *  Frank Laszlo <laszlof@vonostingroup.com>
  *  Frank Wall <fw@moov.de>
  *  Franz Bettag <franz@bett.ag>
  *  Gabor Kovesdan
  *  Gabor Kovesdan <gabor@FreeBSD.org>
  *  Gabriel M. Dutra <0xdutra@gmail.com>
  *  Gary Hayers <Gary@Hayers.net>
  *  Gasol Wu <gasol.wu@gmail.com>
  *  Gea-Suan Lin <gslin@gslin.org>
  *  George Reid <greid@ukug.uk.freebsd.org>
  *  George Reid <services@nevernet.net>
  *  Greg Larkin <glarkin@FreeBSD.org>
  *  Greg V <greg@unrelenting.technology>
  *  Gregory Neil Shapiro <gshapiro@FreeBSD.org>
  *  Grzegorz Blach <gblach@FreeBSD.org>
  *  Guangyuan Yang <ygy@FreeBSD.org>
  *  Hakisho Nukama <nukama@gmail.com>
  *  Hammurabi Mendes <hmendes@brturbo.com>
  *  Henk van Oers <hvo.pm@xs4all.nl>
  *  Horia Racoviceanu <horia@racoviceanu.com>
  *  Hung-Yi Chen <gaod@hychen.org>
  *  Jaap Akkerhuis <jaap@NLnetLabs.nl>
  *  Jaap Boender <jaapb@kerguelen.org>
  *  Jacek Serwatynski <tutus@trynet.eu.org>
  *  James FitzGibbon <jfitz@FreeBSD.org>
  *  James Thomason <james@divide.org>
  *  Jan-Peter Koopmann <Jan-Peter.Koopmann@seceidos.de>
  *  Janky Jay <ek@purplehat.org>
  *  Janos Mohacsi
  *  Janos Mohacsi <janos.mohacsi@bsd.hu>
  *  Jean-Yves Lefort <jylefort@brutele.be>
  *  Jim Geovedi <jim@corebsd.or.id>
  *  Jim Ohlstein <jim@ohlste.in>
  *  Joe Clarke <marcus@marcuscom.com>
  *  Joe Marcus Clarke <marcus@FreeBSD.org>
  *  Johann Visagie <johann@egenetics.com>
  *  Johann Visagie <wjv@FreeBSD.org>
  *  John Ferrell <jdferrell3@yahoo.com>
  *  John Hixson <jhixson@gmail.com>
  *  John Polstra <jdp@polstra.com>
  *  John W. O'Brien <john@saltant.com>
  *  John-Mark Gurney <jmg@FreeBSD.org>
  *  Jose Alonso Cardenas Marquez <acardenas@bsd.org.pe>
  *  Joseph Benden <joe@thrallingpenguin.com>
  *  Joshua D. Abraham <jabra@ccs.neu.edu>
  *  Jov <amutu@amutu.com>
  *  Jui-Nan Lin <jnlin@freebsd.cs.nctu.edu.tw>
  *  Ka Ho Ng <khng300@gmail.com>
  *  Kay Lehmann <kay_lehmann@web.de>
  *  Keith J. Jones <kjones@antihackertoolkit.com>
  *  Kevin Zheng <kevinz5000@gmail.com>
  *  Kimura Fuyuki <fuyuki@hadaly.org>
  *  Kimura Fuyuki <fuyuki@mj.0038.net>
  *  Klayton Monroe <klm@uidzero.org>
  *  Konstantin Menshikov <kostjnspb@yandex.ru>
  *  Koop Mast <kwm@FreeBSD.org>
  *  Kris Kennaway <kris@FreeBSD.org>
  *  Kubilay Kocak <koobs@FreeBSD.org>
  *  Kurt Jaeger <fbsd-ports@opsec.eu>
  *  LEVAI Daniel <leva@ecentrum.hu>
  *  Lars Engels <lme@FreeBSD.org>
  *  Lars Thegler <lth@FreeBSD.org>
  *  Laurent LEVIER <llevier@argosnet.com>
  *  Luiz Eduardo R. Cordeiro
  *  Lukas Slebodnik <lukas.slebodnik@intrak.sk>
  *  Lukasz Komsta
  *  Mageirias Anastasios <anastmag@gmail.com>
  *  Marcel Prisi <marcel.prisi@virtua.ch>
  *  Marcello Coutinho
  *  Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
  *  Mark Felder <feld@FreeBSD.org>
  *  Mark Hannon <markhannon@optusnet.com.au>
  *  Mark Murray <markm@FreeBSD.org>
  *  Mark Pulford <mark@kyne.com.au>
  *  Marko Njezic <sf@maxempire.com>
  *  Martin Matuska <martin@tradex.sk>
  *  Martin Matuska <mm@FreeBSD.org>
  *  Martin Mersberger
  *  Martin Wilke <miwi@FreeBSD.org>
  *  Martti Kuparinen <martti.kuparinen@ericsson.com>
  *  Mateusz Piotrowski <0mp@FreeBSD.org>
  *  Matt <matt@xtaz.net>
  *  Matt Behrens <matt@zigg.com>
  *  Matthias Andree <mandree@FreeBSD.org>
  *  Matthias Fechner <mfechner@FreeBSD.org>
  *  Matthieu BOUTHORS <matthieu@labs.fr>
  *  Maxim Sobolev <sobomax@FreeBSD.org>
  *  Meno Abels <meno.abels@adviser.com>
  *  Michael Haro <mharo@FreeBSD.org>
  *  Michael Johnson <ahze@FreeBSD.org>
  *  Michael Nottebrock <lofi@FreeBSD.org>
  *  Michael Reifenberger <mr@FreeBSD.org>
  *  Michael Schout <mschout@gkg.net>
  *  Michal Bielicki <m.bielicki@llizardfs.com>
  *  Michiel van Baak <michiel@vanbaak.eu
  *  Mij <mij@bitchx.it>
  *  Mike Heffner <mheffner@vt.edu>
  *  Mikhail T. <m.tsatsenko@gmail.com>
  *  Mikhail Teterin <mi@aldan.algebra.com>
  *  Milan Obuch
  *  Mosconi <mosconi.rmg@gmail.com>
  *  Muhammad Moinur Rahman <5u623l20@gmail.com>
  *  Mustafa Arif <ma499@doc.ic.ac.uk>
  *  Neil Booth
  *  Neil Booth <kyuupichan@gmail.com>
  *  Nick Barkas <snb@threerings.net>
  *  Nicola Vitale <nivit@FreeBSD.org>
  *  Niels Heinen
  *  Nikola Kolev <koue@chaosophia.net>
  *  Nobutaka Mantani <nobutaka@FreeBSD.org>
  *  Oliver Lehmann
  *  Oliver Lehmann <oliver@FreeBSD.org>
  *  Olivier Duchateau
  *  Olivier Duchateau <duchateau.olivier@gmail.com>
  *  Olli Hauer
  *  Patrick Li <pat@databits.net>
  *  Paul Chvostek <paul@it.ca>
  *  Paul Schmehl <pauls@utdallas.edu>
  *  Pavel I Volkov <pavelivolkov@googlemail.com>
  *  Pete Fritchman <petef@databits.net>
  *  Peter Ankerstal <peter@pean.org>
  *  Peter Haight <peterh@sapros.com>
  *  Peter Johnson <johnson.peter@gmail.com>
  *  Peter Pentchev <roam@FreeBSD.org>
  *  Petr Rehor <rx@rx.cz>
