Mail Archives: cygwin/2016/08/06/01:27:19

From: "Eric Blake (cygwin)" <eblake AT redhat DOT com>
Subject: [ANNOUNCEMENT] Updated: bash-4.3.43-5
To: cygwin AT cygwin DOT com
Message-Id: <announce.57A55FE0.4000500@redhat.com>
Date: Fri, 5 Aug 2016 21:56:16 -0600

A new release of bash, 4.3.43-5, has been uploaded and will soon reach a
mirror near you.  It leaves 4.3.42-4 as the previous version.

NEWS:
=====
This is a minor build that incorporates an upstream bug fix, as well as
disables some old cruft in upstream code that tries to use O_TEXT in the
'read' builtin, but instead ends up eating the character after a
carriage return that is not followed by a newline, even when full binary
operation is desired [1].  With this build, the read builtin now honors
the Cygwin-specific 'igncr' shell option, just like has previously been
done in command substitution and script reading, meaning that you get
binary behavior by default, but enabling 'set -o igncr' makes it
impossible for 'read' to see a carriage return.

[1] https://lists.gnu.org/archive/html/bug-bash/2016-03/msg00045.html

This build of bash is immune to the ShellShock vulnerabilities (although
unpatched bash 4.3 is vulnerable, the official upstream patches solve
the issue).  By now, you should no longer be running a vulnerable bash,
but to double check you can run the following test to make sure you are
not subject to arbitrary remote code execution due to ShellShock:
$ env 'bad=() { echo vulnerable; }' bash -c bad

If it prints "bash: bad: command not found", your version of bash is
safe and not subject to remote exploits.  If it prints "vulnerable", you
need to upgrade now.

There are a few things you should be aware of before using this version:
1. When using binary mounts, cygwin programs try to emulate Linux.  Bash
on Linux does not understand \r\n line endings, but interprets the \r
literally, which leads to syntax errors or odd variable assignments.
Therefore, you will get the same behavior on Cygwin binary mounts by
default.
2. d2u is your friend.  You can use it to convert any problematic script
into binary line endings.
3. Cygwin text mounts automatically work with either line ending style,
because the \r is stripped before bash reads the file.  If you
absolutely must use files with \r\n line endings, consider mounting the
directory where those files live as a text mount.  However, text mounts
are not as well tested or supported on the cygwin mailing list, so you
may encounter other problems with other cygwin tools in those directories.
4. This version of bash has a cygwin-specific set option, named "igncr",
to force bash to ignore \r, independently of cygwin's mount style.  As
of bash-3.2.3-5, it controls regular scripts, command substitution, and
sourced files; bash-4.3.43-5 adds the read builtin to the list.  I hope
to convince the upstream bash maintainer to accept this patch into a
future bash release even on Linux, rather than keeping it a
cygwin-specific patch, but only time will tell.  There are several ways
to activate this option:
4a. For a single affected script, add this line just after the she-bang:
 (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed
4b. For a single script, invoke bash explicitly with the option, as in
'bash -o igncr ./myscript' rather than the simpler './myscript'.
4c. To affect all scripts, export the environment variable BASH_ENV,
pointing to a file that sets the shell option as desired.  Bash will
source this file on startup for every script.
4d. Added in the bash-3.2-2 release: export the environment variable
SHELLOPTS with igncr included in it.  It is read-only from within bash,
but you can set it before invoking bash; once in bash, it auto-tracks
the current state of 'set -o igncr'.  If exported, then all bash child
processes inherit the same option settings; with the exception added in
3.2.9-11 that certain interactive options are not inherited in
non-interactive use.
4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make
sense to support the option through both set and shopt, and SHELLOPTS
proved to be more powerful.
5. You can also experiment with the IFS variable for controlling how
bash will treat \r during variable expansion.
6. There are varying levels of speed at which bash operates.  The
fastest is on a binary mount with igncr disabled (the default behavior).
 Next would be text mounts with igncr disabled and no \r in the
underlying file. Next would be binary mounts with igncr enabled.  And
the slowest that bash will operate is on text mounts with igncr enabled.
7. As additional cygwin extensions, this version of bash includes:
7a. EXECIGNORE - a colon-separated list of glob patterns to ignore
when completing on executables.  EXECIGNORE=*.dll is common.
7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
makes completion strip .exe suffixes
8. This version of bash is immune to ShellShock (CVE-2014-6271 and
friends) because it exports functions via 'BASH_FUNC_foo%%=' rather than
'foo=' environment variables.  However, doing this has exposed
weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub
their environment to exclude what is not a valid name for them.
9. If you don't like how bash behaves, then propose a patch, rather than
proposing idle ideas.  This turn of events has already been talked to
death on the mailing lists by people with many ideas, but few patches.
Thanks to Dan Colascione for providing the EXECIGNORE and
completion_strip_exe patches.

Remember, you must not have any bash or /bin/sh instances running when
you upgrade the bash package.  This release requires cygwin-2.5.2-1 or
later.  See also the upstream documentation in /usr/share/doc/bash/.

DESCRIPTION:
============
Bash is an sh-compatible shell that incorporates useful features from
the Korn shell (ksh) and C shell (csh).  It is intended to conform to
the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers
functional improvements over sh for both programming and interactive
use. In addition, most sh scripts can be run by Bash without modification.

As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash,
similar to some Linux distributions (although /bin/sh may swap to dash
at some future time).

UPDATE:
=======
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system. Save it and run setup, answer the questions and pick up 'bash'
in the 'Base' category (it should already be selected).

DOWNLOAD:
=========
Note that downloads from cygwin.com aren't allowed due to bandwidth
limitations.  This means that you will need to find a mirror which has
this update, please choose the one nearest to you:
http://cygwin.com/mirrors.html

QUESTIONS:
==========
If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

-- 
Eric Blake
volunteer cygwin bash package maintainer
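
The ShellShock test and the export naming from item 8 of the announcement, wrapped as reusable checks; this is an added example, not part of the original message or of the Cygwin bash package. The function names and the function name "probe" are hypothetical, and `bash` and `awk` are assumed to be on PATH.

```shell
# Added example: POSIX sh functions that run bash as a child process.

# Run the announcement's test against one shell binary and classify it.
shellshock_status() {
    shell=${1:-bash}
    # LC_ALL=C keeps the "command not found" message untranslated;
    # "|| :" ignores the exit status 127 that a safe bash returns.
    out=$(env LC_ALL=C 'bad=() { echo vulnerable; }' "$shell" -c bad 2>&1) || :
    case $out in
        vulnerable)            echo vulnerable ;;
        *"command not found"*) echo safe ;;
        *)                     echo "unknown: $out" ;;
    esac
}

# Environment name under which bash exports a function called "probe".
# A patched bash uses BASH_FUNC_probe%% (item 8), not a plain "probe".
exported_function_name() {
    "${1:-bash}" -c 'probe() { :; }; export -f probe; env' |
        sed -n 's/^\([^=]*probe[^=]*\)=() {.*/\1/p'
}

# Item 8's caveat seen from a child process: list the environment names
# the child inherits that are not valid identifiers. A program that
# re-exports or parses its environment has to handle these names.
# awk's ENVIRON is used because function bodies span several lines of
# `env` output and would confuse a line-based parser.
child_nonidentifier_names() {
    "${1:-bash}" -c 'probe() { :; }; export -f probe; exec awk "$0"' \
        'BEGIN { for (k in ENVIRON)
                     if (k !~ /^[A-Za-z_][A-Za-z0-9_]*$/) print k }'
}

# Report for the default bash when executed as a script.
echo "bash: $(shellshock_status), exports as $(exported_function_name)"
```

Pass a path such as `/bin/sh` as the first argument to check a shell other than the first `bash` on PATH.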

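
Items 1, 2 and 5 of the announcement on constructed CRLF input, as an added example that is not part of the original message: what bash does with \r when nothing strips it, and two remedies that do not depend on the Cygwin-only igncr option. The function names are hypothetical, `tr -d '\r'` stands in for d2u, and the behaviour shown is that of bash without igncr (Linux, or a Cygwin binary mount).

```shell
# Added example: POSIX sh functions that run bash as a child process.

# Constructed two-line script with CRLF endings. The trailing comment on
# line 2 absorbs its \r, the same trick as "# comment is needed" in 4a.
crlf_script() {
    printf 'v=abc\r\nprintf %%s "${#v}" # keep\r\n'
}

# Length of $v as bash sees it: "raw" feeds the script unchanged, so the
# assignment keeps the \r; "stripped" removes every \r first.
crlf_script_length() {
    case $1 in
        raw)      crlf_script | bash ;;
        stripped) crlf_script | tr -d '\r' | bash ;;
    esac
}

# Length of one line read from CRLF input: "default" keeps the \r in the
# variable, "cr" puts \r into IFS for that read only (item 5).
read_length() {
    printf 'abc\r\n' | bash -c '
        if [ "$1" = cr ]; then IFS=$(printf "\r") read -r line
        else read -r line; fi
        printf %s "${#line}"' _ "$1"
}

# Summary when executed as a script.
echo "script: raw=$(crlf_script_length raw) stripped=$(crlf_script_length stripped)"
echo "read:   default=$(read_length default) cr-in-IFS=$(read_length cr)"
```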