Subject: CVS commit: pkgsrc/security/sudo
From: Takahiro Kambe
Date: 2021-01-18 15:32:24
Message id: 20210118143224.4DA41FA9D@cvs.NetBSD.org
Log Message:
security/sudo: update to 1.9.5p1
Update sudo package to 1.9.5p1. Changes from 1.8.31p2 are too many to
write here. Please refer to <https://www.sudo.ws/stable.html>.
1.9.5 fixes these security problems:
* Fixed CVE-2021-23239, a potential information leak in sudoedit that
could be used to test for the existence of directories not normally
accessible to the user in certain circumstances. When creating a new
file, sudoedit checks to make sure the parent directory of the new file
exists before running the editor. However, a race condition exists if
the invoking user can replace (or create) the parent directory. If a
symbolic link is created in place of the parent directory, sudoedit will
run the editor as long as the target of the link exists. If the target
of the link does not exist, an error message will be displayed. The
race condition can be used to test for the existence of an arbitrary
directory. However, it cannot be used to write to an arbitrary
location.
* Fixed CVE-2021-23240, a flaw in the temporary file handling of
sudoedit's SELinux RBAC support. On systems where SELinux is enabled, a
user with sudoedit permissions may be able to set the owner of an
arbitrary file to the user-ID of the target user. On Linux kernels that
support protected symlinks setting /proc/sys/fs/protected_symlinks to 1
will prevent the bug from being exploited. For more information, see
Symbolic link attack in SELinux-enabled sudoedit.
Quote from 1.9.0 features:
* The maximum length of a conversation reply has been increased from 255
to 1023 characters. This allows for longer user passwords. Bug #860.
* Sudo now includes a logging daemon, sudo_logsrvd, which can be used to
implement centralized logging of I/O logs. TLS connections are
supported when sudo is configured with the --enable-openssl option. For
more information, see the sudo_logsrvd, sudo_logsrvd.conf and
sudo_logsrv.proto manuals as well as the log_servers setting in the
sudoers manual.
* The --disable-log-server and --disable-log-client configure options can
be used to disable building the I/O log server and/or remote I/O log
support in the sudoers plugin.
* The new sudo_sendlog utility can be used to test sudo_logsrvd or send
existing sudo I/O logs to a centralized server.
* It is now possible to write sudo plugins in Python 4 when sudo is
configured with the --enable-python option. See the sudo_plugin_python
manual for details.
Sudo 1.9.0 comes with several Python example plugins that get installed in
sudo's examples directory.
The sudo blog article What's new in sudo 1.9: Python includes a simple
tutorial on writing python plugins.
* Sudo now supports an audit plugin type. An audit plugin receives
accept, reject, exit and error messages and can be used to implement
custom logging that is independent of the underlying security policy.
Multiple audit plugins may be specified in the sudo.conf file. A sample
audit plugin is included that writes logs in JSON format.
* Sudo now supports an approval plugin type. An approval plugin is run
only after the main security policy (such as sudoers) accepts a command
to be run. The approval policy may perform additional checks,
potentially interacting with the user. Multiple approval plugins may be
specified in the sudo.conf file. Only if all approval plugins succeed
will the command be allowed.
* Sudo's -S command line option now causes the sudo conversation function
to write to the standard output or standard error instead of the
terminal device.
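A defender's illustration of the check-then-use race described above for CVE-2021-23239 and of the protected_symlinks mitigation named for CVE-2021-23240, added here as an example and not code from sudo or from this commit: the parent directory is opened once with O_NOFOLLOW|O_DIRECTORY and the new file is created relative to that descriptor, so a symbolic link substituted for the parent is refused rather than followed. The temporary layout and file names are constructed for the demonstration.

```python
import os
import tempfile

# Linux sysctl named in the log message as a mitigation for CVE-2021-23240.
PROTECTED_SYMLINKS = "/proc/sys/fs/protected_symlinks"

def protected_symlinks_enabled():
    """Return the sysctl value (0 or 1), or None when it cannot be read."""
    try:
        with open(PROTECTED_SYMLINKS) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def create_new_file_safely(path, mode=0o600):
    """Create `path` only if its parent is a real directory, not a symlink.

    Racy pattern: os.path.isdir(parent), then open(path); the parent can be
    swapped for a symlink in between.  Here the parent is opened once with
    O_NOFOLLOW|O_DIRECTORY (a symlink in its place fails with ELOOP) and the
    file is created relative to that fd (openat), so a later swap is harmless.
    Returns True on success, False when the parent is missing or a symlink."""
    parent, name = os.path.split(os.path.abspath(path))
    try:
        dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:  # ENOENT (missing), ELOOP (symlink), ENOTDIR (plain file)
        return False
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode, dir_fd=dfd)
        os.close(fd)
        return True
    except OSError:  # e.g. EEXIST: never clobber an existing file
        return False
    finally:
        os.close(dfd)

def demo():
    """Constructed layout: a real parent, a symlink posing as the parent, and
    a missing parent.  Returns {case: file created?}."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "real"))
        os.symlink(os.path.join(base, "real"), os.path.join(base, "link"))
        mk = lambda d: create_new_file_safely(os.path.join(base, d, "new.txt"))
        return {"real": mk("real"), "link": mk("link"), "missing": mk("missing")}

if __name__ == "__main__":
    print(demo(), "fs.protected_symlinks =", protected_symlinks_enabled())
```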