- Package: release-notes
- Source: release-notes
- Submitter: Marc Haber
- Date: 2026-01-25 15:49:01 UTC
- Severity: normal
- Tags:
Hi,

I would like to ask the release notes team whether we should, while a technical solution is pending, add language regarding #1126085 to the trixie release notes (and maybe also to the bookworm release notes) that the sudo in those stable releases won't read /etc/sudoers.d files that contain colons in their file name, like /etc/sudoers.d/10_dsa::util::sudo[dfsg-team-role] but instead wrongly report "no such file or directory".

Adam correctly points out that this behavior of sudo might either cause system breakage or introduce security flaws because files that used to be processed in the past are not processed any more. I concur with his judgement that #1126085 is an RC bug.

I am willing to provide a paragraph for the release notes if you indicate that this would be a good workaround while we wait for upstream to comment whether there might be a better technical solution for the issue.

Greetings
Marc
https://git.sudo.ws/sudo/commit/?id=ff0b6bebceec5c7d01fd296300125d51325c6ff4 so maybe no need for the release-notes to add and then delete it? I wasn't sure that bookworm was actually affected based on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126085 ?

However, this seems to be something to do with : being interpreted as a list (sometimes?), which might make the release-notes on its own -- this seems missing from sudoers(5) in trixie (I wonder if this is going to cause other surprising changes, where the user asks for "A:B" but sudo silently uses A and B. This all seems like needless complexity to me. And how can the user put a file with : in a list?)
Yes, right. The patch applies cleanly to what we have in Trixie, so I can go with a stable point release update. Unupdated trixie will still be affected, so it might make sense to have the release note anyway. At the moment I cannot comment on this.

Greetings
Marc
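
An added example, not part of the thread and not code from the sudo or Debian projects: a drop-in audit an administrator could run on an unupdated system to find /etc/sudoers.d files that sudo will not load. The function names and the sample files (apart from the file name quoted in the report) are constructed for illustration; the colon check reflects the behaviour reported in #1126085, and the '.' and '~' checks reflect the include-directory rule documented in sudoers(5).

```shell
#!/bin/sh
# audit_sudoers_d [DIR]
# Prints "<reason><TAB><name>" for every drop-in that sudo would not load.
# Exit status: 0 if every file would be read, 1 if at least one is flagged.
audit_sudoers_d() {
    dir=${1:-/etc/sudoers.d}
    found=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue          # also covers an unmatched glob
        name=${path##*/}
        case $name in
            # sudoers(5): names ending in '~' or containing '.' are skipped.
            *~|*.*) reason="skipped-by-design" ;;
            # #1126085: on affected sudo builds a ':' in the name makes the
            # file fail to load ("no such file or directory").
            *:*)    reason="colon-in-name" ;;
            *)      continue ;;
        esac
        printf '%s\t%s\n' "$reason" "$name"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample directory so the audit can be tried without root.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/10_dsa::util::sudo[dfsg-team-role]"   # file name from the report
    touch "$d/20_backup.conf" "$d/30_old~"          # constructed: skipped by design
    touch "$d/40_admins"                            # constructed: loaded normally
    printf '%s\n' "$d"
}

# Demo run against the constructed sample.
sample=$(make_sample_dir)
audit_sudoers_d "$sample" || echo "the drop-ins listed above are ignored by sudo" >&2
rm -rf "$sample"
```

Run as root with no argument to audit the real /etc/sudoers.d; a flagged file can be renamed to a name without ':', '.' or a trailing '~' and then validated with `visudo -c`.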