  *  Philippe Audeoud <jadawin@tuxaco.net>
  *  Philippe Rocques <phil@teaser.fr>
  *  Piotr Kubaj <pkubaj@FreeBSD.org>
  *  Piotr Kubaj <pkubaj@anongoth.pl>
  *  Po-Chuan Hsieh <sunpoet@FreeBSD.org>
  *  RaRa Rasputin <rasputin@submonkey.net>
  *  Radim Kolar
  *  Ralf Meister
  *  Remington Lang <MrL0Lz@gmail.com>
  *  Renaud Chaput <renchap@cocoa-x.com>
  *  Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
  *  Roland van Laar <roland@micite.net>
  *  Romain Tartiere <romain@blogreen.org>
  *  Roman Bogorodskiy
  *  Roman Bogorodskiy <novel@FreeBSD.org>
  *  Roman Shterenzon <roman@xpert.com>
  *  Rong-En Fan <rafan@FreeBSD.org>
  *  Ryan Steinmetz <zi@FreeBSD.org>
  *  Sahil Tandon <sahil@tandon.net>
  *  Sascha Holzleiter <sascha@root-login.org>
  *  SeaD
  *  Seamus Venasse <svenasse@polaris.ca>
  *  Sean Greven <sean.greven@gmail.com>
  *  Sebastian Schuetz <sschuetz@fhm.edu>
  *  Sergei Kolobov <sergei@FreeBSD.org>
  *  Sergei Kolobov <sergei@kolobov.com>
  *  Sergei Vyshenski
  *  Sergei Vyshenski <svysh.fbsd@gmail.com>
  *  Sergey Skvortsov <skv@protey.ru>
  *  Seth Kingsley <sethk@meowfishies.com>
  *  Shaun Amott <shaun@inerd.com>
  *  Simeon Simeonov <sgs@pichove.org>
  *  Simon Dick <simond@irrelevant.org>
  *  Sofian Brabez <sbrabez@gmail.com>
  *  Stanislav Sedov <ssedov@mbsd.msk.ru>
  *  Stefan Esser <se@FreeBSD.org>
  *  Stefan Grundmann
  *  Stefan Walter <sw@gegenunendlich.de>
  *  Stephon Chen <stephon@gmail.com>
  *  Steve Wills <steve@mouf.net>
  *  Steve Wills <swills@FreeBSD.org>
  *  Steven Kreuzer
  *  Steven Kreuzer <skreuzer@exit2shell.com>
  *  Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
  *  TAKAHASHI Kaoru <kaoru@kaisei.org>
  *  TAKATSU Tomonari <tota@FreeBSD.org>
  *  Tatsuki Makino <tatsuki_makino@hotmail.com>
  *  Thibault Payet <monwarez@mailoo.org>
  *  Thierry Thomas (<thierry@pompo.net>)
  *  Thierry Thomas <thierry@pompo.net>
  *  Thomas Hurst <tom@hur.st>
  *  Thomas Quinot <thomas@cuivre.fr.eu.org>
  *  Thomas Zander <riggs@FreeBSD.org>
  *  Thomas von Dein <freebsd@daemon.de>
  *  Tilman Linneweh <arved@FreeBSD.org>
  *  Tim Bishop <tim@bishnet.net>
  *  Tom Judge <tom@tomjudge.com>
  *  Tomoyuki Sakurai <cherry@trombik.org>
  *  Toni Viemerö <toni.viemero@iki.fi>
  *  Tony Maher
  *  Torsten Zuhlsdorff <ports@toco-domains.de>
  *  Travis Campbell <hcoyote@ghostar.org>
  *  Tsung-Han Yeh <snowfly@yuntech.edu.tw>
  *  Ulf Lilleengen
  *  Vaida Bogdan <vaida.bogdan@gmail.com>
  *  Valentin Zahariev <curly@e-card.bg>
  *  Valerio Daelli <valerio.daelli@gmail.com>
  *  Veniamin Gvozdikov <vg@FreeBSD.org>
  *  Victor Popov
  *  Victor Popov <v.a.popov@gmail.com>
  *  Vsevolod Stakhov
  *  Vsevolod Stakhov <vsevolod@FreeBSD.org>
  *  Wen Heping <wen@FreeBSD.org>
  *  Wen Heping <wenheping@gmail.com>
  *  Yarodin <yarodin@gmail.com>
  *  Yen-Ming Lee <leeym@FreeBSD.org>
  *  Yen-Ming Lee <leeym@cae.ce.ntu.edu.tw>
  *  Yen-Ming Lee <leeym@leeym.com>
  *  Ying-Chieh Liao <ijliao@FreeBSD.org>
  *  Yonatan <Yonatan@Xpert.com>
  *  Yonatan <onatan@gmail.com>
  *  Yoshisato YANAGISAWA
  *  Yuri Victorovich
  *  Yuri Victorovich <yuri@rawbw.com>
  *  Zach Thompson <hideo@lastamericanempire.com>
  *  Zane C. Bowers <vvelox@vvelox.net>
  *  Zeus Panchenko <zeus@gnu.org.ua>
  *  ache
  *  adamw
  *  ajk@iu.edu
  *  alex@FreeBSD.org
  *  allan@saddi.com
  *  alm
  *  andrej@ebert.su
  *  andrew@scoop.co.nz
  *  andy@fud.org.nz
  *  antoine@FreeBSD.org
  *  arved
  *  barner
  *  brix@FreeBSD.org
  *  buganini@gmail.com
  *  chinsan
  *  chris@still.whet.org
  *  clement
  *  clsung
  *  crow
  *  cy@FreeBSD.org
  *  dominik karczmarski <dominik@karczmarski.com>
  *  dwcjr@inethouston.net
  *  eivind
  *  erich@rrnet.com
  *  erwin@FreeBSD.org
  *  girgen@FreeBSD.org
  *  glen.j.barber@gmail.com
  *  hbo@egbok.com
  *  ijliao
  *  jesper
  *  jfitz
  *  johans
  *  joris
  *  kftseng@iyard.org
  *  kris@FreeBSD.org
  *  lx
  *  markm
  *  mharo@FreeBSD.org
  *  michaelnottebrock@gmx.net
  *  mnag@FreeBSD.org
  *  mp39590@gmail.com
  *  nbm
  *  nectar@FreeBSD.org
  *  nork@FreeBSD.org
  *  nork@cityfujisawa.ne.jp
  *  nsayer@FreeBSD.org
  *  nsayer@quack.kfu.com
  *  ntarmos@cs.uoi.gr
  *  oly
  *  onatan@gmail.com
  *  pandzilla
  *  patrick@mindstep.com
  *  pauls
  *  perl@FreeBSD.org
  *  petef@FreeBSD.org
  *  peter.thoenen@yahoo.com
  *  ports@c0decafe.net
  *  ports@rbt.ca
  *  roam@FreeBSD.org
  *  rokaz
  *  sada@FreeBSD.org
  *  scrappy
  *  se
  *  shane@freebsdhackers.net aka modsix@gmail.com
  *  snb@threerings.net
  *  sumikawa
  *  sviat
  *  teramoto@comm.eng.osaka-u.ac.jp
  *  thierry@pompo.net
  *  tobez@FreeBSD.org
  *  torstenb@FreeBSD.org
  *  trasz <trasz@pin.if.uz.zgora.pl>
  *  trevor
  *  truckman
  *  vanhu
  *  vanilla@
  *  wen@FreeBSD.org
  *  will

