<p dir="ltr"><br>
On Jan 17, 2016 5:20 PM, &quot;MacPorts&quot; &lt;<a href="mailto:noreply@macports.org">noreply@macports.org</a>&gt; wrote:<br>
&gt;<br>
&gt; #50356: sudo: Update to 1.8.15, CVE-2015-5602<br>
&gt; --------------------+-----------------------------<br>
&gt;  Reporter:  cal@…   |      Owner:  youvegotmoxie@…<br>
&gt;      Type:  update  |     Status:  new<br>
&gt;  Priority:  Normal  |  Milestone:<br>
&gt; Component:  ports   |    Version:  2.3.4<br>
&gt;  Keywords:          |       Port:  sudo<br>
&gt; --------------------+-----------------------------<br>
&gt;  Hi,<br>
&gt;<br>
&gt;  sudo has version 1.8.15 available. It attempts to fix CVE-2015-5602, but<br>
&gt;  the problem is actually still present after that ![1,2,3]. Please update<br>
&gt;  sudo to 1.8.15 and consider backporting the change that fixes the CVE and<br>
&gt;  has been committed for sudo 1.8.16 ![4].<br>
&gt;<br>
&gt;  Here&#39;s a patch that does the gruntwork, I haven&#39;t looked into backporting<br>
&gt;  the patch, though.<br>
&gt;<br>
&gt;  {{{<br>
&gt;  #!diff<br>
&gt;  Index: Portfile<br>
&gt;  ===================================================================<br>
&gt;  --- Portfile    (revision 144755)<br>
&gt;  +++ Portfile    (working copy)<br>
&gt;  @@ -5,8 +5,7 @@<br>
&gt;<br>
&gt;   name                sudo<br>
&gt;   epoch               1<br>
&gt;  -version             1.8.14p3<br>
&gt;  -revision            1<br>
&gt;  +version             1.8.15<br>
&gt;   categories          sysutils security<br>
&gt;   license             ISC<br>
&gt;   maintainers         gmail.com:youvegotmoxie<br>
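Review bot: If the 1.8.16 change for CVE-2015-5602 is backported in a separate commit after this bump, that commit will need to add a revision line again. Removing "revision 1" next to the new version line is correct for the version change itself, but nothing here will trigger a rebuild for users who already installed 1.8.15 once the fix is added as a patchfile.<br>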
&gt;  @@ -24,8 +23,8 @@<br>
&gt;   master_sites        ${homepage}dist/ \<br>
&gt;                       ${homepage}dist/OLD/<br>
&gt;<br>
&gt;  -checksums           rmd160  209554c44467da8ebeeecc2134edbf42fce2244e \<br>
&gt;  -                    sha256<br>
&gt;  a8a697cbb113859058944850d098464618254804cf97961dee926429f00a1237<br>
&gt;  +checksums           rmd160  676ee3249c2ddacd64de54d6555b820912b56f6f \<br>
&gt;  +                    sha256<br>
&gt;  4316381708324da8b6cb151f655c1a11855207c7c02244d8ffdea5104d7cc308<br>
&gt;<br>
&gt;   patchfiles          patch-sudoers.in.diff<br>
&gt;<br>
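Review bot: The sha256 digests on the removed and added checksums lines are wrapped onto their own lines in this quoted copy, which breaks the continuation after "sha256", so the hunk will not apply as shown. Take the patch from the ticket rather than from this mail, and recompute both the rmd160 and sha256 values from a freshly fetched distfile before committing. Also note that patchfiles in the trailing context still lists only patch-sudoers.in.diff, so per the ticket text the result does not yet carry the 1.8.16 change for CVE-2015-5602.<br>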
&gt;  }}}<br>
&gt;<br>
&gt;  I&#39;m leaving this at normal priority, since the CVE doesn&#39;t affect our<br>
&gt;  default installation.<br>
&gt;<br>
&gt;  ![1] <a href="https://www.debian.org/security/2016/dsa-3440">https://www.debian.org/security/2016/dsa-3440</a> [[BR]]<br>
&gt;  ![2] <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149</a> [[BR]]<br>
&gt;  ![3] <a href="https://bugzilla.sudo.ws/show_bug.cgi?id=707">https://bugzilla.sudo.ws/show_bug.cgi?id=707</a> [[BR]]<br>
&gt;  ![4] <a href="https://www.sudo.ws/repos/sudo/rev/c2e36a80a279">https://www.sudo.ws/repos/sudo/rev/c2e36a80a279</a><br>
&gt;<br>
&gt; --<br>
&gt; Ticket URL: &lt;<a href="https://trac.macports.org/ticket/50356">https://trac.macports.org/ticket/50356</a>&gt;<br>
&gt; MacPorts &lt;<a href="https://www.macports.org/">https://www.macports.org/</a>&gt;<br>
&gt; Ports system for OS X</p>
<p dir="ltr">Thank you, will do tomorrow when I return from holiday.</p>