Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Message-ID: <542570B0.30601@redhat.com>
Date: Fri, 26 Sep 2014 07:57:04 -0600
From: Eric Blake
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5
On 09/26/2014 07:36 AM, Mohammad Yaqoob wrote:
> When are you releasing 4.1.12-6
>

Today. It may be numbered 4.1.13-6, depending on what upstream does in the meantime (Chet has already prepared patch 13 [fixing a parser state leak], but not yet published it), but even without waiting for upstream, I'm already in the middle of building bash with the same patches in use by Fedora (which includes Chet's patch 13, but also an additional patch that Chet is still debating about [avoiding namespace collisions with function exports]), so as to plug CVE-2014-7169.

I'm not sure yet if the build will include CVE-2014-7186 and CVE-2014-7187 fixes [both of them a parser buffer overflow], or if there will be a -7 next week. And given the high publicity of the initial CVE-2014-6271, I suspect there may be further fixes coming; needless to say I'm closely following the upstream developments.

But I also stand by the Red Hat analysis - the worst exploits are those due to CVE-2014-6271, which is already fixed in 4.1.12-5; the remaining three CVEs are worth fixing, but do not have the same severity, so it is okay to wait a bit longer and get it right than it is to prematurely push something only to have to repeat the exercise a day later.
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org