Summary: Allows restricted root access for specified users

Name: sudo

Version: 1.9.5p2

Release: 9%{?dist}

License: ISC

URL: https://www.sudo.ws

Source0: %{url}/dist/%{name}-%{version}.tar.gz

Source1: sudoers

Source2: sudo-ldap.conf

Requires: pam

Requires(post): coreutils

BuildRequires: make

BuildRequires: pam-devel

BuildRequires: groff

BuildRequires: openldap-devel

BuildRequires: flex

BuildRequires: bison

BuildRequires: automake autoconf libtool

BuildRequires: audit-libs-devel libcap-devel

BuildRequires: libselinux-devel

BuildRequires: sendmail

BuildRequires: gettext

BuildRequires: zlib-devel

Patch1: sudo-conf.patch

Patch2: sudo-1.9.5-undefined-symbol.patch

Patch3: sudo-1.9.5-selinux-t.patch

Patch4: sudo-1.9.5-sesh-bad-condition.patch

Patch5: sudo-1.9.5-utmp-leak.patch

Patch6: covscan.patch

Patch7: sha-digest-calc.patch

Patch8: sudo-1.9.12-CVE-2023-22809.patch

%description

Sudo (superuser do) allows a system administrator to give certain

users (or groups of users) the ability to run some (or all) commands

as root while logging all commands and arguments. Sudo operates on a

per-command basis.  It is not a replacement for the shell.  Features

include: the ability to restrict what commands a user may run on a

per-host basis, copious logging of each command (providing a clear

audit trail of who did what), a configurable timeout of the sudo

command, and the ability to use the same configuration file (sudoers)

on many different machines.

%package        devel

Summary:        Development files for %{name}

Requires:       %{name} = %{version}-%{release}

%description    devel

The %{name}-devel package contains header files developing sudo

plugins that use %{name}.

%package        python-plugin

Summary:        Python plugin for %{name}

Requires:       %{name} = %{version}-%{release}

BuildRequires:  python3-devel

%description    python-plugin

%{name}-python-plugin allows using sudo plugins written in Python.

%prep

%setup -q

%patch1 -p1 -b .sudo-conf

%patch2 -p1 -b .undefined

%patch3 -p1 -b .selinux-t

%patch4 -p1 -b .bad-cond

%patch5 -p1 -b .utmp-leak

%patch6 -p1 -b .covscan

%patch7 -p1 -b .sha-digest

%patch8 -p1 -b .cve-fix

%build

# Remove bundled copy of zlib

rm -rf zlib/

autoreconf -I m4 -fv --install

%ifarch s390 s390x sparc64

F_PIE=-fPIE

%else

F_PIE=-fpie

%endif

export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

%configure \

        --prefix=%{_prefix} \

        --sbindir=%{_sbindir} \

        --libdir=%{_libdir} \

        --docdir=%{_pkgdocdir} \

        --disable-openssl \

        --disable-root-mailer \

        --disable-log-server \

        --disable-log-client \

        --with-logging=syslog \

        --with-logfac=authpriv \

        --with-pam \

        --with-pam-login \

        --with-editor=/bin/vi \

        --with-env-editor \

        --with-ignore-dot \

        --with-tty-tickets \

        --with-ldap \

        --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \

        --with-selinux \

        --with-passprompt="[sudo] password for %p: " \

        --enable-python \

        --with-linux-audit \

        --with-sssd

#       --without-kerb5 \

#       --without-kerb4

make

%check

make check

%install

rm -rf $RPM_BUILD_ROOT

# Update README.LDAP (#736653)

sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP

make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*

install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo

install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured

install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d

install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers

install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf

# create sudo-ldap.conf man

echo ".so man5/sudoers.ldap.5" > sudo-ldap.conf.5

gzip sudo-ldap.conf.5

install -p -c -m 0644 sudo-ldap.conf.5.gz $RPM_BUILD_ROOT/%{_mandir}/man5/sudo-ldap.conf.5.gz

rm -f sudo-ldap.conf.5.gz

# we are not building sendlog so we don't need this

rm -rf $RPM_BUILD_ROOT/%{_mandir}/man8/sudo_sendlog.8

# add sudo to protected packages

install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/

touch sudo.conf

echo sudo > sudo.conf

install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/

rm -f sudo.conf

chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files

# Don't package LICENSE as a doc

rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE

# Remove examples; Examples can be found in man pages too.

rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo

#Remove all .la files

find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'

