- major changes & fixes:
- when running a command in the background, sudo will now forward
SIGINFO to the command
- the passwords in ldap.conf and ldap.secret may now be encoded in base64.
- SELinux role changes are now audited. For sudoedit, we now audit
the actual editor being run, instead of just the sudoedit command.
- it is now possible to match an environment variable's value as well as
its name using env_keep and env_check
- new files created via sudoedit as a non-root user now have the proper group id
- sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
- it is now possible to disable network interface probing in sudo.conf by
changing the value of the probe_interfaces setting
- when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
for the user's password even if the targetpw, rootpw or runaspw options are set.
- the new use_netgroups sudoers option can be used to explicitly enable or disable
netgroups support
- visudo can now export a sudoers file in JSON format using the new -x flag
- added patch to read ldap.conf more closely to nss_ldap
- require /usr/bin/vi instead of vim-minimal
- include pam.d/system-auth in PAM session phase from pam.d/sudo
- include pam.d/sudo in PAM session phase from pam.d/sudo-i
- major changes & fixes:
- LDAP SASL support now works properly with Kerberos
- root may no longer change its SELinux role without entering a password
- user messages are now always displayed in the user's locale, even when
the same message is being logged or mailed in a different locale.
- log files created by sudo now explicitly have the group set to group
ID 0 rather than relying on BSD group semantics
- sudo now stores its libexec files in a sudo subdirectory instead of in
libexec itself
- system_group and group_file sudoers group provider plugins are now
installed by default
- the paths to ldap.conf and ldap.secret may now be specified as arguments
to the sudoers plugin in the sudo.conf file
- ...and many new features and settings. See the upstream ChangeLog for the
full list.
- several sssd support fixes
- added patch to make uid/gid specification parsing more strict (don't accept
an invalid number as uid/gid)
- use the _pkgdocdir macro
(see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
- fixed several bugs found by the clang static analyzer
- added %post dependency on chmod
- fixes CVE-2013-1775 and CVE-2013-1776
- fixed several packaging issues (thanks to ville.skytta@iki.fi)
- build with system zlib.
- let rpmbuild strip libexecdir/*.so.
- own the %{_docdir}/sudo-* dir.
- fix some rpmlint warnings (spaces vs tabs, unescaped macros).
- fix bogus %changelog dates.
- added upstream patch for a regression
- don't include arch specific files in the -devel subpackage
- ship only one sample plugin in the -devel subpackage
