sudo (1.8.16-0ubuntu1.7) xenial-security; urgency=medium

  * debian/patches/terminate-with-commands-signal.patch: re-enable patch
    that got dropped by mistake in previous upload. (LP: #1832257)

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 10 Jun 2019 15:42:44 -0400

sudo (1.8.16-0ubuntu1.6) xenial-security; urgency=medium

  [ Steve Beattie ]
  * SECURITY UPDATE: /proc/self/stat parsing newline confusion
    - debian/patches/CVE-2017-1000368.patch: read all lines of
      /proc/self/stat
    - CVE-2017-1000368
  * debian/patches/avoid_sign_extension_tty_nr.patch: hardening to
    ensure sign extension doesn't occur when parsing /proc/self/stat

  [ Marc Deslauriers ]
  * SECURITY UPDATE: sudo noexec bypass
    - debian/patches/CVE-2016-7076-*.patch: wrap wordexp, add seccomp
      filter.
    - CVE-2016-7076

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 01 May 2019 11:30:39 -0400

sudo (1.8.16-0ubuntu1.5) xenial; urgency=medium

  * Terminate with the same signal as the command (LP: #1686803)
    This fixes a regression introduced in sudo 1.8.15 changeset
    10229:153f016db8f1.

 -- Balint Reczey <rbalint@ubuntu.com>  Tue, 13 Jun 2017 11:10:50 +0200

sudo (1.8.16-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: /proc/self/stat parsing confusion
    - debian/patches/CVE-2017-1000367.patch: adjust parsing to
      find ttyname
    - CVE-2017-1000367

 -- Steve Beattie <sbeattie@ubuntu.com>  Mon, 29 May 2017 03:17:46 -0700

sudo (1.8.16-0ubuntu1.3) xenial; urgency=medium

  * sssd-doesnt-handle-netgroups.diff, sssd-fix-matching-loop.diff:
    Only check username as part of the netgroup when netgroup_tuple is enabled.
    (LP: #1607666)

 -- Timo Aaltonen <tjaalton@debian.org>  Sat, 14 Jan 2017 01:54:21 +0200

sudo (1.8.16-0ubuntu1.2) xenial; urgency=medium

  * debian/sudoers:
    - include /snap/bin in the secure_path (LP: #1595558)

 -- Michael Vogt <michael.vogt@ubuntu.com>  Mon, 15 Aug 2016 18:10:18 +0200

sudo (1.8.16-0ubuntu1.1) xenial; urgency=medium

  * debian/patches/lp1565567.patch: fix crash when looking up a negative
    cached entry which is stored as a NULL passwd or group struct pointer
    in plugins/sudoers/pwutil.c. (LP: #1565567)

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 04 May 2016 11:36:54 -0400

sudo (1.8.16-0ubuntu1) xenial; urgency=medium

  * Update to new upstream version 1.8.16. (LP: #1563825)
    - Dropped patches no longer needed:
      + CVE-2015-5602-6.patch
      + CVE-2015-5602-7.patch
  * Merge from Debian unstable. Remaining changes:
    - Use tmpfs location to store timestamp files
      + debian/rules: change --with-rundir to /var/run/sudo
      + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
        shipping init script and service file, as they are no longer
        necessary.
      + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
        init script with dpkg-maintscript-helper.
      + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
        transition code, remove old /var/lib/sudo/ts timestamp directory.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudoers:
      + also grant admin group sudo access
    - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted due to
        security reasons.
    - debian/control:
      + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
    - Remaining patches:
      + keep_home_by_default.patch: Keep HOME in the default environment
      + debian/patches/also_check_sudo_group.diff: also check the sudo group
        in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
        admin group check for backwards compatibility.
    - Dropped patches no longer needed:
      + debian/patches/pam_check_untranslated_prompt.patch: upstream.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 30 Mar 2016 08:03:52 -0400

sudo (1.8.15-1.1) unstable; urgency=medium

  * Non-maintainer upload
  * Disable editing of files via user-controllable symlinks
    (Closes: #804149) (CVE-2015-5602)
    - Fix directory writability checks for sudoedit
    - Enable sudoedit directory writability checks by default

 -- Ben Hutchings <ben@decadent.org.uk>  Mon, 04 Jan 2016 23:36:50 +0000

sudo (1.8.15-1) unstable; urgency=low

  * new upstream version, closes: #804149
  * use --with-exampledir to deliver example files more cleanly

 -- Bdale Garbee <bdale@gag.com>  Wed, 23 Dec 2015 11:15:22 -0700

# For older changelog entries, run 'apt-get changelog sudo'