# Remove sudoers.dist

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist

%find_lang sudo

%find_lang sudoers

cat sudo.lang sudoers.lang > sudo_all.lang

rm sudo.lang sudoers.lang

mkdir -p $RPM_BUILD_ROOT/etc/pam.d

cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF

#%%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   include      system-auth

session    include      system-auth

EOF

cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF

#%%PAM-1.0

auth       include      sudo

account    include      sudo

password   include      sudo

session    optional     pam_keyinit.so force revoke

session    include      sudo

EOF

%files -f sudo_all.lang

%defattr(-,root,root)

%attr(0440,root,root) %config(noreplace) /etc/sudoers

%attr(0640,root,root) %config(noreplace) /etc/sudo.conf

%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf

%attr(0750,root,root) %dir /etc/sudoers.d/

%config(noreplace) /etc/pam.d/sudo

%config(noreplace) /etc/pam.d/sudo-i

%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf

%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf

%dir /var/db/sudo

%dir /var/db/sudo/lectured

%attr(4111,root,root) %{_bindir}/sudo

%{_bindir}/sudoedit

%{_bindir}/cvtsudoers

%attr(0111,root,root) %{_bindir}/sudoreplay

%attr(0755,root,root) %{_sbindir}/visudo

%dir %{_libexecdir}/sudo

%attr(0755,root,root) %{_libexecdir}/sudo/sesh

%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so

%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so

%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so

%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so

%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so

%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so

%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?

%{_libexecdir}/sudo/libsudo_util.so.?

%{_libexecdir}/sudo/libsudo_util.so

%{_mandir}/man5/sudoers.5*

%{_mandir}/man5/sudoers.ldap.5*

%{_mandir}/man5/sudo-ldap.conf.5*

%{_mandir}/man5/sudo.conf.5*

%{_mandir}/man8/sudo.8*

%{_mandir}/man8/sudoedit.8*

%{_mandir}/man8/sudoreplay.8*

%{_mandir}/man8/visudo.8*

%{_mandir}/man1/cvtsudoers.1*

%{_mandir}/man5/sudoers_timestamp.5*

%dir %{_pkgdocdir}/

%{_pkgdocdir}/*

%{!?_licensedir:%global license %%doc}

%license doc/LICENSE

%exclude %{_pkgdocdir}/ChangeLog

# Make sure permissions are ok even if we're updating

%post

/bin/chmod 0440 /etc/sudoers || :

%files devel

%doc plugins/sample/sample_plugin.c

%{_includedir}/sudo_plugin.h

%{_mandir}/man8/sudo_plugin.8*

%files python-plugin

%{_mandir}/man8/sudo_plugin_python.8.gz

%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so

%changelog

* Thu Jan 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-9

RHEL 9.2.0 ERRATUM

- CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user

Resolves: rhbz#2161225

* Wed Jan 11 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-8

RHEL 9.2.0 ERRATUM

- sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)

Resolves: rhbz#2115789

* Fri Aug 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-7

- utmp resource leak in sudo

Resolves: rhbz#1986579

- sudo does not list /etc/dnf/protected.d/sudo.conf in the rpm config files listing

Resolves: rhbz#1997030

- sudo uses Recommends for sudo-python-plugin(x86-64) = 1.9.5p2-2.el9 and vim-minimal

Resolves: rhbz#1947908

- review of important potential issues detected by static analyzers in sudo-1.9.5p2-2.el9

