---
- branch: MAIN
  date: Mon Jan 18 14:32:24 UTC 2021
  files:
  - new: '1.181'
    old: '1.180'
    path: pkgsrc/security/sudo/Makefile
    pathrev: pkgsrc/security/sudo/Makefile@1.181
    type: modified
  - new: '1.19'
    old: '1.18'
    path: pkgsrc/security/sudo/PLIST
    pathrev: pkgsrc/security/sudo/PLIST@1.19
    type: modified
  - new: '1.112'
    old: '1.111'
    path: pkgsrc/security/sudo/distinfo
    pathrev: pkgsrc/security/sudo/distinfo@1.112
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/security/sudo/patches/patch-configure
    pathrev: pkgsrc/security/sudo/patches/patch-configure@1.4
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/security/sudo/patches/patch-plugins_sudoers_Makefile.in
    pathrev: pkgsrc/security/sudo/patches/patch-plugins_sudoers_Makefile.in@1.4
    type: modified
  - new: '1.1'
    old: '0'
    path: pkgsrc/security/sudo/patches/patch-examples_Makefile.in
    pathrev: pkgsrc/security/sudo/patches/patch-examples_Makefile.in@1.1
    type: added
  - new: '1.1'
    old: '0'
    path: pkgsrc/security/sudo/patches/patch-logsrvd_Makefile.in
    pathrev: pkgsrc/security/sudo/patches/patch-logsrvd_Makefile.in@1.1
    type: added
  id: 20210118T143224Z.3c922095109cc379d13b4c206dc48b01e7e3b374
  log: |
    security/sudo: update to 1.9.5p1

    Update sudo package to 1.9.5p1.  CHanges from 1.8.31p2 are too many to
    write here.  Please refer <https://www.sudo.ws/stable.html>.

    1.9.5 fixes these security problems:

    * Fixed CVE-2021-23239, a potential information leak in sudoedit that
      could be used to test for the existence of directories not normally
      accessible to the user in certain circumstances.  When creating a new
      file, sudoedit checks to make sure the parent directory of the new file
      exists before running the editor.  However, a race condition exists if
      the invoking user can replace (or create) the parent directory. If a
      symbolic link is created in place of the parent directory, sudoedit will
      run the editor as long as the target of the link exists.  If the target
      of the link does not exist, an error message will be displayed.  The
      race condition can be used to test for the existence of an arbitrary
      directory.  However, it cannot be used to write to an arbitrary
      location.

    * Fixed CVE-2021-23240, a flaw in the temporary file handling of
      sudoedit's SELinux RBAC support.  On systems where SELinux is enabled, a
      user with sudoedit permissions may be able to set the owner of an
      arbitrary file to the user-ID of the target user.  On Linux kernels that
      support protected symlinks setting /proc/sys/fs/protected_symlinks to 1
      will prevent the bug from being exploited.  For more information, see
      Symbolic link attack in SELinux-enabled sudoedit.

    Quote from 1.9.0 features:

    * The maximum length of a conversation reply has been increased from 255
      to 1023 characters.  This allows for longer user passwords. Bug #860.

    * Sudo now includes a logging daemon, sudo_logsrvd, which can be used to
      implement centralized logging of I/O logs.  TLS connections are
      supported when sudo is configured with the --enable-openssl option.  For
      more information, see the sudo_logsrvd, sudo_logsrvd.conf and
      sudo_logsrv.proto manuals as well as the log_servers setting in the
      sudoers manual.

    * The --disable-log-server and --disable-log-client configure options can
      be used to disable building the I/O log server and/or remote I/O log
      support in the sudoers plugin.

    * The new sudo_sendlog utility can be used to test sudo_logsrvd or send
      existing sudo I/O logs to a centralized server.

    * It is now possible to write sudo plugins in Python 4 when sudo is
      configured with the --enable-python option.  See the sudo_plugin_python
      manual for details.

      Sudo 1.9.0 comes with several Python example plugins that get installed
      sudo's examples directory.

      The sudo blog article What's new in sudo 1.9: Python includes a simple
      tutorial on writing python plugins.

    * Sudo now supports an audit plugin type.  An audit plugin receives
      accept, reject, exit and error messages and can be used to implement
      custom logging that is independent of the underlying security policy.
      Multiple audit plugins may be specified in the sudo.conf file.  A sample
      audit plugin is included that writes logs in JSON format.

    * Sudo now supports an approval plugin type.  An approval plugin is run
      only after the main security policy (such as sudoers) accepts a command
      to be run.  The approval policy may perform additional checks,
      potentially interacting with the user.  Multiple approval plugins may be
      specified in the sudo.conf file.  Only if all approval plugins succeed
      will the command be allowed.

    * Sudo's -S command line option now causes the sudo conversation function
      to write to the standard output or standard error instead of the
      terminal device.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/sudo'
  unixtime: '1610980344'
  user: taca