Sudo 1.9.17p2

• Fixed a bug introduced in sudo 1.9.16 that could result in sudo sending SIGHUP to all processes on the system in certain rare cases. The bug could manifest if sudo is running a command in a pseudo-terminal, sudo terminates the command due to an internal error, and the user's terminal is revoked. GitHub issue #458.

• Fixed a bug introduced in sudo 1.9.12 that caused sudo to abort when the intercept and intercept_verify options are enabled in sudoers and either the command line arguments or the environment contains a string larger than the page size (usually 4096). This only Linux affects systems that support the ptrace_readv_string() function. GitHub issue #453.

• Fixed a bug in sudo's configure script introduced in sudo 1.9.17 that prevented mdoc-format man pages from being used on systems without the mandoc utility. Bug #1077.

Sudo 1.9.17p1

• Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the user to run commands on a different host. For more information, see Local Privilege Escalation via host option.

• Fixed CVE-2025-32463. An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The chroot support has been deprecated an will be removed entirely in a future release. For more information, see Local Privilege Escalation via chroot option.

Sudo 1.9.17

• Sudo now uses the NODEV macro consistently. Bug #1074.

• Fixed a bug where the ALL command in a sudoers rule would override a previous NOSETENV tag. Command tags are inherited from previous Cmnds in a Cmnd_Spec_List. There is a special case for the SETENV tag with the ALL command, where SETENV is implied if no explicit SETENV or NOSETENV tag is specified. This special case did not take into account that a NOSETENV tag that was inherited should override this behavior.

• If sudo is run via ssh without a terminal and a password is required, it now suggest using ssh's -t option.

• Fixed the display of timeout values in the sudo -V output on systems without a C99-compliant snprintf() function.

• Quieted a number of minor Coverity warnings.

• Fixed a problem running sudo from a serial console on Linux when the command is run in a pseudo-terminal (the default).

• Fixed a crash in sudo which could occur if there was a fatal error after the user was validated but before the command was actually run.

• Fixed a number of man page style warnings. The "lint" make target in the docs directory will now run groff with warnings enabled if it is available. Bug #1075.

• The ignore_dot sudoers setting is now on by default. There is now a --disable-ignore-dot configure option to disable it. The --with-ignore-dot configure option has been deprecated.

• Fixed a problem with the pwfeedback option where an initial backspace would reduce the maximum length allowed for the password. GitHub issue #439.

• Fixed minor grammar and spelling problems in the man pages.

• Fixed a bug where a user could avoid entering a password for sudo -l command if they specified their own user or group name via the -u or -g options.

• Avoid potential password guessing based on timing attacks on the strcmp() function on systems without PAM or a crypt() function where plaintext passwords are stored in the shadow password file.

• Fixed a potential information leak where sudo -l command could be used to determine whether an executable exists in a directory that they do not have search access to.

• Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. A long time ago sudo changed from using TCSAFLUSH to TCSADRAIN due to some systems having bugs related to TCSAFLUSH. That should no longer be a concern. Using TCSAFLUSH ensures that password input that has been received by the kernel, but not yet read by sudo, will be discarded and not echoed.

• Added the SUDO_TTY environment variable if the user has a terminal. This can be used to find the user's original tty device when sudo runs the command in its own pseudo-terminal. GitHub issue #447.

• New Cantonese translation for sudo.

Sudo 1.9.16p2

• Sudo now passes the terminal device number to the policy plugin even if it cannot resolve it to a path name. This allows sudo to run without warnings in a chroot jail when the terminal device files are not present. GitHub issue #421.

• On Linux systems, sudo will now attempt to use the symbolic links in /proc/self/fd/{0,1,2} when resolving the terminal device number. This can allow sudo to map a terminal device to its path name even when /dev/pts is not mounted in a chroot jail.

• Fixed compilation errors with gcc and clang in C23 mode. C23 no longer supports functions with unspecified arguments. GitHub issue #420.

Sudo 1.9.16p1

• Fixed the test for cross-compiling when checking for C99 snprintf(). The changes made to the test in sudo 1.9.16 resulted in a different problem. GitHub issue #386.

• Fixed the date used by the exit record in sudo-format log files. This was a regression introduced in sudo 1.9.16 and only affected file-based logs, not syslog. GitHub issue #405.

• Fixed the root cause of the "unable to find terminal name for device" message when running sudo on AIX when no terminal is present. In sudo 1.9.16 this was turned from a debug message into a warning. GitHub issue #408.

• When a duplicate alias is found in the sudoers file, the warning message now includes the file and line number of the previous definition.

