+What's new in Sudo 1.8.5?
+
+ * When "noexec" is enabled, sudo_noexec.so will now be prepended
+ to any existing LD_PRELOAD variable instead of replacing it.
+
+ * The sudo_noexec.so shared library now wraps the execvpe(),
+ exect(), posix_spawn() and posix_spawnp() functions.
+
+ * The user/group/mode checks on sudoers files have been relaxed.
+ As long as the file is owned by the sudoers uid, not world-writable
+ and not writable by a group other than the sudoers gid, the file
+ is considered OK. Note that visudo will still set the mode to
+ the value specified at configure time.
+
+ * It is now possible to specify the sudoers path, uid, gid and
+ file mode as options to the plugin in the sudo.conf file.
+
+ * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
+ translations from translationproject.org.
+
+ * /etc/environment is no longer read directly on Linux systems
+ when PAM is used. Sudo now merges the PAM environment into the
+ user's environment which is typically set by the pam_env module.
+
+ * The initial evironment created when env_reset is in effect now
+ includes the contents of /etc/environment on AIX systems and the
+ "setenv" and "path" entries from /etc/login.conf on BSD systems.
+
+ * The plugin API has been extended in three ways. First, options
+ specified in sudo.conf after the plugin pathname are passed to
+ the plugin's open function. Second, sudo has limited support
+ for hooks that can be used by plugins. Currently, the hooks are
+ limited to environment handling functions. Third, the init_session
+ policy plugin function is passed a pointer to the user environment
+ which can be updated during session setup. The plugin API version
+ has been incremented to version 1.2. See the sudo_plugin manual
+ for more information.
+
+ * The policy plugin's init_session function is now called by the
+ parent sudo process, not the child process that executes the
+ command. This allows the PAM session to be open and closed in
+ the same process, which some PAM modules require.
+
+ * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
+ which was broken in version 1.8.4.
+
+ * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
+ file is now uses to determine the controlling terminal, if possible.
+ This allows tty-based tickets to work properly even when, e.g.
+ standard input, output and error are redirected to /dev/null.
+
+ * The output of "sudoreplay -l" is now sorted by file name (or
+ sequence number). Previously, entries were displayed in the
+ order in which they were found on the file system.
+
+ * Sudo now behaves properly when I/O logging is enabled and the
+ controlling terminal is revoked (e.g. the running sshd is killed).
+ Previously, sudo may have exited without calling the I/O plugin's
+ close function which can lead to an incomplete I/O log.
+
+ * Sudo can now detect when a user has logged out and back in again
+ on Solaris 11, just like it can on Solaris 10.
+
+ * The built-in zlib included with Sudo has been upgraded to version
+ 1.2.6.
+
+ * Setting the SSL parameter to start_tls in ldap.conf now works
+ properly when using Mozilla-based SDKs that support the
+ ldap_start_tls_s() function.
+
+ * The TLS_CHECKPEER parameter in ldap.conf now works when the
+ Mozilla NSS crypto backend is used with OpenLDAP.
+
+ * A new group provider plugin, system_group, is included which
+ performs group look ups by name using the system groups database.
+ This can be used to restore the pre-1.7.3 sudo group lookup
+ behavior.
+
+What's new in Sudo 1.8.4p5?
+
+ * Fixed a bug when matching against an IP address with an associated
+ netmask in the sudoers file. In certain circumstances, this
+ could allow users to run commands on hosts they are not authorized
+ for.
+
+What's new in Sudo 1.8.4p4?
+
+ * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v"
+ from working.
+
+What's new in Sudo 1.8.4p3?
+
+ * Fixed a crash on FreeBSD when no tty is present.
+
+ * Fixed a bug introduced in Sudo 1.8.4 that allowed users to
+ specify environment variables to set on the command line without
+ having sudo "ALL" permissions or the "SETENV" tag.
+
+ * When visudo is run with the -c (check) option, the sudoers
+ file(s) owner and mode are now also checked unless the -f option
+ was specified.
+
+What's new in Sudo 1.8.4p2?
+
+ * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
+ was allocated for group IDs in the LDAP filter.
+
+ * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
+ was "/sudo.conf" instead of "/etc/sudo.conf".
+
+ * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
+ when I/O logging is enabled and input is from a pipe or file.
+
+What's new in Sudo 1.8.4p1?
+
+ * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
+ deleting from the env_keep, env_check and env_delete lists in
+ sudoers on some platforms.
+
+What's new in Sudo 1.8.4?
+
+ * The -D flag in sudo has been replaced with a more general debugging
+ framework that is configured in sudo.conf.
+
+ * Fixed a false positive in visudo strict mode when aliases are
+ in use.
+
+ * Fixed a crash with "sudo -i" when a runas group was specified
+ without a runas user.
+
+ * The line on which a syntax error is reported in the sudoers file
+ is now more accurate. Previously it was often off by a line.
+
+ * Fixed a bug where stack garbage could be printed at the end of
+ the lecture when the "lecture_file" option was enabled.
+
+ * "make install" now honors the LINGUAS environment variable.
+
+ * The #include and #includedir directives in sudoers now support
+ relative paths. If the path is not fully qualified it is expected
+ to be located in the same directory of the sudoers file that is
+ including it.
+
+ * Serbian and Spanish translations for sudo from translationproject.org.
+
+ * LDAP-based sudoers may now access by group ID in addition to
+ group name.
+
+ * visudo will now fix the mode on the sudoers file even if no changes
+ are made unless the -f option is specified.
+
+ * The "use_loginclass" sudoers option works properly again.
+
+ * On systems that use login.conf, "sudo -i" now sets environment
+ variables based on login.conf.
+
+ * For LDAP-based sudoers, values in the search expression are now
+ escaped as per RFC 4515.
+
+ * The plugin close function is now properly called when a login
+ session is killed (as opposed to the actual command being killed).
+ This can happen when an ssh session is disconnected or the
+ terminal window is closed.
+
+ * The deprecated "noexec_file" sudoers option is no longer supported.
+
+ * Fixed a race condition when I/O logging is not enabled that could
+ result in tty-generated signals (e.g. control-C) being received
+ by the command twice.
+
+ * If none of the standard input, output or error are connected to
+ a tty device, sudo will now check its parent's standard input,
+ output or error for the tty name on systems with /proc and BSD
+ systems that support the KERN_PROC_PID sysctl. This allows
+ tty-based tickets to work properly even when, e.g. standard
+ input, output and error are redirected to /dev/null.
+
+ * Added the --enable-kerb5-instance configure option to allow
+ people using Kerberos V authentication to specify a custom
+ instance so the principal name can be, e.g. "username/sudo"
+ similar to how ksu uses "username/root".
+
+ * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
+ the results, which would be incorrectly be interpreted as if the
+ sudoers file had specified a directory.
+
+ * "visudo -c" will now list any include files that were checked
+ in addition to the main sudoers file when everything parses OK.
+
+ * Users that only have read-only access to the sudoers file may
+ now run "visudo -c". Previously, write permissions were required
+ even though no writing is down in check-only mode.
+
+ * It is now possible to prevent the disabling of core dumps from
+ within sudo itself by adding a line to the sudo.conf file like
+ "Set disable_coredump false".
+
What's new in Sudo 1.8.3p2?
* Fixed a format string vulnerability when the sudo binary (or a
* Visudo now checks the contents of an alias and warns about cycles
when the alias is expanded.
- * If the user specifes a group via sudo's -g option that matches
+ * If the user specifies a group via sudo's -g option that matches
the target user's group in the password database, it is now
allowed even if no groups are present in the Runas_Spec.