Resolves: rhbz#1938879

* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-6

- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags

  Related: rhbz#1991688

* Fri Jul 09 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-5

RHEL 9 BETA

- sync with rhel8 spec

Resolves: rhbz#1908882

Resolves: rhbz#1942383

Resolves: rhbz#1946707

Resolves: rhbz#1946709

Resolves: rhbz#1981278

* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-4

- Rebuilt for RHEL 9 BETA for openssl 3.0

  Related: rhbz#1971065

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.5p2-3

- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Tue Feb 09 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.9.5p2-2

- change ldap.conf to sudo-ldap.conf

Resolves: rhbz#1908882

- remove /usr/local/* from secure_path

Resolves: rhbz#1908923

- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit

Resolves: rhbz#1916655

- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit

Resolves: rhbz#1917039

- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing

Resolves: rhbz#1917735

* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1

- rebase to 1.9.5p2

Resolves: rhbz#1920611

- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing

Resolves: rhbz#1920618

* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1

- rebase to 1.9.5p1

Resolves: rhbz#1902758

- fixed double free in sss_to_sudoers

Resolves: rhbz#1885874

- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit

Resolves: rhbz#1915055

- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit

Resolves: rhbz#1915054

* Wed Jan 13 2021 Jonathan Lebon <jonathan@jlebon.com> - 1.9.3p1-2

- split out Python modules into separate subpackage

Resolves: rhbz#1909299

* Mon Oct 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.3p1-1

- rebase to 1.9.3p1

- enable python modules

Resolves: rhbz#1881112

* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1

- rebase to 1.9.2

Resolves: rhbz#1859577

- added logsrvd subpackage

- added openssl-devel buildrequires

Resolves: rhbz#1860653

- fixed sudo runstatedir path

- it was generated as /sudo instead of /run/sudo

Resolves: rhbz#1868215

- added /var/lib/snapd/snap/bin to secure_path variable

Resolves: rhbz#1691996

* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-3

- Second attempt - Rebuilt for

  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Wed Jul 08 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.1-1

- rebase to 1.9.1

Resolves: rhbz#1848788

- fix rpmlint errors

Resolves: rhbz#1817139

* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4

- update to latest development version 1.9.0b4

Resolves: rhbz#1816593

- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix

Resolves: rhbz#1773148

* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1

- update to latest development version 1.9.0b1

- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages

Resolves: rhbz#1787823

- Stack based buffer overflow in when pwfeedback is enabled

Resolves: rhbz#1796945

- fixes: CVE-2019-18634

- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account

Resolves: rhbz#1786709

- fixes CVE-2019-19234

- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user

Resolves: rhbz#1786705

- fixes CVE-2019-19232

* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1

- rebase to 1.8.29

Resolves: rhbz#1766233

* Tue Oct 22 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1

- rebase to 1.8.28p1

Resolves: rhbz#1762350

* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1

- rebase to 1.8.28

Resolves: rhbz#1761533

- set always_set_home by default

Resolves: rhbz#1728687

- Sync sudoers options from rhel8 to fedora

Resolves: rhbz#1761781

- CVE-2019-14287

Resolves: rhbz#1761584

* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Sun Mar 31 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.27-2

- resolves rhbz#1676925

- Removed PS1, PS2 from sudoers

* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> 1.8.27-1

- rebase sudo to 1.8.27

* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.25p1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Oct 01 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25p1-1

- rebase sudo to 1.8.25p1

* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25-1

- rebase sudo to latest stawble version

- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968)

* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.23-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue Jul 03 2018 Matthew Miller <mattdm@fedoraproject.org> - 1.8.23-2

- remove defattr, as default is now sane

* Wed May 09 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1

- update to 1.8.23

* Wed Apr 18 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-0.1.b3

- update to 1.8.23b3

* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.22-0.2.b1

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Dec 14 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.22b1-1

- update to 1.8.22b1

- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185

* Thu Sep 21 2017 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.21p2-1

- update to 1.8.21p2

- Moved libsudo_util.so from the -devel sub-package to main package (1481225)

* Wed Sep 06 2017 Matthew Miller <mattdm@fedoraproject.org> - 1.8.20p2-4

- replace file-based requirements with package-level ones:

- /etc/pam.d/system-auth to 'pam'

- /bin/chmod to 'coreutils' (bug #1488934)

- /usr/bin/vi to vim-minimal

- ... and make vim-minimal "recommends" instead of "requires", because

  other editors can be configured.

