Date: Tue, 19 Jun 2007 21:52:01 -0600
From: Eric Blake
Reply-To: cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
Subject: [ANNOUNCEMENT] Updated: findutils-4.3.8-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A new release of findutils, 4.3.8-1, is available for use, replacing
4.3.5-1. 4.2.27-1 remains the previous version.

NEWS:
=====
This is a new upstream release, fixing several issues as documented
below, including a security fix. The release is marked beta upstream,
but the 4.3 series has, in general, been enough of an improvement over
the stable 4.2 series that I have focused on 4.3 releases as the primary
cygwin release. Although the news file mentions the partial addition of
birthtime support, it requires rebuilding from source against a cygwin
snapshot to take advantage of this feature, since birthtime will not be
supported officially until cygwin 1.7.0. See also
/usr/share/doc/findutils-4.3.8/.

DESCRIPTION:
============
The findutils package contains programs which will help you locate files
on your system. The find utility searches through a hierarchy of
directories looking for files which match a certain set of criteria
(such as a filename pattern).
The xargs utility builds and executes command lines from standard input
arguments (usually lists of file names generated by the find command).
The locate utility scans a database of filenames and displays matches.
The updatedb utility builds the database for locate.

UPDATE:
=======
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page. This downloads setup.exe to your
system. Save it and run setup, answer the questions and pick up
'findutils' from the 'Base' category (it should already be selected).

DOWNLOAD:
=========
Note that downloads from sources.redhat.com (aka cygwin.com) aren't
allowed due to bandwidth limitations. This means that you will need to
find a mirror which has this update, please choose the one nearest to
you: http://cygwin.com/mirrors.html

QUESTIONS:
==========
If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

- --
Eric Blake
volunteer cygwin findutils maintainer

CYGWIN-ANNOUNCE UNSUBSCRIBE INFO:
=================================
To unsubscribe to the cygwin-announce mailing list, look at the
"List-Unsubscribe: " tag in the email header of this message. Send email
to the address specified there. It will be in the format:

cygwin-announce-unsubscribe-YOU=YOURDOMAIN DOT COM AT cygwin DOT com

If you need more information on unsubscribing, start reading here:

http://sources.redhat.com/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGeKRh84KuGfSFAYARAlZkAKC1VEpO/guvRoeLv7HDiYplW1WRGQCdGu7w
3hCiBxNSC+rA66LcIuY7Grk=
=8xOI
-----END PGP SIGNATURE-----

Content-Disposition: inline; filename="NEWS.short"

* Major changes in release 4.3.8

** Bug Fixes

#20157: Avoid segfault in locate when run as root. This is caused by a
buffer overrun, but at this time no exploit mechanism is known.

* Major changes in release 4.3.7

** Functional changes

Locate can now read old-format locate databases generated on machines
with a different byte order. It does this by guessing the byte order, so
the result is not completely reliable. If you need to share databases
between machines of different architectures, you should use the LOCATE02
format (which has other advantages, as explained in the documentation).

** Security Fixes

#20014: Findutils-4.3.7 includes a patch for a potential security
problem in locate. When locate read an old-format database, it read file
names into a fixed-length buffer allocated on the heap without checking
for overflow. Although overflowing a heap buffer is often somewhat safer
than overflowing a buffer on the stack, this bug still has potential
security implications.

This bug also affected the following previous findutils releases:

 - All releases prior to 4.2.31
 - Findutils 4.3.0 to 4.3.6.

This bug has been assigned CVE number CVE-2007-2452.

** Bug Fixes

#20128: Fix compilation error of find/tree.c on AIX with GCC.

#20005: Tests -mtime -n and -mtime +n incorrectly treated like -mtime n.

#19983: include_next causes compilation failure in findutils 4.3.6 on
non-GCC compilers

#19981: Don't call setgroups if the function isn't available. This
fixes Savannah bug# 19981.

#19980: Don't use the functions putw() or getw() since these are not in
current POSIX. Use the gnulib version of wcwidth() where the system does
not provide it.

#19979: Compilation errors on BeOS

#19970: Cannot cast from pointer to bool using gnulib's

#19967: Use of __attribute((__noreturn__)) makes compilation fail with
some non-GCC compilers

#19966: find should link against -lm for modf() and fabs()

#19965: Compilation failure on OSF/1 4.0; non-declaration of uintmax_t

#19948: Assertion failure O_NOFOLLOW != 0 on IRIX 6.5

#19871: Typos in find.1

#19596: Fixed this bug again, this time in the Texinfo manual (the
discussion should compare %b with %s/512, not %s/1024).

#19416: _FORTIFY_SOURCE warn_unused_result warnings

* Major changes in release 4.3.6

** Bug Fixes

#19948: Fixed an assertion failure on IRIX 6.5 (O_NOFOLLOW is defined to
0 there).

#19923: Fixed an array overrun in groups[] array of 'locate' when run by
or as root. This bug appears not to be exploitable. If locate is not
installed setuid, the bug is not exploitable. For setuid installations,
it is conceivable that there could be an information leak if the user
uses the -d option or the -e option, though the maintainer has been
unable to provoke this on an x86 system.

#19871: Spurious .R directives in manpage produced error messages from
GNU troff. This is now fixed (they are corrected to .B).

#19416: The result of I/O operations in print-related actions is now
checked, and failures are reported. Any failure will cause find's exit
status to be nonzero. The predicate itself will continue to return true.

** Compilation Fixes

A variety of changes were made to allow compilation to succeed on
non-GNU systems.

#19983: Now compiles on DEC C V5.9-005 on Digital UNIX V4.0 (or at
least, should).

#19970: Compile correctly on C89 systems where the "_Bool" type is not
provided, taking into account the limitations of the gnulib replacement
for stdbool.h.

#19967: Build successfully with C compilers that don't support the GCC
construct __attribute__((__noreturn__)).

#19966: Findutils should now build on systems which have the modf() and
fabs() functions in the maths library, -lm. This includes some versions
of HP-UX and Solaris.

#19965: Fixed a compilation failure on OSF/1 4.0 (no definition of the
type uintmax_t).
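
The 4.3.7 security entry (#20014) describes file names being read into a fixed-length heap buffer with no overflow check. The C code below is an added example, not findutils source and not part of the original announcement: it reads NUL-terminated names into a buffer that grows on demand and reports truncated records. The record layout (bare NUL-terminated names rather than the real old-format database), INITIAL_CAP, read_name and longest_name are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define INITIAL_CAP 16  /* assumed size; the page does not give the real one */

/* Unchecked pattern the NEWS entry describes, simplified:
 *     while ((c = getc(fp)) != '\0') *p++ = c;    no bound, no EOF test
 * read_name() checks capacity before every write and grows the buffer. */

/* Read one NUL-terminated name. Returns its length, -1 on clean EOF,
 * -2 on a truncated record or allocation failure. */
long read_name(FILE *fp, char **buf, size_t *cap)
{
    size_t len = 0;
    for (;;) {
        int c = getc(fp);
        if (c == EOF)
            return len == 0 ? -1 : -2;
        if (len >= *cap) {              /* no room for this byte: grow first */
            size_t ncap = *cap ? *cap * 2 : INITIAL_CAP;
            char *nb = realloc(*buf, ncap);
            if (nb == NULL) return -2;
            *buf = nb; *cap = ncap;
        }
        (*buf)[len] = (char)c;
        if (c == '\0') return (long)len;
        len++;
    }
}

/* Scan a constructed in-memory database. Returns the longest name seen and
 * stores the final status (-1 clean end, -2 truncated) in *status. */
long longest_name(const char *data, size_t n, int *status)
{
    FILE *fp = tmpfile();
    char *buf = NULL;
    size_t cap = 0;
    long r, best = 0;
    if (fp == NULL) { *status = -2; return -1; }
    fwrite(data, 1, n, fp);
    rewind(fp);
    while ((r = read_name(fp, &buf, &cap)) >= 0)
        if (r > best) best = r;
    *status = (int)r;
    free(buf); fclose(fp);
    return best;
}

int main(void) {   /* constructed sample: second name exceeds INITIAL_CAP */
    static const char db[] = "usr/bin\0this/name/is/much/longer/than/sixteen/bytes";
    int st; long n = longest_name(db, sizeof db, &st);
    printf("longest=%ld status=%d\n", n, st); return 0; }
```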