With hat:	portmgr

    857c05f

17:56 Renato Botelho (garga) 

security/sudo: Update to 1.9.11p3

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    c6a7564

14:05 Cy Schubert (cy) 

security/sudo: Update to 1.9.11p2 -- Fix regressions

Major changes between sudo 1.9.11p2 and 1.9.11p1:

 * Fixed a compilation error on Linux/x86_64 with the x32 ABI.

 * Fixed a regression introduced in 1.9.11p1 that caused a warning
   when logging to sudo_logsrvd if the command returned no output.

PR:		264643
Approved by:	garga (maintainer)

    7c653e8

20:41 Cy Schubert (cy) 

security/sudo: Update to 1.9.11p1

Major changes between sudo 1.9.11p1 and 1.9.11:

 * Correctly handle EAGAIN in the I/O read/right events.  This fixes
   a hang seen on some systems when piping a large amount of data
   through sudo, such as via rsync.  Bug #963.

 * Changes to avoid implementation or unspecified behavior when
   bit shifting signed values in the protobuf library.

 * Fixed a compilation error on Linux/aarch64.

 * Fixed the configure check for seccomp(2) support on Linux.

 * Corrected the EBNF specification for tags in the sudoers manual
   page.  GitHub issue #153.

Major changes between sudo 1.9.11 and 1.9.10:

 * Fixed a crash in the Python module with Python 3.9.10 on some
   systems.  Additionally, "make check" now passes for Python 3.9.10.

 * Error messages sent via email now include more details, including
   the file name and the line number and column of the error.
   Multiple errors are sent in a single message.  Previously, only
   the first error was included.

 * Fixed logging of parse errors in JSON format.  Previously,
   the JSON logger would not write entries unless the command and
   runuser were set.  These may not be known at the time a parse
   error is encountered.

 * Fixed a potential crash parsing sudoers lines larger than twice
   the value of LINE_MAX on systems that lack the getdelim() function.

 * The tests run by "make check" now unset the LANGUAGE environment
   variable.  Otherwise, localization strings will not match if
   LANGUAGE is set to a non-English locale.  Bug #1025.

 * The "starttime" test now passed when run under Debian faketime.
   Bug #1026.

 * The Kerberos authentication module now honors the custom password
   prompt if one has been specified.

 * The embedded copy of zlib has been updated to version 1.2.12.

 * Updated the version of libtool used by sudo to version 2.4.7.

 * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
   in the header files (currently only GNU libc).  This is required
   to allow the use of 64-bit time values on some 32-bit systems.