• Added support for the --with-secure-path-value=no configure option to allow packagers to ship the default sudoers file with the secure path line commented out.

• Sudo no longer sends mail when a user runs sudo -nv or sudo -nl, even if mail_badpass or mail_always are set. Sudo already avoids logging to a file or syslog in this case. Bug #1072.

Sudo 1.9.16

• Added the cmddenial_message sudoers option to provide additional information to the user when a command is denied by the sudoers policy. The default message is still displayed.

• The time stamp used for file-based logs is now more consistent with the time stamp produced by syslog. GitHub issue #327.

• Sudo will now warn the user if it can detect the user's terminal but cannot determine the path to the terminal device. The sudoers time stamp file will now use the terminal device number directly. GitHub issue #329.

• The embedded copy of zlib has been updated to version 1.3.1.

• Improved error handling if generating the list of signals and signal names fails at build time.

• Fixed a compilation issue on Linux systems without process_vm_readv().

• Fixed cross-compilation with WolfSSL.

• Added a json_compact value for the sudoers log_format option which can be used when logging to a file. The existing json value has been aliased to json_pretty. In a future release, json will be an alias for json_compact. GitHub issue #357.

• A new pam_silent sudoers option has been added which may be negated to avoid suppressing output from PAM authentication modules. GitHub issue #216.

• Fixed several cvtsudoers JSON output problems. GitHub issues #369, #370, #371, #373, #381.

• When sudo runs a command in a pseudo-terminal and the user's terminal is revoked, the pseudo-terminal's foreground process group will now receive SIGHUP before the terminal is revoked. This emulates the behavior of the session leader exiting and is consistent with what happens when, for example, an ssh session is closed. GitHub issue #367.

• Fixed make test with Python 3.12. GitHub issue #374.

• In schema.ActiveDirectory, fixed the quoting in the example command. GitHub issue #376.

• Paths specified via a Chdir_Spec or Chroot_Spec in sudoers may now be double-quoted.

• Sudo insults are now included by default, but disabled unless the --with-insults configure option is specified or the insults sudoers option is enabled.

• The default sudoers file now enables the secure_path option by default and preserves the EDITOR, VISUAL, and SUDO_EDITOR environment variables when running visudo. The new --with-secure-path-value configure option can be used to set the value of secure_path in the default sudoers file. GitHub issue #387.

• A sudoers schema for IBM Directory Server (aka IBM Tivoli Directory Server, IBM Security Directory Server, and IBM Security Verify Directory) is now included.

• When cross-compiling sudo, the configure script now assumes that the snprintf() function is C99-compliant if the C compiler supports the C99 standard. Previously, configure would use sudo's own snprintf() when cross-compiling. GitHub issue #386.

Sudo 1.9.15p5

• Fixed evaluation of the lecture, listpw, verifypw, and fdexec sudoers Defaults settings when used without an explicit value. Previously, if specified without a value they were evaluated as boolean false, even when the negation operator ('!') was not present.

• Fixed a bug introduced in sudo 1.9.14 that prevented LDAP netgroup queries using the NETGROUP_BASE setting from being performed.

• Sudo will now transparently rename a user's lecture file from the older name-based path to the newer user-ID-based path. GitHub issue #342.

• Fixed a bug introduced in sudo 1.9.15 that could cause a memory allocation failure if sysconf(_SC_LOGIN_NAME_MAX) fails. Bug #1066.

Sudo 1.9.15p4

• Fixed a bug introduced in sudo 1.9.15 that could prevent a user's privileges from being listed by sudo -l if the sudoers entry in /etc/nsswitch.conf contains [SUCCESS=return]. This did not affect the ability to run commands via sudo. Bug #1063.

Sudo 1.9.15p3

• Always disable core dumps when sudo sends itself a fatal signal. Fixes a problem where sudo could potentially dump core dump when it re-sends the fatal signal to itself. This is only an issue if the command received a signal that would normally result in a core dump but the command did not actually dump core.

• Fixed a bug matching a command with a relative path name when the sudoers rule uses shell globbing rules for the path name. Bug #1062.

• Permit visudo to be run even if the local host name is not set. GitHub issue #332.

• Fixed an editing error introduced in sudo 1.9.15 that could prevent sudoreplay from replaying sessions correctly. GitHub issue #334.

• Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null" could hang on Linux systems. GitHub issue #335.

• Fixed a bug introduced in sudo 1.9.15 where Solaris privileges specified in sudoers were not applied to the command being run.

Sudo 1.9.15p2

• Fixed a bug on BSD systems where sudo would not restore the terminal settings on exit if the terminal had parity enabled. GitHub issue #326.