Change logs for sudo source package in Karmic

  • sudo (1.7.0-1ubuntu2.6) karmic-security; urgency=low
    
      * SECURITY UPDATE: privilege escalation via -g when using group Runas_List
        - pwutil.c, sudo.h: add user_in_group(), backported from upstream commits
          48ca8c2eddf8, 72df368a8a0e and 6ebc55d4716b. This is intended to be used
          only with check.c to fix CVE-2011-0010 instead of doing the refactoring.
          Going forward, will need to look at this code also if a flaw is found in
          this refactored code. If needed, the refactoring work is in 48ca8c2eddf8
          and 6ebc55d4716b.
        - check.c: prompt for password when the user is running sudo as himself
          but as a different group. Based on fe8a94f96542.
        - CVE-2011-0010
    
     -- Jamie Strandboge <email address hidden>   Wed, 19 Jan 2011 10:46:05 -0600
  • sudo (1.7.0-1ubuntu2.5) karmic-security; urgency=low
    
      * SECURITY UPDATE: privilege escalation via '-g' option when using
        'user:group' in Runas_Spec
        - update match.c to verify both user and group match sudoers when using
          '-g'. Based on patch from upstream.
        - CVE-2010-2956
    
     -- Jamie Strandboge <email address hidden>   Tue, 31 Aug 2010 15:55:00 -0500
  • sudo (1.7.0-1ubuntu2.4) karmic-security; urgency=low
    
      * SECURITY UPDATE: properly handle multiple PATH variables when using
        secure_path in env.c
        - Adapted http://www.sudo.ws/repos/sudo/raw-rev/a09c6812eaec
        - CVE-2010-1646
    
     -- Jamie Strandboge <email address hidden>   Mon, 28 Jun 2010 16:41:06 -0500
  • sudo (1.7.0-1ubuntu2.2) karmic-security; urgency=low
    
      * SECURITY UPDATE: properly verify path in find_path.c for the 'sudoedit'
        pseudo-command when running from the current working directory and
        secure_path is disabled
        - CVE-2010-XXXX
    
     -- Jamie Strandboge <email address hidden>   Wed, 07 Apr 2010 15:06:51 -0500
  • sudo (1.7.0-1ubuntu2.1) karmic-security; urgency=low
    
      * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command
        in match.c
        - http://sudo.ws/repos/sudo/rev/88f3181692fe
        - CVE-2010-0426
    
     -- Jamie Strandboge <email address hidden>   Wed, 24 Feb 2010 16:59:51 -0600
  • sudo (1.7.0-1ubuntu2) karmic; urgency=low
    
      * env.c: add logic similar to pam_env's stripping of single and double
        quotes around /etc/environment env vars; fixes literal quotes in LANG when
        using sudo -i; LP: #387262.
    
     -- Loic Minier <email address hidden>   Mon, 22 Jun 2009 18:03:45 +0200
  • sudo (1.7.0-1ubuntu1) karmic; urgency=low
    
      * Merge from debian unstable, remaining changes:
       - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
         specific)
       - Add debian/sudo_root.8: Explanation of root handling through sudo.
         Install it in debian/rules. (Ubuntu specific)
       - sudo.c: If the user successfully authenticated and he is in the 'admin'
         group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
         profile checks for this and displays a short intro about sudo if the
         flag is not present. (Ubuntu specific)
       - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
         for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
         some point)
       - debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
         installation. Debian reintroduced it because /var/run tmpfs is not the
         default there, but has been on Ubuntu for ages.
    
    sudo (1.7.0-1) unstable; urgency=low
    
      * new upstream version, closes: #510179, #128268, #520274, #508514
      * fix ldap config file path for sudo-ldap package, including creating
        a symlink in postinst and cleaning it up in postrm for the sudo-ldap
        package, closes: #430826
      * fix NOPASSWD entry location in default config file for the sudo-ldap
        instance too, closes: #479616
    
     -- Martin Pitt <email address hidden>   Mon, 11 May 2009 18:07:03 +0200
  • sudo (1.6.9p17-1ubuntu3) jaunty; urgency=low
    
      * SECURITY UPDATE: privilege escalation via non-default system groups.
        - parse.c: upstream fix for CVE-2009-0034:
          http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c?r1=1.160.2.21&r2=1.160.2.22
    
     -- Kees Cook <email address hidden>   Mon, 16 Feb 2009 12:13:47 -0800