Date: Fri, 26 Sep 2014 22:56:13 +0200
From: Peter Rosin
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5
Message-ID: <5425D2ED.9060902@lysator.liu.se>

On 2014-09-24 20:35, Eric Blake (cygwin) wrote:
> A new release of bash, 4.1.12-5, has been uploaded and will soon reach a
> mirror near you; leaving the previous version of 4.1.10-4 on 32-bit, and
> 4.1.11-2 on 64-bit.
>
> NEWS:
> =====
> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-6271. Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade.
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> I also hope to have a build of bash 4.3 available soon, but wanted to
> get the CVE fixed as soon as possible due to its severity. And I just
> noticed while preparing this announcement that $BASH_VERSION reports
> itself as 4.1.11 instead of 4.1.12, so I may do a quick 4.1.12-6 just to
> make sure things are clean for people going by version number tests
> instead of feature probes.

Hi Eric!

I haven't checked out 4.1.12-5 yet, so I don't know if I need to remind
you of the wordexp situation in 4.1.10-4? I wanted to get this mail sent
as quickly as possible...

https://cygwin.com/ml/cygwin/2012-08/msg00434.html

Cheers,
Peter