 * Sudo's "intercept" and "log_subcmds" options no longer force the
   command to run in its own pseudo-terminal.  It is now also
   possible to intercept the system(3) function.

 * Fixed a bug in sudo_logsrvd when run in store-first relay mode
   where the commit point messages sent by the server were incorrect
   if the command was suspended or received a window size change
   event.

 * Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
   configuration setting was used.

 * The "intercept" and "log_subcmds" functionality can now use
   ptrace(2) on Linux systems that support seccomp(2) filtering.
   This has the advantage of working for both static and dynamic
   binaries and can work with sudo's SELinux RBAC mode.  The following
   architectures are currently supported: i386, x86_64, aarch64,
   arm, mips (log_subcmds only), powerpc, riscv, and s390x.  The
   default is to use ptrace(2) where possible; the new "intercept_type"
   sudoers setting can be used to explicitly set the type.

 * New Georgian translation from translationproject.org.

 * Fixed creating packages on CentOS Stream.

 * Fixed a bug in the intercept and log_subcmds support where
   the execve(2) wrapper was using the current environment instead
   of the passed environment pointer.  Bug #1030.

 * Added AppArmor integration for Linux.  A sudoers rule can now
   specify an APPARMOR_PROFILE option to run a command confined by
   the named AppArmor profile.

 * Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
   Non-paths were being treated as paths and an actual path was
   treated as an error.

PR:		264554
Approved by:	garga (maintainer)

    7e42695

13:51 Cy Schubert (cy) 

security/sudo: Update to 1.9.11

Major changes between sudo 1.9.11 and 1.9.10:

 * Fixed a crash in the Python module with Python 3.9.10 on some
   systems.  Additionally, "make check" now passes for Python 3.9.10.

 * Error messages sent via email now include more details, including
   the file name and the line number and column of the error.
   Multiple errors are sent in a single message.  Previously, only
   the first error was included.

 * Fixed logging of parse errors in JSON format.  Previously,
   the JSON logger would not write entries unless the command and
   runuser were set.  These may not be known at the time a parse
   error is encountered.

 * Fixed a potential crash parsing sudoers lines larger than twice
   the value of LINE_MAX on systems that lack the getdelim() function.

 * The tests run by "make check" now unset the LANGUAGE environment
   variable.  Otherwise, localization strings will not match if
   LANGUAGE is set to a non-English locale.  Bug #1025.

 * The "starttime" test now passed when run under Debian faketime.
   Bug #1026.

 * The Kerberos authentication module now honors the custom password
   prompt if one has been specified.

 * The embedded copy of zlib has been updated to version 1.2.12.

 * Updated the version of libtool used by sudo to version 2.4.7.

 * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
   in the header files (currently only GNU libc).  This is required
   to allow the use of 64-bit time values on some 32-bit systems.

 * Sudo's "intercept" and "log_subcmds" options no longer force the
   command to run in its own pseudo-terminal.  It is now also
   possible to intercept the system(3) function.

 * Fixed a bug in sudo_logsrvd when run in store-first relay mode
   where the commit point messages sent by the server were incorrect
   if the command was suspended or received a window size change
   event.

 * Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
   configuration setting was used.

 * The "intercept" and "log_subcmds" functionality can now use
   ptrace(2) on Linux systems that support seccomp(2) filtering.
   This has the advantage of working for both static and dynamic
   binaries and can work with sudo's SELinux RBAC mode.  The following
   architectures are currently supported: i386, x86_64, aarch64,
   arm, mips (log_subcmds only), powerpc, riscv, and s390x.  The
   default is to use ptrace(2) where possible; the new "intercept_type"
   sudoers setting can be used to explicitly set the type.

 * New Georgian translation from translationproject.org.

 * Fixed creating packages on CentOS Stream.

 * Fixed a bug in the intercept and log_subcmds support where
   the execve(2) wrapper was using the current environment instead
   of the passed environment pointer.  Bug #1030.

 * Added AppArmor integration for Linux.  A sudoers rule can now
   specify an APPARMOR_PROFILE option to run a command confined by
   the named AppArmor profile.

 * Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
   Non-paths were being treated as paths and an actual path was
   treated as an error.

PR:		264515
Approved by:	garga (maintainer)

    3ee710e

15:04 Cy Schubert (cy) 

security/sudo: Update to 1.9.10

PR:		262331
Approved by:	garga (maintainer)

    c003f33

11:04 Renato Botelho (garga)  Author: Yasuhiro Kimura

security/sudo: Update to 1.9.9

PR:		261529
Sponsored by:	Rubicon Communications, LLC ("Netgate")

    af389a6

13:51 Cy Schubert (cy) 

security/sudo: Update to 1.9.8p2

Major changes between sudo 1.9.8p2 and 1.9.8p1:

 * Fixed a potential out-of-bounds read with "sudo -i" when the
   target user's shell is bash.  This is a regression introduced
   in sudo 1.9.8.  Bug #998.

 * sudo_logsrvd now only sends a log ID for first command of a session.
   There is no need to send the log ID for each sub-command.

 * Fixed a few minor memory leaks in intercept mode.

 * Fixed a problem with sudo_logsrvd in relay mode if "store_first"
   was enabled when handling sub-commands.  A new zero-length journal
   file was created for each sub-command instead of simply using
   the existing journal file.

PR:		258666
Submitted by:	cy
Reported by:	cy
Approved by:	garga (maintainer)
MFH:		2021Q3

    3c5b4da

15:33 Cy Schubert (cy) 

security/sudo: Update to 1.9.8p1 to fix LDAP SEGFAULT

Sudo version 1.9.8 patchelevel 1 is now available which fixes a few
regressions introduced in sudo 1.9.8.

