DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:message-id:date:from:reply-to
	:mime-version:to:subject:content-type; q=dns; s=default; b=DDtLK
	/YzoUITgc6qO7MYfbZUGovDjWrxjQ4g0NNiyGZ4L79vtOze6wSY2WL1UTFwGOJLv
	0m215EYiAK/BhT1CSRLqKl6GXJQjeJ38dGNwh5foOQYs+CWZ9OUd8F+f0RKqixRQ
	qyYgTOmM0utIwx4Us8Nlg3bIWlAjzzh7+LW0fE=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Reply-To: cygwin AT cygwin DOT com
Message-Id: <announce.542E1B8C.7070807@byu.net>
Date: Thu, 02 Oct 2014 21:44:12 -0600
From: "Eric Blake (cygwin)" <ebb9 AT byu DOT net>
Reply-To: The Cygwin Mailing List <cygwin AT cygwin DOT com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: [ANNOUNCEMENT] Updated: bash-4.1.16-8
OpenPGP: url=http://people.redhat.com/eblake/eblake.gpg
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="m8wHAqdRVaUdgbUgxg4bdvdQoCAE11P1W"

--m8wHAqdRVaUdgbUgxg4bdvdQoCAE11P1W
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

A new release of bash, 4.1.16-8, has been uploaded and will soon reach a
mirror near you; leaving the previous version at 4.1.14-7.

NEWS:
=3D=3D=3D=3D=3D
This is a minor rebuild which picks up two upstream patches to fix some
parser bugs (CVE-2014-7186, CVE-2014-7187, CVE-2014-6277). These bugs
were found as a result of studying the extent of ShellShock attacks, but
all cygwin builds since 4.1.13-6 have already protected bash to avoid
the interpretation of arbitrary environment variables causing a bad
parse turning into an exploit.  There may still be further parser fixes
down the pipeline, but I'm pushing this build now rather than waiting
for more upstream patches, since some of the sites related to detecting
ShellShock have offered poor advice that incorrectly claims that local
vulnerability to a parser bug is evidence of a remaining weakness to
remote exploits.

To avoid confusion, the following test unambiguously tests if you are
vulnerable to ShellShock:
$ env 'x=3D() { echo vulnerable; }' bash -c x

If it prints "x: command not found", your version of bash is safe and
not subject to remote exploits.  If it prints "vulnerable", you need to
upgrade now.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environme=
nt-variables-code-injection-attack/
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about=
-the-shellshock-bash-flaws/
https://access.redhat.com/articles/1200223
https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html

I also hope to have a build of bash 4.3 available soon, but wanted to
get the CVE fixed as soon as possible due to its severity.

There are a few things you should be aware of before using this version:
1. When using binary mounts, cygwin programs try to emulate Linux.  Bash
on Linux does not understand \r\n line endings, but interprets the \r
literally, which leads to syntax errors or odd variable assignments.
Therefore, you will get the same behavior on Cygwin binary mounts by
default.
2. d2u is your friend.  You can use it to convert any problematic script
into binary line endings.
3. Cygwin text mounts automatically work with either line ending style,
because the \r is stripped before bash reads the file.  If you
absolutely must use files with \r\n line endings, consider mounting the
directory where those files live as a text mount.  However, text mounts
are not as well tested or supported on the cygwin mailing list, so you
may encounter other problems with other cygwin tools in those directories.
4. This version of bash has a cygwin-specific set option, named "igncr",
to force bash to ignore \r, independently of cygwin's mount style.  As
of bash-3.2.3-5, it controls regular scripts, command substitution, and
sourced files.  I hope to convince the upstream bash maintainer to
accept this patch into a future bash release even on Linux, rather than
keeping it a cygwin-specific patch, but only time will tell.  There are
several ways to activate this option:
4a. For a single affected script, add this line just after the she-bang:
 (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed
4b. For a single script, invoke bash explicitly with the option, as in
'bash -o igncr ./myscript' rather than the simpler './myscript'.
4c. To affect all scripts, export the environment variable BASH_ENV,
pointing to a file that sets the shell option as desired.  Bash will
source this file on startup for every script.
4d. Added in the bash-3.2-2 release: export the environment variable
SHELLOPTS with igncr included in it.  It is read-only from within bash,
but you can set it before invoking bash; once in bash, it auto-tracks
the current state of 'set -o igncr'.  If exported, then all bash child
processes inherit the same option settings; with the exception added in
3.2.9-11 that certain interactive options are not inherited in
non-interactive use.
4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make
sense to support the option through both set and shopt, and SHELLOPTS
proved to be more powerful.
5. You can also experiment with the IFS variable for controlling how
bash will treat \r during variable expansion.
6. There are varying levels of speed at which bash operates.  The
fastest is on a binary mount with igncr disabled (the default behavior).
 Next would be text mounts with igncr disabled and no \r in the
underlying file. Next would be binary mounts with igncr enabled.  And
the slowest that bash will operate is on text mounts with igncr enabled.
7. As additional cygwin extensions, this version of bash includes:
7a. EXECIGNORE - a colon-separated list of glob patterns to ignore
when completing on executables.  EXECIGNORE=3D*.dll is common.
7b. completion_strip_exe - using 'shopt -s completion_strip_exe'
makes completion strip .exe suffixes
8. This version of bash is immune to ShellShock (CVE-2014-6271 and
friends) because it exports functions via 'BASH_FUNC_foo%%=3D' rather than
'foo=3D' environment variables.  However, doing this has exposed
weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub
their environment to exclude what is not a valid name for them.
9. If you don't like how bash behaves, then propose a patch, rather than
proposing idle ideas.  This turn of events has already been talked to
death on the mailing lists by people with many ideas, but few patches.
Thanks to Dan Colascione for providing the EXECIGNORE and
completion_strip_exe patches.

