Message-ID: <542570B0.30601@redhat.com>
Date: Fri, 26 Sep 2014 07:57:04 -0600
From: Eric Blake <eblake AT redhat DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5
References: <announce DOT 54230EFF DOT 3020202 AT byu DOT net> <loom DOT 20140926T153410-469 AT post DOT gmane DOT org>
In-Reply-To: <loom.20140926T153410-469@post.gmane.org>

On 09/26/2014 07:36 AM, Mohammad Yaqoob wrote:
> When are you releasing 4.1.12-6
>

Today. It may be numbered 4.1.13-6, depending on what upstream does in the meantime (Chet has already prepared patch 13 [fixing a parser state leak], but not yet published it), but even without waiting for upstream, I'm already in the middle of building bash with the same patches in use by Fedora (which includes Chet's patch 13, but also an additional patch that Chet is still debating about [avoiding namespace collisions with function exports]), so as to plug CVE-2014-7169.

I'm not sure yet if the build will include CVE-2014-7186 and CVE-2014-7187 fixes [both of them a parser buffer overflow], or if there will be a -7 next week. And given the high publicity of the initial CVE-2014-6271, I suspect there may be further fixes coming; needless to say I'm closely following the upstream developments.

But I also stand by the Red Hat analysis - the worst exploits are those due to CVE-2014-6271, which is already fixed in 4.1.12-5; the remaining three CVEs are worth fixing, but do not have the same severity, so it is okay to wait a bit longer and get it right than it is to prematurely push something only to have to repeat the exercise a day later.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org