Resolved Bugs
1191144 – CVE-2014-9680 sudo: unsafe handling of TZ environment variable
1191145 – sudo: unsafe handling of TZ environment variable [fedora-all]
1065423 – -sesh replaces /path/to/myshell with /path/to-myshell instead of -myshell
979382 – sudo packages requires vim-minimal
1006611 – sudo: internal error, tried to erealloc3(0) on sudorule with hostgroup
1034533 – inclusion of system-auth for session hooks missing in sudo PAM snippets
917887 – sudo does not honour PAM environment set from PAM session hooks<br
– update to 1.8.12
– fixes CVE-2014-9680
Update to 1.8.11p2
Major upstream changes & fixes:
– when running a command in the background, sudo will now forward SIGINFO to the command
– the passwords in ldap.conf and ldap.secret may now be encoded in base64.
– SELinux role changes are now audited. For sudoedit, we now audit the actual editor being run, instead of just the sudoedit command.
– it is now possible to match an environment variable’s value as well as its name using env_keep and env_check
– new files created via sudoedit as a non-root user now have the proper group id
– sudoedit now works correctly in conjunction with sudo’s SELinux RBAC support
– it is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting
– when listing a user’s privileges (sudo -l), the sudoers plugin will now prompt for the user’s password even if the targetpw, rootpw or runaspw options are set.
– the new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support
– visudo can now export a sudoers file in JSON format using the new -x flag
Distribution specific changes:
– added patch to read ldap.conf more closely to nss_ldap
– require /usr/bin/vi instead of vim-minimal
– include pam.d/system-auth in PAM session phase from pam.d/sudo
– include pam.d/sudo in PAM session phase from pam.d/sudo-i