Remember, you must not have any bash or /bin/sh instances running when
you upgrade the bash package.  This release requires cygwin-1.7.32-1 or
later; and it requires libreadline7-6.1.2-2 or later.  See also the
upstream documentation in /usr/share/doc/bash/.

DESCRIPTION:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Bash is an sh-compatible shell that incorporates useful features from
the Korn shell (ksh) and C shell (csh).  It is intended to conform to
the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard.  It offers
functional improvements over sh for both programming and interactive
use. In addition, most sh scripts can be run by Bash without modification.

As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash,
similar to some Linux distributions (although /bin/sh may swap to dash
at some future time).

UPDATE:
=3D=3D=3D=3D=3D=3D=3D
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system. Save it and run setup, answer the questions and pick up 'bash'
in the 'Base' category (it should already be selected).

DOWNLOAD:
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Note that downloads from cygwin.com aren't allowed due to bandwidth
limitations.  This means that you will need to find a mirror which has
this update, please choose the one nearest to you:
http://cygwin.com/mirrors.html

QUESTIONS:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

--=20
Eric Blake
volunteer cygwin bash package maintainer

CYGWIN-ANNOUNCE UNSUBSCRIBE INFO:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D
To unsubscribe to the cygwin-announce mailing list, look at the
"List-Unsubscribe: " tag in the email header of this message.  Send
email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-YOU=3DYOURDOMAIN DOT COM AT cygwin DOT com

If you need more information on unsubscribing, start reading here:

http://sourceware.org/lists.html#unsubscribe-simple

Please read *all* of the information on unsubscribing that is available
starting at this URL.


--m8wHAqdRVaUdgbUgxg4bdvdQoCAE11P1W
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg

iQEcBAEBCAAGBQJULhuMAAoJEKeha0olJ0Nqcp0IAK8YQJNzZwTHJRw2o5JuJqQr
uOUUBqCMscI1LvY6c6J4k3lxweaKD8j5EHHQsuyI5xbrlLuxpcc8bYqwA5u8xn/p
R0zCHS7jsfpa9Yj3EB/d3bG46hA1fZabDzV3RiUqiBtlMM0eHuxFvQBXJ47nqckR
/uZ1kdMsIDEzzYO9h1cFwdKBRgb1CtpAG0pQHxGRvph52RPAJO97HJ78z61CYeEB
k0WmGdpny4e3Rb/X+JU1hsQOnhQpPiLQAWqZmJsHjAsQWs3/7XxHkunRA2NRaIFR
WuivOes4D4VsdUjIakTNp43QEwJ3i9+W2pZGNT7fX1vo2ply/6rHKQFz/e13yxA=
=ADQi
-----END PGP SIGNATURE-----

--m8wHAqdRVaUdgbUgxg4bdvdQoCAE11P1W--