This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5
- From: Peter Rosin <peda at lysator dot liu dot se>
- To: cygwin at cygwin dot com
- Date: Fri, 26 Sep 2014 22:56:13 +0200
- Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5
- Authentication-results: sourceware.org; auth=none
- References: <announce dot 54230EFF dot 3020202 at byu dot net>
On 2014-09-24 20:35, Eric Blake (cygwin) wrote:
> A new release of bash, 4.1.12-5, has been uploaded and will soon reach a
> mirror near you; leaving the previous version of 4.1.10-4 on 32-bit, and
> 4.1.11-2 on 64-bit.
>
> NEWS:
> =====
> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-6271. Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade.
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> I also hope to have a build of bash 4.3 available soon, but wanted to
> get the CVE fixed as soon as possible due to its severity. And I just
> noticed while preparing this announcement that $BASH_VERSION reports
> itself as 4.1.11 instead of 4.1.12, so I may do a quick 4.1.12-6 just to
> make sure things are clean for people going by version number tests
> instead of feature probes.

Hi Eric!

I haven't checked out 4.1.12-5 yet, so I don't know if I need to remind
you of the wordexp situation in 4.1.10-4? I wanted to get this mail sent
as quickly as possible...

https://cygwin.com/ml/cygwin/2012-08/msg00434.html

Cheers,
Peter