Source:
    https://www.sudo.ws/dist/sudo-1.9.8p1.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.8p1.tar.gz

SHA256 checksum:
    0939ee24df7095a92e0ca4aa3bd53b2a10965a7b921d51a26ab70cdd24388d69
MD5 checksum:
    ae9c8b32268f27d05bcdcb8f0c04d461

Binary packages:
    https://www.sudo.ws/download.html#binary
    https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_8

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.8p1 and 1.9.8:

 * Fixed support for passing a prompt (sudo -p) or a login class
   (sudo -c) on the command line.  This is a regression introduced
   in sudo 1.9.8.  Bug #993.

 * Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
   This is a regression introduced in sudo 1.9.8.  Bug #994.

 * Fixed a compilation error when the --enable-static-sudoers configure
   option was specified.  This is a regression introduced in sudo
   1.9.8 caused by a symbol clash with the intercept and log server
   protobuf functions.

PR:		258537
Submitted by:	cy
Reported by:	Adrian Waters <draenan _ gmail_com>
Approved by:	garga (maintainer)
MFH:		2021Q3

    549e87a

16:50 Cy Schubert (cy) 

securty/sudo: Update to 1.9.8

Major changes between sudo 1.9.8 and 1.9.7p2:

 * It is now possible to transparently intercepting sub-commands
   executed by the original command run via sudo.  Intercept support
   is implemented using LD_PRELOAD (or the equivalent supported by
   the system) and so has some limitations.  The two main limitations
   are that only dynamic executables are supported and only the
   execl, execle, execlp, execv, execve, execvp, and execvpe library
   functions are currently intercepted. Its main use case is to
   support restricting privileged shells run via sudo.

   To support this, there is a new "intercept" Defaults setting and
   an INTERCEPT command tag that can be used in sudoers.  For example:

    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    Defaults!SHELLS intercept

   would cause sudo to run the listed shells in intercept mode.
   This can also be set on a per-rule basis.  For example:

    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    chuck ALL = INTERCEPT: SHELLS

   would only apply intercept mode to user "chuck" when running one
   of the listed shells.

   In intercept mode, sudo will not prompt for a password before
   running a sub-command and will not allow a set-user-ID or
   set-group-ID program to be run by default.  The new
   intercept_authenticate and intercept_allow_setid sudoers settings
   can be used to change this behavior.

 * The new "log_subcmds" sudoers setting can be used to log additional
   commands run in a privileged shell.  It uses the same mechanism as
   the intercept support described above and has the same limitations.

 * Support for logging sudo_logsrvd errors via syslog or to a file.
   Previously, most sudo_logsrvd errors were only visible in the
   debug log.

 * Better diagnostics when there is a TLS certificate validation error.

 * Using the "+=" or "-=" operators in a Defaults setting that takes
   a string, not a list, now produces a warning from sudo and a
   syntax error from inside visudo.

 * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
   had no effect when creating I/O log parent directories if the I/O log
   file name ended with the string "XXXXXX".

 * Fixed a bug in the sudoers custom prompt code where the size
   parameter that was passed to the strlcpy() function was incorrect.
   No overflow was possible since the correct amount of memory was
   already pre-allocated.

 * The mksigname and mksiglist helper programs are now built with
   the host compiler, not the target compiler, when cross-compiling.
   Bug #989.

 * Fixed compilation error when the --enable-static-sudoers configure
   option was specified.  This was due to a typo introduced in sudo
   1.9.7.  GitHub PR #113.

Submitted by:	cy
PR:		258479
Approved by:	garga (maintainer)
MFH:		2021Q3

    c403b78

13:10 Renato Botelho (garga)  Author: Yasuhiro Kimura

security/sudo: Update to 1.9.7p2

Sponsored by:	Rubicon Communications, LLC ("Netgate")

    6aeff2e

16:04 Cy Schubert (cy) 

securty/sudo: Update to 1.9.7p1

Major changes between sudo 1.9.7p1 and 1.9.7

 * Fixed an SELinux sudoedit bug when the edited temporary file
   could not be opened.  The sesh helper would still be run even
   when there are no temporary files available to install.

 * Fixed a compilation problem on FreeBSD.

 * The sudo_noexec.so file is now built as a module on all systems
   other than macOS.  This makes it possible to use other libtool
   implementations such as slibtool.  On macOS shared libraries and
   modules are not interchangeable and the version of libtool shipped
   with sudo must be used.

 * Fixed a few bugs in the getgrouplist() emulation on Solaris when
   reading from the local group file.

 * Fixed a bug in sudo_logsrvd that prevented periodic relay server
   connection retries from occurring in "store_first" mode.

 * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
   due to a crash when the group source is set to "compat" in
   /etc/nsswitch.conf.  This is probably due to a mismatch between
   include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
   HP-UX we now just cycle through groups the slow way using
   getgrent().  Bug #978.

PR:		256561
Submitted by:	cy
Reported by:	cy
Approved by:	garga (maintainer)
MFH:		2020Q2

    f34318c5

20:07 Cy Schubert (cy) 

security/sudo: update to 1.9.7

Among other changes this release fixes -fcommon errors. A complete list
of changes can be found at https://www.sudo.ws/stable.html/

PR:		255812
Submitted by:	Yasuhiro Kimura <yasu@utahime.org> (mostly)
Reported by:	Yasuhiro Kimura <yasu@utahime.org>
Tested by:	cy
Approved by:	garga (maintainer)
MFH:		2021Q2

    72d1eb1

14:31 Mathieu Arnold (mat) 

Remove # $FreeBSD$ from Makefiles.

    305f148

11:56 garga 

security/sudo: Update to 1.9.6p1

PR:		254260
Submitted by:	Yasuhiro Kimura <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC ("Netgate")

 

20:15 cy 

security/sudo - update 1.9.5p1 to 1.9.5p2

	(text/plain)
Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156
(aka Baron Samedit), a severe security vulnerability in sudo versions
1.8.2 through 1.9.5p1.  For more details, see:
    https://www.sudo.ws/alerts/unescape_overflow.html
    https://www.openwall.com/lists/oss-security/2021/01/26/3

Source:
    https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz
    SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978
    MD5 e6bc4c18c06346e6b3431637a2b5f3d5

Patch:
    https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz
    SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc
    MD5 2816f5fa537c61fb913046ef20b88e3b

Binary packages:
    https://www.sudo.ws/download.html#binary
    https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.5p2 and 1.9.5p1

 * Fixed sudo's setprogname(3) emulation on systems that don't
   provide it.

