sudo (1.9.9-1ubuntu2.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Local Privilege Escalation via host option
    - debian/patches/CVE-2025-32462.patch: only allow specifying a host
      when listing privileges.
    - CVE-2025-32462

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Jun 2025 08:48:23 -0400

sudo (1.9.9-1ubuntu2.4) jammy-security; urgency=medium

  * SECURITY UPDATE: does not escape control characters
    - debian/patches/CVE-2023-2848x-1.patch: escape control characters in
      log messages and sudoreplay output in docs/sudoers.man.in,
      docs/sudoers.mdoc.in, docs/sudoreplay.man.in,
      docs/sudoreplay.mdoc.in, include/sudo_lbuf.h,
      lib/eventlog/eventlog.c, lib/iolog/iolog_json.c, lib/util/lbuf.c,
      lib/util/util.exp.in, plugins/sudoers/sudoreplay.c.
    - debian/patches/CVE-2023-2848x-2.patch: fix regression in
      lib/eventlog/eventlog.c.
    - CVE-2023-28486
    - CVE-2023-28487

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 03 Apr 2023 14:00:44 -0400

sudo (1.9.9-1ubuntu2.3) jammy-security; urgency=medium

  * SECURITY UPDATE: double free with per-command chroot sudoers rules
    - debian/patches/CVE-2023-27320.patch: don't free user_cmnd twice in
      MANIFEST, plugins/sudoers/match_command.c,
      plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
      plugins/sudoers/regress/testsudoers/test20.out.ok,
      plugins/sudoers/regress/testsudoers/test20.sh,
      plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c.
    - CVE-2023-27320

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 01 Mar 2023 08:59:37 -0500

sudo (1.9.9-1ubuntu2.2) jammy-security; urgency=medium

  * SECURITY UPDATE: arbitrary file overwrite via sudoedit
    - debian/patches/CVE-2023-22809.patch: do not permit editor arguments
      to include -- in plugins/sudoers/editor.c,
      plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c.
    - CVE-2023-22809
  * SECURITY UPDATE: DoS via invalid arithmetic shift in Protobuf-c
    - debian/patches/CVE-2022-33070.patch: only shift unsigned values in
      lib/protobuf-c/protobuf-c.c.
    - CVE-2022-33070

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 16 Jan 2023 07:36:33 -0500

sudo (1.9.9-1ubuntu2.1) jammy; urgency=medium

  * Add XDG_CURRENT_DESKTOP to initial_keepenv_table for Qt to determine
    the correct theme (LP: #1958055)

 -- Benjamin Drung <bdrung@ubuntu.com>  Thu, 04 Aug 2022 12:35:21 +0200

sudo (1.9.9-1ubuntu2) jammy; urgency=medium

  * d/t/control: skip 03-getroot-ldap autopkgtest on non-containers

 -- Lukas Märdian <slyon@ubuntu.com>  Mon, 14 Feb 2022 12:48:05 +0100

sudo (1.9.9-1ubuntu1) jammy; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/control:
      + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets
        --enable-admin-flag
    - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
    - debian/sudo[-ldap].init: delete init scripts, as they are no longer
      necessary.
    - debian/etc/pam.d/sudo[-i]:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted
        due to security reasons.
    - debian/etc/sudoers:
      + also grant admin group sudo access
      + include /snap/bin in the secure_path
    - debian/tests/control: 03-getroot-ldap:
      + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
  * Dropped changes:
    - debian/rules:
      + use dh-autoreconf (converted to using dh)

 -- Lukas Märdian <slyon@ubuntu.com>  Tue, 08 Feb 2022 12:01:45 +0100

sudo (1.9.9-1) unstable; urgency=medium

  * new upstream version
  * audit plugin now handles unresolvable hostname better
    Thanks to Sven Mueller (Closes: #1001969)
  * better document environment handling.
    Thanks to Arnout Engelen (Closes: #659101)
  * README files now come as markdown
  * schemas are now in docs subdirectory
  * LICENSE is now LICENSE.md

  [ Marc Haber ]
  * refresh patches
  * mark paths-in-samples.diff explicitly as not forwarded
  * have systemd-tmpfiles clean up /run/sudo on boot
  * lintian overrides:
    * improve 'em in various places
    * give better explanations
    * override long line warnings
    * override typo warning for a literal film quote
    * use correct lintian tag for override init script without unit
  * init script / systemd units
    * guarantee init script no-op on systemd systems
    * mask sysv init script on systemd systems in postinst instead of
      debian/rules
    * actually remove masking of service in postrm
  * maintainer scripts
    * document when .dist file removal was added so that it can be
      eventually removed
    * document when alternative removal was added so that it can be
      eventually removed
  * add a test to check for presence of #1003969
  * Standards-Version: 4.6.0 (no changes)
  * use uscan version 4
  * honor nocheck DEB_BUILD_OPTION

  [ Hilko Bengen ]
  * More improvement for Lintian overrides
  * Convert debian/copyright to machine-readable format, using
    information from upstream-provided LICENSE.md file

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Mon, 31 Jan 2022 20:19:55 +0100

sudo (1.9.8p2-1) unstable; urgency=medium

  * add more autopkgtests (especially for LDAP)
  * improve existing autopkgtests
  * debian/patches:
    * Remove typo-in-classic-insults.diff, reflecting upstream's decision
      to not fix the typo as a way of remembering Evi Nemeth.
    * remove unneeded sudo-success_return.patch
    * mark debian/patches/sudo-ldap-docs as Forwarded: not-needed
    * add DEP3 headers
  * mention #1001858 in sudo.prerm
  * comment some lintian-overrides with unclear results

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Sat, 18 Dec 2021 14:55:08 +0100

sudo (1.9.8p2-1~exp1) experimental; urgency=medium

  [ Marc Haber ]
  * new upstream version 1.9.8p2-1
  * this correctly handles double defined aliases (Closes: #985412)
  * improve sudoers.ldap.manpage.
    Thanks to Dennis Filder and Eric Brun (Closes: #981190)
  * refresh patches
  * remove prompting for wrong sudo group id (Closes: #605576)
  * give better docs for LDAP success behavior.
    Thanks to Dennis Filder (Closes: 981190)
  * remove unneeded mandoc from Build-Depends.
    Thanks to Ingo Schwarze
  * Restore inclusion of pam_limits.so PAM module.
    Thanks to Salvatore Bonaccorso (Closes: 518464)
  * Use @includedir in sudoers.d/README (Closes: #993815)
  * Other improvements for sudoers.d/README.
    Thanks to Josh Triplett (Closes: #994962)
  * add some (simple) autopkgtests
  * better short description for sudo-ldap
  * use https in debian/watch
  * some changes to patch headers for Lintian
  * manually remove executable bit from shared libs
  * explicitly write set -e in maintainer scripts
  * debian/control: set Rules-Requires-Root: binary-targets
  * add first/trivial autopkgtests

  [ Hilko Bengen ]
  * Update lintian-overrides files
  * Remove group sudo / gid=27 check from postinst scripts

  [ Otto Kekäläinen ]
  * Add basic Salsa-CI for project quality assurance

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Sun, 12 Dec 2021 22:45:15 +0100

# For older changelog entries, run 'apt-get changelog sudo'