DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type; q=dns; s=default; b=CdKqan
	SaAbDxTe9wR4R9H7GFCTuVTpf6cmViQGdzWU4tQ3BmyKISkhlQpSeBIUQIPeJrQY
	eus6FZINTsFCODunS3iJ5BAIDDOMBspSrVHT7wWWp6bdPBCk7oePxLGweuYcoI0S
	UiyXloiv1N6W0rzJYpsHvRFseVgjWYYEERl9Y=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Message-ID: <542570B0.30601@redhat.com>
Date: Fri, 26 Sep 2014 07:57:04 -0600
From: Eric Blake <eblake AT redhat DOT com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5
References: <announce DOT 54230EFF DOT 3020202 AT byu DOT net> <loom DOT 20140926T153410-469 AT post DOT gmane DOT org>
In-Reply-To: <loom.20140926T153410-469@post.gmane.org>
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="4U2EuwAOteSPJd0NqpSIlUGdgOvh0g6lA"

--4U2EuwAOteSPJd0NqpSIlUGdgOvh0g6lA
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 09/26/2014 07:36 AM, Mohammad Yaqoob wrote:
> When are you releasing 4.1.12-6
>=20

Today.  It may be numbered 4.1.13-6, depending on what upstream does in
the meantime (Chet has already prepared patch 13 [fixing a parser state
leak], but not yet published it), but even without waiting for upstream,
I'm already in the middle of building bash with the same patches in use
by Fedora (which includes Chet's patch 13, but also an additional patch
that Chet is still debating about [avoiding namespace collisions with
function exports]), so as to plug CVE-2014-7169.  I'm not sure yet if
the build will include CVE-2014-7186 and CVE-2014-7187 fixes [both of
them a parser buffer overflow], or if there will be a -7 next week.  And
given the high publicity of the initial CVE-2014-6271, I suspect there
may be further fixes coming; needless to say I'm closely following the
upstream developments.

But I also stand by the Red Hat analysis - the worst exploits are those
due to CVE-2014-6271, which is already fixed in 4.1.12-5; the remaining
three CVEs are worth fixing, but do not have the same severity, so it is
okay to wait a bit longer and get it right than it is to prematurely
push something only have to repeat the exercise a day later.

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--4U2EuwAOteSPJd0NqpSIlUGdgOvh0g6lA
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg

iQEcBAEBCAAGBQJUJXCwAAoJEKeha0olJ0NqHNQH/0fz53eWvVpum5H65ewUwVR5
37Jso9s0Jl8H4JYwFrPBNIE29ABP9dvFg7ds1VNy3CbbKfRlfrEqi1IPMmI9R8y6
DLglWkhI29h50MKqCmmtrV2J/OzK+T75H8KKUc+//JqC6sRA6/kv68v4ZR1dxdaS
0bSlP23qGMDUfDfOn5dM908XQGo/ah31WLzO/Ca92syq86XeIh+IdbFXFmPROMtz
RegHRT3KKFloNL2cDwbVbX6z/CApTKR2sH/mNkU7oYj3R0kYKFJMkc7o+fjmwlx0
exRZhUySStrjCnrFirwUQoOmA33G9qYrZV+7V5d34Uf/LzTfwgEUIRH1XQ54Zcw=
=w9WS
-----END PGP SIGNATURE-----

--4U2EuwAOteSPJd0NqpSIlUGdgOvh0g6lA--