Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 23CDE63BA2A
	for ; Sat, 5 Jun 2010 06:16:45 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 0)
	id 91B2E63B2E2; Sat, 5 Jun 2010 06:16:44 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd])
	by mail.netbsd.org (Postfix) with ESMTP id 4D35963B12F
	for ; Sat, 5 Jun 2010 06:16:43 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500)
	id 3B138175DD; Sat, 5 Jun 2010 06:16:43 +0000 (UTC)
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/plain
Date: Sat, 5 Jun 2010 06:16:43 +0000
From: "S.P.Zeidler"
Subject: CVS commit: [pkgsrc-2010Q1] pkgsrc/security/sudo
To: pkgsrc-changes@NetBSD.org
Reply-To: spz@netbsd.org
X-Mailer: log_accum
Message-Id: <20100605061643.3B138175DD@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: list

Module Name:    pkgsrc
Committed By:   spz
Date:           Sat Jun 5 06:16:43 UTC 2010

Modified Files:
	pkgsrc/security/sudo [pkgsrc-2010Q1]: Makefile distinfo

Log Message:
Pullup ticket 3137 - requested by kefren
security update

Revisions pulled up:
- pkgsrc/security/sudo/Makefile    1.121
- pkgsrc/security/sudo/distinfo    1.63
-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Jun 3 14:53:14 UTC 2010

   Modified Files:
   	pkgsrc/security/sudo: Makefile distinfo

   Log Message:
   Update security/sudo package to 1.7.2p7.

   For more detail: http://www.sudo.ws/sudo/alerts/secure_path.html

   Summary:

   Sudo "secure path" feature works by replacing the PATH environment
   variable with a value specified in the sudoers file, or at compile
   time if the --with-secure-path configure option is used. The flaw is
   that sudo only replaces the first instance of PATH in the environment.
   If the program being run through sudo uses the last instance of PATH
   in the environment, an attacker may be able to avoid the "secure path"
   restrictions.

   Sudo versions affected:

   Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.

   To generate a diff of this commit:
   cvs rdiff -u -r1.120 -r1.121 pkgsrc/security/sudo/Makefile
   cvs rdiff -u -r1.62 -r1.63 pkgsrc/security/sudo/distinfo

To generate a diff of this commit:
cvs rdiff -u -r1.119.2.1 -r1.119.2.2 pkgsrc/security/sudo/Makefile
cvs rdiff -u -r1.61.2.1 -r1.61.2.2 pkgsrc/security/sudo/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
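The first-instance-only replacement summarized in the commit message above, set beside a replacement that also drops later PATH entries. This is an added C example, not part of the original message and not sudo's code; the function names and the sample environment are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* True when entry is "NAME=value" for the given name. */
static int is_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Flawed pattern from the summary: only the first PATH entry is replaced. */
void replace_first_only(const char **envp, const char *secure)
{
    for (; *envp != NULL; envp++) {
        if (is_var(*envp, "PATH")) {
            *envp = secure;
            return;
        }
    }
}

/* Hardened pattern: overwrite the first PATH entry and compact the array
 * in place so every later PATH entry is dropped. */
void replace_and_dedup(const char **envp, const char *secure)
{
    const char **out = envp;
    int seen = 0;
    for (; *envp != NULL; envp++) {
        if (!is_var(*envp, "PATH"))
            *out++ = *envp;
        else if (!seen++)
            *out++ = secure;
    }
    *out = NULL;
}

/* Constructed sample: apply fix() to an environment holding two PATH
 * entries, then return the value a last-entry consumer would read. */
const char *path_seen_after(void (*fix)(const char **, const char *))
{
    const char *env[] = { "HOME=/root", "PATH=/untrusted/a", "TERM=vt100",
                          "PATH=/untrusted/b", NULL };
    const char *last = NULL;
    fix(env, "PATH=/usr/bin:/bin");
    for (const char **ep = env; *ep != NULL; ep++)
        if (is_var(*ep, "PATH"))
            last = *ep + 5;   /* skip "PATH=" */
    return last;
}
```

Any code that builds an environment for a privileged child process can apply the same check: after sanitizing, exactly one entry per security-relevant variable should remain.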