November 14, 2004
Sudoscript 2.1.2 beta 1 Released
This point release features a new "-" switch to ss (like "su -") and three bug fixes, one of which is a moderately severe security bug.
The security bug only bites if you are enabling non-root access with sudoscript. But if you are, any member of the ssers group can send a SIGHUP signal to any process. Although this release is labeled "beta," the changes are small. If you are in the class of users noted, you probably should upgrade right away. I'm going to leave the beta out there for just a week before going to an official release, assuming that no problems show up.
Longer term, I'm working on the session replay stuff, and thinking about rearchitecting the IPC mechanisms. This latter has been prompted by a bug report and patch from Conrad Link, among three he submitted, that pointed out the SIGHUP vulnerability. Conrad has some ideas on how to make the back-end more secure, which I'd like to mull over a bit before deciding how to proceed.
Posted by hbo at November 14, 2004 05:19 PM