 * Fixed a problem with the sudoers log server client where a partial
   write to the server could result the sudo process consuming large
   amounts of CPU time due to a cycle in the buffer queue. Bug #954.

 * Added a missing dependency on libsudo_util in libsudo_eventlog.
   Fixes a link error when building sudo statically.

 * The user's KRB5CCNAME environment variable is now preserved when
   performing PAM authentication.  This fixes GSSAPI authentication
   when the user has a non-default ccache.

 * When invoked as sudoedit, the same set of command line options
   are now accepted as for "sudo -e".  The -H and -P options are
   now rejected for sudoedit and "sudo -e" which matches the sudo
   1.7 behavior.  This is part of the fix for CVE-2021-3156.

 * Fixed a potential buffer overflow when unescaping backslashes
   in the command's arguments.  Normally, sudo escapes special
   characters when running a command via a shell (sudo -s or sudo
   -i).  However, it was also possible to run sudoedit with the -s
   or -i flags in which case no escaping had actually been done,
   making a buffer overflow possible.  This fixes CVE-2021-3156.

Major changes between sudo 1.9.5p1 and 1.9.5

 * Fixed a regression introduced in sudo 1.9.5 where the editor run
   by sudoedit was set-user-ID root unless SELinux RBAC was in use.
   The editor is now run with the user's real and effective user-IDs.

Major changes between sudo 1.9.5 and 1.9.4p2

 * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
   unknown user.  This is related to but distinct from Bug #948.

 * If the "lecture_file" setting is enabled in sudoers, it must now
   refer to a regular file or a symbolic link to a regular file.

 * Fixed a potential use-after-free bug in sudo_logsrvd when the
   server shuts down if there are existing connections from clients
   that are only logging events and not session I/O data.

 * Fixed a buffer size mismatch when serializing the list of IP
   addresses for configured network interfaces.  This bug is not
   actually exploitable since the allocated buffer is large enough
   to hold the list of addresses.

 * If sudo is executed with a name other than "sudo" or "sudoedit",
   it will now fall back to "sudo" as the program name.  This affects
   warning, help and usage messages as well as the matching of Debug
   lines in the /etc/sudo.conf file.  Previously, it was possible
   for the invoking user to manipulate the program name by setting
   argv[0] to an arbitrary value when executing sudo.

 * Sudo now checks for failure when setting the close-on-exec flag
   on open file descriptors.  This should never fail but, if it
   were to, there is the possibility of a file descriptor leak to
   a child process (such as the command sudo runs).

 * Fixed CVE-2021-23239, a potential information leak in sudoedit
   that could be used to test for the existence of directories not
   normally accessible to the user in certain circumstances.  When
   creating a new file, sudoedit checks to make sure the parent
   directory of the new file exists before running the editor.
   However, a race condition exists if the invoking user can replace
   (or create) the parent directory.  If a symbolic link is created
   in place of the parent directory, sudoedit will run the editor
   as long as the target of the link exists.  If the target of the
   link does not exist, an error message will be displayed.  The
   race condition can be used to test for the existence of an
   arbitrary directory.  However, it _cannot_ be used to write to
   an arbitrary location.

 * Fixed CVE-2021-23240, a flaw in the temporary file handling of
   sudoedit's SELinux RBAC support.  On systems where SELinux is
   enabled, a user with sudoedit permissions may be able to set the
   owner of an arbitrary file to the user-ID of the target user.
   On Linux kernels that support "protected symlinks", setting
   /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
   being exploited.  For more information see
   https://www.sudo.ws/alerts/sudoedit_selinux.html.

 * Added writability checks for sudoedit when SELinux RBAC is in use.
   This makes sudoedit behavior consistent regardless of whether
   or not SELinux RBAC is in use.  Previously, the "sudoedit_checkdir"
   setting had no effect for RBAC entries.

 * A new sudoers option "selinux" can be used to disable sudo's
   SELinux RBAC support.

 * Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
   Added suppression annotations for PVS Studio false positives.

PR:		253034
Submitted by:	cy
Reported by:	cy
Reviewed by:	emaste
Approved by:	emaste
MFH:		2020Q1
Security:	CVE-2021-3156, CVE-2021-3156
Differential Revision:	https://reviews.freebsd.org/D28363

 

12:40 garga 

security/sudo: Update to 1.9.5p1

This version fixes a regression introduced by 1.9.5

Changelog: https://www.sudo.ws/stable.html#1.9.5p1

PR:		252598
Submitted by:	cy
MFH:		2021Q1
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

20:06 cy 

Update 1.9.4p2 --> 1.9.5

PR:		252583
Submitted by:	cy
Reported by:	cy
Approved by:	garga (maintainer)
MFH:		2021Q1
Security:	CVE-2021-23239

 

16:54 garga 

security/sudo: Fix version

Use PORTVERSION here to end up with 1.9.4p2, which is considered newer than
previous one (1.9.4_1)

Reported by:	ohauer <ohauer@gmx.de>

 

12:44 garga 

security/sudo: Update to 1.9.4p2

PR:		251930
Submitted by:	Yasuhiro Kimura <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:43 garga 

security/sudo: Fix build without sendmail

PR:		251582
Reported by:	Alexander Kuznetsov <alex@kuznetcoff.ru>
Obtained from:	https://www.sudo.ws/repos/sudo/raw-rev/41db1aad85bb
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:32 garga 

security/sudo: Update to 1.9.4

PR:		251488
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:22 rene 

security/sudo: readd option for SSSD, reverting r553505

 

22:17 rene 

security/sudo: remove optional expired dependency on security/sssd

 

18:53 garga 

security/sudo: Update to 1.9.3p1

PR:		249566
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

13:25 garga 

security/sudo: Update to 1.9.3

PR:		249511
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

17:17 cy 

Update 1.9.1 --> 1.9.2

Major changes between sudo 1.9.2 and 1.9.1

 * The configure script now uses pkg-config to find the openssl
   cflags and libs where possible.