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Thu Jun 01 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p2-1

- update to 1.8.20p2

* Wed May 31 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p1-1

- update to 1.8.20p1

- fixes CVE-2017-1000367

  Resolves: rhbz#1456884

* Fri Apr 07 2017 Jiri Vymazal <jvymazal@redhat.com> - 1.8.20-0.1.b1

- update to latest development version 1.8.20b1

- added sudo to dnf/yum protected packages

  Resolves: rhbz#1418756

* Mon Feb 13 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1

- update to 1.8.19p2

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.19-0.3.20161108git738c3cb

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Tue Nov 08 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.19-0.2.20161108git738c3cb

- update to latest development version

- fixes CVE-2016-7076

* Fri Sep 23 2016 Radovan Sroka <rsroka@redhat.com> 1.8.19-0.1.20160923git90e4538

- we were not able to update from rc and beta versions to stable one

- so this is a new snapshot package which resolves it

* Wed Sep 21 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18-1

- update to 1.8.18

* Fri Sep 16 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc4-1

- update to 1.8.18rc4

* Wed Sep 14 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc2-1

- update to 1.8.18rc2

- dropped sudo-1.8.14p1-ldapconfpatch.patch

  upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html

* Fri Aug 26 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18b2-1

- update to 1.8.18b2

- added --disable-root-mailer as configure option

  Resolves: rhbz#1324091

* Fri Jun 24 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.17p1-1

- update to 1.8.17p1

- install the /var/db/sudo/lectured

  Resolves: rhbz#1321414

* Tue May 31 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-4

- removed INPUTRC from env_keep to prevent a possible info leak

  Resolves: rhbz#1340701

* Fri May 13 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-3

- fixed upstream patch for rhbz#1328735

* Thu May 12 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-2

- fixed invalid sesh argument array construction

* Mon Apr 04 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-1

- update to 1.8.16

* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.15-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Nov  5 2015 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-1

- update to 1.8.15

- fixes CVE-2015-5602

* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-3

- enable upstream test suite

* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-2

- add patch that resolves initialization problem before sudo_strsplit call

- add patch that resolves deadcode in visudo.c

- add patch that removes extra while in visudo.c and sudoers.c

* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1

- update to 1.8.14p3

* Mon Jul 20 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p1-1

- update to 1.8.14p1-1

- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch

- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch

* Tue Jul 14 2015 Radovan Sroka <rsroka@redhat.com> 1.8.12-2

- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time

- Resolves: rhbz#1162070

* Fri Jul 10 2015 Radovan Sroka <rsroka@redhat.com> - 1.8.14b4-1

- Update to 1.8.14b4

- Add own %%{_tmpfilesdir}/sudo.conf

* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.12-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12

- update to 1.8.12

- fixes CVE-2014-9680

* Mon Nov  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1

- update to 1.8.11p2

- added patch to fix upstream bug #671 -- exiting immediately

  when audit is disabled

* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1

- update to 1.8.11

- major changes & fixes:

  - when running a command in the background, sudo will now forward

    SIGINFO to the command

  - the passwords in ldap.conf and ldap.secret may now be encoded in base64.

  - SELinux role changes are now audited. For sudoedit, we now audit

    the actual editor being run, instead of just the sudoedit command.

  - it is now possible to match an environment variable's value as well as

    its name using env_keep and env_check

  - new files created via sudoedit as a non-root user now have the proper group id

  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support

  - it is now possible to disable network interface probing in sudo.conf by

    changing the value of the probe_interfaces setting

  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt

    for the user's password even if the targetpw, rootpw or runaspw options are set.

