X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:message-id:date:from:reply-to :mime-version:to:subject:content-type; q=dns; s=default; b=RvS0Y T8hEPGQ5iEqkjnquSgsEFkmPNf4LjWuqN7TFxub8UcZ7AmPVkpjxF/xTWkkEAGvI EpRSoCtq7o5EV/OTQRKqZF2QNj8HlUf8q3VIvK97gGi8URTBWZfYadCf1QRweTHc Tx0oxUD3gybR6AIcJfK/tn2imj05DOQo1vwImk= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:message-id:date:from:reply-to :mime-version:to:subject:content-type; s=default; bh=3nePq92D8xU 9xAoY39KjlrUkcE8=; b=ts/D5UUdI2gjR4j0hMwNfi4AOeJPk7jigpWNjxamSEp qxJcifn2k2P4O+BjlzJxU1NLv+awPJ6v5ienXA94x2vFG2DxTdkfG14A7aHG6l2L FD8cc5gwzRhaYwO0qCB3hZfdp0f+UwUk06zg0rQ13cFcjoOaUNCvAVuLxGpC8/j4 = Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-HELO: localhost.localdomain Reply-To: cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-0.7 required=5.0 tests=AWL,BAYES_20,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 Message-Id: Date: Wed, 03 Jun 2015 06:51:40 -0600 From: "Eric Blake (cygwin)" Reply-To: The Cygwin Mailing List User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: cygwin AT cygwin DOT com Subject: [ANNOUNCEMENT] Updated: bash-4.3.39-2 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="v9PI8adu7nbHi6niv0j0IITaqKj5g018n" X-IsSubscribed: yes --v9PI8adu7nbHi6niv0j0IITaqKj5g018n Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable A new release of bash, 4.3.39-2, has been uploaded and will soon reach a mirror near you; leaving 4.3.33-1 as the previous version. NEWS: =3D=3D=3D=3D=3D This is my second build of bash 4.3 for cygwin, incorporating several new upstream official patches and working around a change in make 4.1 VPATH behavior. I am aware of an issue reported with using bash on text mode mounts, but have not yet had time to investigate if the fault lies in bash or in cygwin1.dll; this build was done solely as a refresh to a newer patchlevel while I still investigate. This build of bash is immune to the ShellShock vulnerabilities (although unpatched bash 4.3 is vulnerable, the official upstream patches solve the issue). By now, you should no longer be running a vulnerable bash, but to double check you can run the following test to make sure you are not subject to arbitrary remote code execution due to ShellShock: $ env 'bad=3D() { echo vulnerable; }' bash -c bad If it prints "bash: bad: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade now. There are a few things you should be aware of before using this version: 1. When using binary mounts, cygwin programs try to emulate Linux. Bash on Linux does not understand \r\n line endings, but interprets the \r literally, which leads to syntax errors or odd variable assignments. Therefore, you will get the same behavior on Cygwin binary mounts by default. 2. d2u is your friend. You can use it to convert any problematic script into binary line endings. 3. Cygwin text mounts automatically work with either line ending style, because the \r is stripped before bash reads the file. If you absolutely must use files with \r\n line endings, consider mounting the directory where those files live as a text mount. However, text mounts are not as well tested or supported on the cygwin mailing list, so you may encounter other problems with other cygwin tools in those directories. 4. This version of bash has a cygwin-specific set option, named "igncr", to force bash to ignore \r, independently of cygwin's mount style. As of bash-3.2.3-5, it controls regular scripts, command substitution, and sourced files. I hope to convince the upstream bash maintainer to accept this patch into a future bash release even on Linux, rather than keeping it a cygwin-specific patch, but only time will tell. There are several ways to activate this option: 4a. For a single affected script, add this line just after the she-bang: (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed 4b. For a single script, invoke bash explicitly with the option, as in 'bash -o igncr ./myscript' rather than the simpler './myscript'. 4c. To affect all scripts, export the environment variable BASH_ENV, pointing to a file that sets the shell option as desired. Bash will source this file on startup for every script. 4d. Added in the bash-3.2-2 release: export the environment variable SHELLOPTS with igncr included in it. It is read-only from within bash, but you can set it before invoking bash; once in bash, it auto-tracks the current state of 'set -o igncr'. If exported, then all bash child processes inherit the same option settings; with the exception added in 3.2.9-11 that certain interactive options are not inherited in non-interactive use. 4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make sense to support the option through both set and shopt, and SHELLOPTS proved to be more powerful. 5. You can also experiment with the IFS variable for controlling how bash will treat \r during variable expansion. 6. There are varying levels of speed at which bash operates. The fastest is on a binary mount with igncr disabled (the default behavior). Next would be text mounts with igncr disabled and no \r in the underlying file. Next would be binary mounts with igncr enabled. And the slowest that bash will operate is on text mounts with igncr enabled. 7. As additional cygwin extensions, this version of bash includes: 7a. EXECIGNORE - a colon-separated list of glob patterns to ignore when completing on executables. EXECIGNORE=3D*.dll is common. 7b. completion_strip_exe - using 'shopt -s completion_strip_exe' makes completion strip .exe suffixes 8. This version of bash is immune to ShellShock (CVE-2014-6271 and friends) because it exports functions via 'BASH_FUNC_foo%%=3D' rather than 'foo=3D' environment variables. However, doing this has exposed weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub their environment to exclude what is not a valid name for them. 9. If you don't like how bash behaves, then propose a patch, rather than proposing idle ideas. This turn of events has already been talked to death on the mailing lists by people with many ideas, but few patches. Thanks to Dan Colascione for providing the EXECIGNORE and completion_strip_exe patches. Remember, you must not have any bash or /bin/sh instances running when you upgrade the bash package. This release requires cygwin-2.0.2-1 or later. See also the upstream documentation in /usr/share/doc/bash/. DESCRIPTION: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash, similar to some Linux distributions (although /bin/sh may swap to dash at some future time). UPDATE: =3D=3D=3D=3D=3D=3D=3D To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Save it and run setup, answer the questions and pick up 'bash' in the 'Base' category (it should already be selected). DOWNLOAD: =3D=3D=3D=3D=3D=3D=3D=3D=3D Note that downloads from cygwin.com aren't allowed due to bandwidth limitations. This means that you will need to find a mirror which has this update, please choose the one nearest to you: http://cygwin.com/mirrors.html QUESTIONS: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. --=20 Eric Blake volunteer cygwin bash package maintainer For more details on this list (including unsubscription), see: http://sourceware.org/lists.html --v9PI8adu7nbHi6niv0j0IITaqKj5g018n Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJVbvhcAAoJEKeha0olJ0NqD+UH/3vbr55/O7Cz0mocWFMxAVfb sWUEJuSxdvEUzcJ1xvlAvhXqSrdA69rmUvqsjxt5w/j8sGT4nrLDT6ubaYc/DABz g/vgXJT5rGykfQpF04KdHzFQSbyVPiAqw+ClO3cMYUWFHI2LGCRBGGGhcuHWnVwj E1+NW2do/WWaeN4gb5g6YaGgRXqw2QwIk/YbmpsDgsdhN/qe1L92eNM9yPqKCnXy Ex60aD/6e2E8UVCSYi6001W02uCLjr4hWpsFeki4pyIZh5TjHVslTZiMyr+1vkOz rLkfiYTupectQ03VV6l2Y6epvMJRM5ruyrbtJaDSTLnK7mDEh6k9E/xqvxDQzN8= =G5+2 -----END PGP SIGNATURE----- --v9PI8adu7nbHi6niv0j0IITaqKj5g018n--