 * The contents of the log.json I/O log file is now documented in
   the sudoers manual.

 * The sudoers plugin now properly exports the sudoers_audit symbol
   on systems where the compiler lacks symbol visibility controls.
   This caused a regression in 1.9.1 where a successful sudo command
   was not logged due to the missing audit plugin.  Bug #931.

 * Fixed a regression introduced in 1.9.1 that can result in crash
   when there is a syntax error in the sudoers file.  Bug #934.

PR:		248179
Submitted by:	cy
Reported by:	cy
Approved by:	garga
Obtained from:	sudo-announce mailing list
MFH:		2020Q3 (because of regression fix)

 

14:22 garga 

security/sudo: Update to 1.9.1

* Add new option PYTHON that enables python plugin support

PR:		246472
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

14:01 garga 

security/sudo: Update to 1.8.31p1

Sponsored by:	Rubicon Communications, LLC (Netgate)

 

13:59 cy 

security/sudo update 1.8.30 --> 1.8.31

PR:		243745
Submitted by:	cy@
Reported by:	cy@
Approved by:	garga@
MFH:		2020Q1
Security:	 CVE-2019-18634

 

18:18 cy 

Update 1.8.29 --> 1.8.30

PR:		243009
Submitted by:	cy
Approved by:	garga (maintainer)
MFH:		2020Q1

 

18:42 garga 

security/sudo: Update to 1.8.29

Sponsored by:	Rubicon Communications, LLC (Netgate)

 

18:52 garga 

security/sudo: Fix wrong version added in r514607 using PORTVERSION

Reported by:	Herbert J. Skuhra <herbert@gojira.at>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

18:37 garga 

security/sudo: Update to 1.8.28p1

MFH:		2019Q4
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

16:46 garga 

security/sudo: Update to 1.8.28

Sponsored by:	Rubicon Communications, LLC (Netgate)

 

13:51 garga 

security/sudo: Fix listpw=never

When listpw=never is set, 'sudo -l' is expected to run without asking for a
password.

PR:		234756
Reported by:	vas@mpeks.tomsk.su
Obtained from:	https://bugzilla.sudo.ws/show_bug.cgi?id=869
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:52 cy 

Update 1.8.26 --> 1.8.27

Notable changes:

 * Fixes and clarifications to the sudo plugin documentation.

 * The sudo manuals no longer require extensive post-processing to
   hide system-specific features.  Conditionals in the roff source
   are now used instead.  This fixes corruption of the sudo manual
   on systems without BSD login classes.  Bug #861.

 * If an I/O logging plugin is configured but the plugin does not
   actually log any I/O, sudo will no longer force the command to
   be run in a pseudo-tty.

 * The fix for bug #843 in sudo 1.8.24 was incomplete.  If the
   user's password was expired or needed to be updated, but no sudo
   password was required, the PAM handle was freed too early,
   resulting in a failure when processing PAM session modules.

 * In visudo, it is now possible to specify the path to sudoers
   without using the -f option.  Bug #864.

 * Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
   file would not be updated when a command was run in a pseudo-tty.
   Bug #865.

 * Sudo now sets the silent flag when opening the PAM session except
   when running a shell via "sudo -s" or "sudo -i".  This prevents
   the pam_lastlog module from printing the last login information
   for each sudo command.  Bug #867.

PR:		234904
Submitted by:	cy@
Approved by:	garga@
MFH:		2019Q1

 

15:33 garga 

security/sudo: Update to 1.8.26

PR:		233206 (based on)
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

16:49 garga 

Update security/sudo to 1.8.25p1

Sponsored by:	Rubicon Communications, LLC (Netgate)

 

11:42 garga 

security/sudo: Update to 1.8.25

Sponsored by:	Rubicon Communications, LLC (Netgate)

 

14:23 garga 

security/sudo: Update to 1.8.24

PR:		230739
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

18:57 garga 

Add --rundir definition to CONFIGURE_ARGS to make sure configure script uses
/var/run/sudo. Without it, on a system that has /run directory, configure
will by default define rundir to /run/sudo

Reported by:	Walter Schwarzenfeld <w.schwarzenfeld@utanet.at>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

12:36 garga 

Fix PLIST without LDAP

PR:		227926
Reported by:	O. Hartmann
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

13:09 garga 

Update security/sudo to 1.8.23

PR:		227900
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

16:52 garga 

Add a new version of the patch committed in r468197 that fixes a regression
introduced by that version.

PR:		223587
Submitted by:	Todd C. Miller <Todd.Miller@sudo.ws>
Reported by:	vas@mpeks.tomsk.su
Obtained from:	https://bugzilla.sudo.ws/show_bug.cgi?id=831
MFH:		2018Q2
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

11:07 garga 

Add a patch to fix cryptographic digest in command specification for shell
scripts and other interpreted files. Error happens because fexecve() requires
/dev/fd to be mounted. This patch detects if /dev/fd/N exists before attempt
to use fexecve and workaround the issue.

PR:		223587
Submitted by:	Todd C. Miller <Todd.Miller@sudo.ws>
Reported by:	vas@mpeks.tomsk.su
Obtained from:	https://bugzilla.sudo.ws/show_bug.cgi?id=831
MFH:		2018Q2
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

18:43 garga 

Last commit was supposed to be a local change for testing. Patch was not yet
ready for production. Reverting it for now.

