sudo-1.9.7

[Bruce Dubbs]

New point version.

[Bruce Dubbs]

What's new in Sudo 1.9.7

• The "fuzz" Makefile target now runs all the fuzzers for 8192 passes (can be overridden via the FUZZ_RUNS variable). This makes it easier to run the fuzzers in-tree. To run a fuzzer indefinitely, set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".

• Fixed fuzzing on FreeBSD where the ld.lld linker returns an error by default when a symbol is multiply-defined.

• Added support for determining local IPv6 addresses on systems that lack the getifaddrs() function. This now works on AIX, HP-UX and Solaris (at least).

• Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to report a usage error. Also, when invoked as sudoedit, sudo now allows a more restricted set of options that matches the usage statement and documentation.

• Fixed a crash in sudo_sendlog when the specified certificate or key does not exist or is invalid.

• Fixed a compilation error when sudo is configured with the --disable-log-client option.

• Sudo's limited support for SUCCESS=return entries in nsswitch.conf is now documented.

• Sudo now requires autoconf 2.70 or higher to regenerate the configure script.

• sudo_logsrvd now has a relay mode which can be used to create a hierarchy of log servers. By default, when a relay server is defined, messages from the client are forwarded immediately to the relay. However, if the "store_first" setting is enabled, the log will be stored locally until the command completes and then relayed.

• Sudo now links with OpenSSL by default if it is available unless the --disable-openssl configure option is used or both the --disable-log-client and --disable-log-server configure options are specified.

• Fixed configure's Python version detection when the version minor number is more than a single digit, for example Python 3.10.

• The sudo Python module tests now pass for Python 3.10.

• Sudo will now avoid changing the datasize resource limit as long as the existing value is at least 1GB. This works around a problem on 64-bit HP-UX where it is not possible to exactly restore the original datasize limit.

• Fixed a race condition that could result in a hang when sudo is executed by a process where the SIGCHLD handler is set to SIG_IGN.

• Fixed an out-of-bounds read in sudoedit and visudo when the EDITOR, VISUAL or SUDO_EDITOR environment variables end in an unescaped backslash. Also fixed the handling of quote characters that are escaped by a backslash.

• Fixed a bug that prevented the "log_server_verify" sudoers option from taking effect.

• The sudo_sendlog utility has a new -s option to cause it to stop sending I/O records after a user-specified elapsed time. This can be used to test the I/O log restart functionality of sudo_logsrvd.

• Fixed a crash introduced in sudo 1.9.4 in sudo_logsrvd when attempting to restart an interrupted I/O log transfer.

• The TLS connection timeout in the sudoers log client was previously hard-coded to 10 seconds. It now uses the value of log_server_timeout.

• The configure script now outputs a summary of the user-configurable options at the end, separate from output of configure script tests.

• Corrected the description of which groups may be specified via the -g option in the Runas_Spec section.

[Bruce Dubbs]

327a2630f9 Update to sudo-1.9.7 and libXfixes-6.0.0 (Xorg Library)
6d2b973748 Update to Jinja2-3.0.0 and MarkupSafe-2.0.0 (Python modules)

[Bruce Dubbs]

Milestone renamed