path: root/debian/NEWS
sudo (1.9.15p2-1) unstable; urgency=medium

  sudo-ldap has become a burden to maintain. This is mainly due to the fact
  that the sudo team has neither the manpower nor the know-how to maintain
  sudo-ldap adequately.

  In practice, there are few installations that use sudo-ldap. Most
  installations that use LDAP as a directory service and sudo have now opted
  for sssd, sssd-ldap and libsss-sudo.

  The Debian sudo team recommends the use of libsss-sudo for new
  installations and the migration of existing installations from sudo-ldap
  to libsss-sudo and sssd.

  The combination of sudo and sssd is automatically tested in autopkgtest
  of sudo.

  This is also being discussed in #1033728 in the Debian BTS.

  Debian 13, "trixie", will be the last version of Debian that supports
  sudo-ldap. Please use the bookworm and trixie release cycles to migrate
  your installation away from sudo-ldap.

  Please make sure that you do not upgrade from Debian 13 to Debian 14
  while you're still using sudo-ldap. This is not going to work and
  will probably leave you without intended privilege escalation.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Mon, 20 Nov 2023 10:07:57 +0100

sudo (1.9.5p2-3) unstable; urgency=medium

  We have added "Defaults use_pty" to the default configuration. This fixes
  CVE-2005-4890 which has been lingering around for more than a decade.
  If you would like the old behavior back, please remove the respective line
  from /etc/sudoers.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Wed, 24 Feb 2021 17:59:22 +0100

sudo (1.8.2-1) unstable; urgency=low

  The sudo package is no longer configured using --with-secure-path.
  Instead, the provided sudoers file now contains a line declaring
  'Defaults secure_path=' with the same path content that was previously
  hard-coded in the binary.  A consequence of this change is that if you
  do not have such a definition in sudoers, the PATH searched for commands
  by sudo may be empty.

  Using explicit paths for each command you want to run with sudo will work
  well enough to allow the sudoers file to be updated with a suitable entry
  if one is not already present and you choose to not accept the updated
  version provided by the package.
  
 -- Bdale Garbee <bdale@gag.com>  Wed, 24 Aug 2011 13:33:11 -0600

sudo (1.7.4p4-2) unstable; urgency=low

  The HOME and MAIL environment variables are now reset based on the
  target user's password database entry when the env_reset sudoers option
  is enabled (which is the case in the default configuration).  Users
  wishing to preserve the original values should use a sudoers entry like:
     Defaults env_keep += HOME
  to preserve the old value of HOME and
     Defaults env_keep += MAIL
  to preserve the old value of MAIL.

  The change in handling of HOME is known to affect programs like pbuilder.

 -- Bdale Garbee <bdale@gag.com>  Wed, 08 Sep 2010 14:29:16 -0600

sudo (1.6.8p12-5) unstable; urgency=low

  The sudo package is no longer configured --with-exempt=sudo.  If you 
  depend on members of group sudo being able to run sudo without needing
  a password, you will need to put "%sudo ALL=NOPASSWD: ALL" in 
  /etc/sudoers to preserve equivalent functionality.

 -- Bdale Garbee <bdale@gag.com>  Tue,  3 Apr 2007 21:13:39 -0600
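
The following is an added example, not part of this NEWS file or of the sudo package: a shell check that reads one sudoers-format file and reports on the settings the entries above mention (use_pty, secure_path, env_keep for HOME and MAIL, NOPASSWD for group sudo). The function names, the output wording and the sample file are assumptions made for illustration; files pulled in through include directives are not followed.

```shell
#!/bin/sh
# Added example (not part of the sudo package): check one sudoers-format file
# for the settings named in the NEWS entries. Only the given file is read;
# files pulled in via include directives are not followed.

# Non-comment lines starting with "Defaults" (also Defaults:user, Defaults@host).
defaults_lines() { grep -E '^[[:space:]]*Defaults' "$1"; }

audit_sudoers() {
    f=$1
    # 1.9.5p2-3: "Defaults use_pty" expected; "!use_pty" does not count.
    if defaults_lines "$f" | grep -Eq '(^|[[:space:],])use_pty([[:space:],]|$)'; then
        echo "OK use_pty"
    else
        echo "WARN use_pty not set"
    fi
    # 1.8.2-1: without secure_path the PATH searched by sudo may be empty.
    if defaults_lines "$f" | grep -Eq '(^|[[:space:],])secure_path[[:space:]]*='; then
        echo "OK secure_path"
    else
        echo "WARN secure_path not set"
    fi
    # 1.7.4p4-2: HOME/MAIL kept from the invoking user only via env_keep.
    for v in HOME MAIL; do
        if defaults_lines "$f" | grep -Eq \
            "env_keep[[:space:]]*\\+?=[[:space:]]*\"?([^\"]*[[:space:]])?$v([[:space:]\",]|\$)"; then
            echo "NOTE env_keep preserves $v"
        fi
    done
    # 1.6.8p12-5: passwordless sudo for group sudo is now an explicit rule.
    if grep -Eq '^[[:space:]]*%sudo[[:space:]].*NOPASSWD[[:space:]]*:' "$f"; then
        echo "NOTE %sudo has NOPASSWD"
    fi
}

# Constructed sample input, not a real system's sudoers file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sudoers
Defaults env_reset
Defaults !use_pty
Defaults env_keep += "LANG HOME"
#Defaults secure_path="/usr/sbin:/usr/bin"
%sudo ALL=NOPASSWD: ALL
EOF
audit_sudoers "$sample"
```

Syntax validation of the real file remains the job of visudo -c; this check only looks for the presence of the named settings.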