 

18:40 garga 

Add a patch to fix cryptographic digest in command specification for shell
scripts and other interpreted files. Error happens because fexecve() requires
/dev/fd to be mounted. This patch detects if /dev/fd/N exists before attempt
to use fexecve and workaround the issue.

PR:		223587
Submitted by:	Todd C. Miller <Todd.Miller@sudo.ws>
Reported by:	vas@mpeks.tomsk.su
Obtained from:	https://www.sudo.ws/repos/sudo/rev/30f7c5d64104
MFH:		2018Q2
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

13:11 garga 

- Add new options to security/sudo to make it possible to build it with
  kerberos support.
- Bump PORTREVISION

PR:		225498
Submitted by:	Cullum Smith <cullum@c0ffee.net>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

15:07 garga 

Update security/sudo to 1.8.22

Sponsored by:	Rubicon Communications, LLC (Netgate)

 

16:58 brd 

Pull in an upstream patch for security/sudo to not coredump if the hostname is
not set.

PR:		222510
Approved by:	garga

 

16:47 garga 

Update security/sudo to 1.8.21p2

PR:		222194
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

17:15 garga 

Update security/sudo to 1.8.21p1

 

10:30 garga 

- Update security/sudo to 1.8.21

PR:		221874
Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
		bdrewery (SIGINFO fix)
Sponsored by:	Rubicon Communications, LLC (Netgate)

 

18:32 bdrewery 

- Fix sudo sending a 2nd SIGINFO on ^T to processes, which is already
  handled by the kernel sending it to the entire controlling terminal's
  process group.
  - This fixes ^T with 'sudo poudriere ...' showing a status log twice.
  - This is intended to be upstreamed.

Approved by:	garga (maintainer)
Tested by:	swills, bdrewery
Reviewed/Discussed with:	kib
Reported by:	kwm, swills, bapt, dim, kib, many others
MFH:		2017Q3

 

13:49 garga 

Fix the way ${PREFIX}/etc/sudoers.d is handled removing the workaround added in
r260609 and using @dir

PR:		220234
Submitted by:	Jose Luis Duran <jlduran@gmail.com>
Sponsored by:	Rubicon Communications (Netgate)

 

11:01 mat 

Starting in 1.8.20, the sample sudoers file has been installed twice,
once as sudoers.sample and once as sudoers.dist. Remove one of them.

PR:		219708
Submitted by:	mat
Approved by:	maintainer timeout
Sponsored by:	Absolight

 

14:10 garga 

Update security/sudo to 1.8.20p2

Sponsored by:	Rubicon Communications (Netgate)

 

12:42 cy 

Update 1.8.20 --> 1.8.20p1

This release fixes a potential security issue that may allow a user to
bypass the "tty_ticket" constraints or overwrite an arbitrary file.
The issue is reported to only be present on Linux systems but I don't
think it hurts to update the FreeBSD port at this time.

Approved by:		garga@ (maintainer)
MFH:			2017Q2
Differential Revision:	D10997

 

17:03 garga 

Update security/sudo to 1.8.20

Sponsored by:	Rubicon Communications (Netgate)

 

13:38 cy 

Update 1.8.19p1 --> 1.8.19p2.

Major changes between sudo 1.8.19p2 and 1.8.19p1:

 * Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address
   or network is used in a host-based Defaults entry.  Bug #766

 * Added a missing check for the ignore_iolog_errors flag when
   the sudoers plugin generates the I/O log file path name.

 * Fixed a typo in sudo's vsyslog() replacement that resulted in
   garbage being logged to syslog.

Approved by:	garga (maintainer)
MFH:		2917Q1
Differential Revision:	D9181

 

21:11 cy 

Update 1.8.19 --> 1.8.19p1

As per sudo announcement:

 * Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong
   syslog priority and facility being used.

PR:		215447
Submitted by:	myself (in pr 215447)
Approved by:	garga (maintainer)

 

23:59 cy 

Update 1.8.18p1 --> 1.8.19.

PR:		215434
Submitted by:	cy
Reviewed by:	garga (maintainer)

 

12:16 cy 

Update 1.8.18 --> 1.8.18p1

From the sudo announcment:

Depending on your sudoers file configuration, the bug fixed in
1.8.18p1 may have a security impact.  For more information, see
https://www.sudo.ws/alerts/noexec_wordexp.html

Approved by:		garga@ (maintainer)
MFH:			2016Q4
Differential Revision:	D8363

 

13:45 garga 

Update security/sudo to 1.8.18

Sponsored by:	Rubicon Communications (Netgate)

 

00:55 garga 

Update security/sudo to 1.8.17p1

MFH:		2016Q2
Sponsored by:	Rubicon Communications (Netgate)

 

14:03 cy 

Update 1.8.16 --> 1.8.17

PR:		210407
Submitted by:	cy@
Approved by:	garga@
MFH:		2016Q2

 

20:39 garga 

Add a patch to fix sudo bug #743 that causes a bug where it dereference
a NULL pointer when it looks up a negative cached entry which is stored
as a NULL passwd or group struct pointer

PR:		208198
Submitted by:	Fredrik Eriksson <fredrik.eriksson@loopia.se>
Obtained from:	https://www.sudo.ws/repos/sudo/rev/1d13341d53ec
Sponsored by:	Rubicon Communications (Netgate)

 

20:11 garga 

- Stop forcing -lssp_nonshared since libc already include it in every link.
  It should fix build when world is built with WITHOUT_SSP
- Bump PORTREVISION

PR:		203380
Submitted by:	Kenneth Salerno <kennethsalerno@yahoo.com>
Sponsored by:	Rubicon Communications (Netgate)

 

14:25 mat 

Remove ${PORTSDIR}/ from dependencies, categories r, s, t, and u.

With hat:	portmgr
Sponsored by:	Absolight