  - the new use_netgroups sudoers option can be used to explicitly enable or disable

    netgroups support

  - visudo can now export a sudoers file in JSON format using the new -x flag

- added patch to read ldap.conf more closely to nss_ldap

- require /usr/bin/vi instead of vim-minimal

- include pam.d/system-auth in PAM session phase from pam.d/sudo

- include pam.d/sudo in PAM session phase from pam.d/sudo-i

* Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6

- fix license handling

* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.8-4

- Drop ChangeLog, we ship NEWS

* Mon Mar 10 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-3

- remove bundled copy of zlib before compilation

- drop the requiretty Defaults setting from sudoers

* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.8.8-2

- Own the %%{_libexecdir}/sudo dir.

* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1

- update to 1.8.8

- major changes & fixes:

  - LDAP SASL support now works properly with Kerberos

  - root may no longer change its SELinux role without entering a password

  - user messages are now always displayed in the user's locale, even when

    the same message is being logged or mailed in a different locale.

  - log files created by sudo now explicitly have the group set to group

    ID 0 rather than relying on BSD group semantics

  - sudo now stores its libexec files in a sudo subdirectory instead of in

    libexec itself

  - system_group and group_file sudoers group provider plugins are now

    installed by default

  - the paths to ldap.conf and ldap.secret may now be specified as arguments

    to the sudoers plugin in the sudo.conf file

  - ...and many new features and settings. See the upstream ChangeLog for the

    full list.

- several sssd support fixes

- added patch to make uid/gid specification parsing more strict (don't accept

  an invalid number as uid/gid)

- use the _pkgdocdir macro

  (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)

- fixed several bugs found by the clang static analyzer

- added %%post dependency on chmod

* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1

- update to 1.8.6p7

- fixes CVE-2013-1775 and CVE-2013-1776

- fixed several packaging issues (thanks to ville.skytta@iki.fi)

  - build with system zlib.

  - let rpmbuild strip libexecdir/*.so.

  - own the %%{_docdir}/sudo-* dir.

  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).

  - fix bogus %%changelog dates.

* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2

- added upstream patch for a regression

- don't include arch specific files in the -devel subpackage

- ship only one sample plugin in the -devel subpackage

* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1

- update to 1.8.6p3

- drop -pipelist patch (fixed in upstream)

* Thu Sep  6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1

- update to 1.8.6

* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4

- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)

- re-enabled SSSD support

- removed libsss_sudo dependency

* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3

- flip sudoers2ldif executable bit after make install, not in setup

* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1

- update to 1.8.5

- fixed CVE-2012-2337

- temporarily disabled SSSD support

* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6

- fixed problems with undefined symbols (rhbz#798517)

* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5

- SSSD patch update

* Tue Feb  7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4

- added SSSD support

* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3

- added patch for CVE-2012-0809

* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1

- update to 1.8.3p1

- disable output word wrapping if the output is piped

* Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2

- Remove execute bit from sample script in docs so we don't pull in perl

* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1

- rebase to 1.8.1p2

- removed .sudoi patch

- fixed typo: RELPRO -> RELRO

- added -devel subpackage for the sudo_plugin.h header file

- use default ldap configuration files again

* Fri Jun  3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4

- build with RELRO

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2

- rebase to 1.7.4p5

- fixed sudo-1.7.4p4-getgrouplist.patch

- fixes CVE-2011-0008, CVE-2011-0010

* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5

- anybody in the wheel group has now root access (using password) (rhbz#656873)

- sync configuration paths with the nss_ldap package (rhbz#652687)

* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4

- added upstream patch to fix rhbz#638345

* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3

- added patch for #635250

- /var/run/sudo -> /var/db/sudo in .spec

* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2

- sudo now uses /var/db/sudo for timestamps

* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1

- update to new upstream version

- new command available: sudoreplay