Mention eof-of-line terminator and plugin argument changes.

NEWS

@@ -14,10 +14,16 @@ What's new in Sudo 1.9.3
  * Fixed the libssl dependency in Debian packages on older releases
    that use libssl1.0.0.
 
- * Sudo (and visudo) now provide more detailed messages when there
+ * Sudo (and visudo) now provide more detailed messages when a
-   is a syntax error in sudoers.  The offending line and token
+   syntax error is detected in sudoers.  The offending line and
-   is now displayed.  If bison is used to generate the parser,
+   token are now displayed.  If the parser was generated by GNU
-   information about what token was expected is also displayed.
+   bison, additional information about what token was expected is
+   also displayed.
+
+ * Sudoers rules must now end in either a newline or the end-of-file.
+   Previously, it was possible to have multiple rules on a single
+   line, separated by white space.  The use of an end-of-line
+   terminator makes it possible to display accurate error messages.
 
  * Sudo no longer refuses to run if a syntax error in the sudoers
    file is encountered.  The entry with the syntax error will be
@@ -28,6 +34,14 @@ What's new in Sudo 1.9.3
  * Fixed the sample_approval plugin's symbol exports file for systems
    where the compiler doesn't support symbol hiding.
 
+ * Fixed a regression introduced in sudo 1.9.1 where arguments to
+   the "sudoers_policy" plugin in sudo.conf were not being applied.
+   The sudoers file is now parsed by the "sudoers_audit" plugin,
+   which is loaded implicitly when "sudoers_policy" is listed in
+   sudo.conf.  Starting with sudo 1.9.3, if there are plugin arguments
+   for "sudoers_policy" but "sudoers_audit" is not listed, those
+   arguments will be applied to "sudoers_audit" instead.
+
 What's new in Sudo 1.9.2
 
  * Fixed package builds on RedHat Enterprise Linux 8.

doc/UPGRADE

@@ -1,6 +1,33 @@
 Notes on upgrading from an older release
 ========================================
 
+o Upgrading from a version prior to 1.9.3:
+
+    Starting with version 1.9.3, sudoers rules must end in either
+    a newline or the end-of-file.  This makes it possible to provide
+    better error messages.  Previously, it was possible to include
+    multiple rules on a single line, separated by white space.
+
+    Starting with version 1.9.3, sudo will attempt to recover from
+    a syntax error in the sudoers file by discarding the portion
+    of the line that contains the error until the end of the line.
+    To restore the historic behavior of refusing to run when a
+    syntax error is encountered, add "error_recovery=false" as a
+    plugin option in sudo.conf for the "sudoers_audit" plugin, (or
+    "sudoers_policy" if there is no "sudoers_audit" plugin configured).
+
+o Upgrading from a version prior to 1.9.1:
+
+    Starting with version 1.9.1, sudoers plugin arguments in sudo.conf
+    should be specified for the "sudoers_audit" plugin, not
+    "sudoers_policy".  This is because the sudoers file is now
+    opened and parsed by the "sudoers_audit" plugin.  Previously,
+    this was done by the "sudoers_policy" plugin.  The use of an
+    audit plugin makes it possible for the sudoers module to detect
+    when a command has been rejected by an approval plugin and only
+    log commands that are allowed by both policy and approval
+    plugins.
+
 o Upgrading from a version prior to 1.8.30:
 
     Starting with version 1.8.30, sudo will no longer allow commands