What is package Xinuossudo-1.9.15p5, sudo 1.9.15p5?

KEYWORDS: Xinuossudo-1.9.15p5 sudo 1.9.15p5

RELEASE:

Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity. The basic philosophy is to
give as few privileges as possible but still allow people to get their
work done.

----------------------------------------------------------

Changes between Xinuossudo 1.9.15p5 and 1.9.12p2

 * The sudoers plugin has been modified to make it more resilient to
   ROWHAMMER attacks on authentication and policy matching. This
   addresses CVE-2023-42465.

 * The sudoers plugin now constructs the user time stamp file path
   name using the user-ID instead of the user name. This avoids a
   potential problem with user names that contain a path separator
   ('/') being interpreted as part of the path name. A similar issue
   in sudo-rs has been assigned CVE-2023-42456.

Changes between Xinuossudo 1.9.7p2 and 1.9.12p2

 * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
   that could allow a malicious user with sudoedit privileges to edit
   arbitrary files.

 * Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
   smaller than 8 characters when passwd authentication is enabled.
   This does not affect configurations that use other authentication
   methods such as PAM, AIX authentication or BSD authentication.

See the /opt/xinuos/share/doc/packages/sudo/NEWS file for a list of
major changes in this release. For a complete list of changes, see the
/opt/xinuos/share/doc/packages/sudo/ChangeLog.

----------------------------------------------------------

Notes on upgrading from an older release

 * Upgrading from a version prior to 1.9.10:

   Sudo now interprets a command line argument in sudoers that begins
   with a '^' character as a regular expression. To start a command
   argument with a literal '^' character, it must be escaped with a
   backslash ('\'). This may result in a syntax error after upgrading
   for existing sudoers rules where the command line arguments begin
   with a '^'.

   A user may now only run "sudo -U otheruser -l" if they have a
   "sudo ALL" privilege where the RunAs user contains either "root"
   or "otheruser". Previously, having "sudo ALL" was sufficient,
   regardless of the RunAs user.

----------------------------------------------------------

I. Software Notes and Recommendations

   Xinuossudo should only be installed on:

      UnixWare 7 Definitive D2M1 with MP1
   or SCO OpenServer 6 Definitive D2M1 with oss726i or later.

----------------------------------------------------------

II. Installation Instructions

   To install sudo-1.9.15p5 follow these steps:

   1. Log in as root.

   2. Download the Xinuossudo-1.9.15p5-UnixWare-i386.pkg.xz file and
      optionally Xinuossudo-dev-1.9.15p5-UnixWare-i386.pkg.xz to the
      /tmp directory on your machine.

   3. After the download is complete, change to /tmp and run the
      following command(s) to verify the integrity of the download:

         sha256 Xinuossudo-1.9.15p5-UnixWare-i386.pkg.xz
         sha256 Xinuossudo-dev-1.9.15p5-UnixWare-i386.pkg.xz

      The output should be:

         SHA256 (Xinuossudo-1.9.15p5-UnixWare-i386.pkg.xz) = a69b32ccdc9b8e08e1b00ffa6f81cff133cfedcf1af68e89fb264bf6a82fb082
         SHA256 (Xinuossudo-dev-1.9.15p5-UnixWare-i386.pkg.xz) = 1496ee8c04788ad1a86178e802cd04b133e9451e06cfda260a77278cfe971f44

   4. After verifying that the sums match, as root, add the package
      to your system using these commands:

         $ su -
         Password:
         # xzcat Xinuossudo-1.9.15p5-UnixWare-i386.pkg.xz | pkgadd -d -

      Alternatively, this package may be installed in quiet mode by
      using these commands:

         $ su -
         Password:
         # xzcat Xinuossudo-1.9.15p5-UnixWare-i386.pkg.xz | pkgadd -qd - all

      If you are doing software development on sudo modules, repeat
      the steps for Xinuossudo-dev-1.9.15p5-UnixWare-i386.pkg.xz

   5. Installation of package sudo-1.9.15p5 is now complete.

   6. Once the installation has completed, you can remove or archive
      the sudo-1.9.15p5 file Xinuossudo-1.9.15p5-UnixWare-i386.pkg.xz
      downloaded in step 2.

   7. There is no need to reboot the system after installing this
      package. However, if your system is running any libraries or
      commands that are contained in this package, then these programs
      will continue to run with the old versions of these libraries or
      commands until the system is rebooted.

      Note that when all necessary packages have been installed, it is
      good practice to reboot the system at the earliest opportunity.
      This will ensure that no programs continue to run with the old
      libraries or commands.

----------------------------------------------------------

III. Removal Instructions

   Note: Packages must be removed in the reverse order in which they
   were installed due to dependencies.

   1. As root, remove the package using these commands:

         $ su -
         Password:
         # pkgrm Xinuossudo

   2. There is no need to reboot the system after removing this
      package. However, if your system is running any libraries or
      commands that are contained in this package, then these programs
      will continue to run with the old versions of these libraries or
      commands until the system is rebooted.

      Note that when all necessary packages have been removed, it is
      good practice to reboot the system at the earliest opportunity.
      This will ensure that no programs continue to run with the old
      libraries or commands.

If you have questions regarding this package, or the product on which
it is installed, please contact your software supplier.

-------------------------------------------------------------------------------
(C) Copyright 2024 Xinuos, Inc. All Rights Reserved.
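
The upgrade note above warns that existing sudoers rules whose command line arguments begin with '^' can turn into syntax errors once sudo treats them as regular expressions. The following pre-upgrade audit is an added example, not part of the Xinuos package or of sudo itself; the function names, the sample rules and the word-level heuristic (it flags any argument word that starts with an unescaped '^', and assumes a POSIX awk) are assumptions made here.

```shell
# Added example, not shipped with the Xinuos package.
# scan_sudoers FILE...  prints "file:line: rule" for every rule in which a word
# after the command path starts with an unescaped '^'; returns 1 on any hit.
scan_sudoers() {
    awk '
    FNR == 1 { buf = "" }                        # new file: drop pending text
    {
        if (buf == "") start = FNR               # first line of this rule
        if ($0 ~ /\\$/) {                        # trailing backslash: rule continues
            buf = buf substr($0, 1, length($0) - 1) " "
            next
        }
        rule = buf $0; buf = ""
        sub(/^[ \t]+/, "", rule)
        # Skip comments (but not "#uid" user specs), Defaults and lines without "=".
        if (rule ~ /^#([^0-9]|$)/ || rule ~ /^Defaults/ || index(rule, "=") == 0) next
        sub(/[ \t]#.*$/, "", rule)               # drop a trailing comment
        n = split(substr(rule, index(rule, "=") + 1), entry, ",")
        for (i = 1; i <= n; i++) {
            m = split(entry[i], word, /[ \t]+/)
            cmd = 0                              # becomes 1 once the command path is seen
            for (j = 1; j <= m; j++) {
                c = substr(word[j], 1, 1)
                if (!cmd) { if (c == "/") cmd = 1; continue }
                if (c == "^") {                  # "\^" starts with a backslash: not flagged
                    printf "%s:%d: %s\n", FILENAME, start, rule
                    hits++
                    next
                }
            }
        }
    }
    END { exit (hits > 0) }
    ' "$@"
}

# Constructed sample rules (not from any real system).
sample_sudoers() {
    cat <<'EOF'
# ^ inside a comment is ignored
Cmnd_Alias LOGS = /usr/bin/grep ^ERROR /var/log/app.log
alice ALL = (root) /usr/bin/grep \^WARN /var/log/app.log
bob   ALL = (root) NOPASSWD: /usr/bin/tail -f /var/log/app.log, \
                   /usr/bin/sed ^d /tmp/scratch
carol ALL = (root) /usr/bin/less /var/log/app.log
EOF
}

# Stand-alone use: sh scan.sh /etc/sudoers /etc/sudoers.d/*
if [ "$#" -gt 0 ]; then scan_sudoers "$@"; fi
```

Each reported rule needs its leading '^' escaped as '\^' before the upgrade. After the upgrade, "visudo -c" checks the installed sudoers files for remaining syntax errors.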