X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:from:subject:reply-to:to:message-id :date:mime-version:content-type; q=dns; s=default; b=DQNTczwLB1f T25pSEL7keh6tTXbCAOu9/rZo6joPgeJIQRV4OA6Er7/nkFnOuIWhvN0srC32LKc 6X5Dz7QOe0tJ42KrrsGOYRR/9n4PPCAbdSRuD9HgN6NNQveUW6bPhdxXSXOxPmC8 Rro83+3+zFoGqc0YOooUc8hRECmPlJYY= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:from:subject:reply-to:to:message-id :date:mime-version:content-type; s=default; bh=+ZebDVG6IFqJB/Fdr yMhGUgV8e4=; b=wfOLY3qznER4cVnTjqw5TKLFo+MU6VzFc3t6ttsSqgbHelP4P HQHDfUKXry54OVt3RzMpNZwZi4Zsz0eHKfOWcYRrvwKR76m/hotoSi8CJJZd4LQU qTtuOdx2STzsSy9IijVigDx3sUN/jWtTAsXs+FU+k3vfcveZRH8cv1is0E= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-HELO: localhost.localdomain Reply-To: cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 spammy=death, offers, click, friend From: "Eric Blake (cygwin)" Subject: [ANNOUNCEMENT] Updated: bash-4.3.46-6 Reply-To: The Cygwin Mailing List To: cygwin AT cygwin DOT com Message-Id: Date: Sat, 6 Aug 2016 07:13:11 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="tEpU5RVKBuEeERougDfXuu2Pe4PPtbUHo" X-CMAE-Envelope: MS4wfC+FhyYuHbO9ZXIOwfrRMybWyXDAh5ENH/UCxK0Afs3eC9EQmtpO6VaAsnq1+P0BlHvNxApYlHc34W3uvdBAbH4u53ry25jR+CQV9pTkfkSBvGzkPWKu eYhBSLwfk4W+vGkteFicwqkGsFeuxQBAc5VTdw9kcnERjGFkTztHC6I4hCeXVU1qDuGY2IgUUHXT3g== X-IsSubscribed: yes --tEpU5RVKBuEeERougDfXuu2Pe4PPtbUHo Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable A new release of bash, 4.3.46-6, has been uploaded and will soon reach a mirror near you. It replaces 4.3.43-5, and leaves 4.3.42-4 as the previous version. NEWS: =3D=3D=3D=3D=3D This is a minor build that incorporates a couple more upstream bug fixes that I missed in the previous build. Since 4.3.43-5 was short-lived, I'll repeat the change made there: this build disables some old cruft in upstream code that tries to use O_TEXT in the 'read' builtin, but instead ends up eating the character after a carriage return that is not followed by a newline, even when full binary operation is desired [1]. With this build, the read builtin now honors the Cygwin-specific 'igncr' shell option, just like has previously been done in command substitution and script reading, meaning that you get binary behavior by default, but enabling 'set -o igncr' makes it impossible for 'read' to see a carriage return. [1] https://lists.gnu.org/archive/html/bug-bash/2016-03/msg00045.html This build of bash is immune to the ShellShock vulnerabilities (although unpatched bash 4.3 is vulnerable, the official upstream patches solve the issue). By now, you should no longer be running a vulnerable bash, but to double check you can run the following test to make sure you are not subject to arbitrary remote code execution due to ShellShock: $ env 'bad=3D() { echo vulnerable; }' bash -c bad If it prints "bash: bad: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade now. There are a few things you should be aware of before using this version: 1. When using binary mounts, cygwin programs try to emulate Linux. Bash on Linux does not understand \r\n line endings, but interprets the \r literally, which leads to syntax errors or odd variable assignments. Therefore, you will get the same behavior on Cygwin binary mounts by default. 2. d2u is your friend. You can use it to convert any problematic script into binary line endings. 3. Cygwin text mounts automatically work with either line ending style, because the \r is stripped before bash reads the file. If you absolutely must use files with \r\n line endings, consider mounting the directory where those files live as a text mount. However, text mounts are not as well tested or supported on the cygwin mailing list, so you may encounter other problems with other cygwin tools in those directories. 4. This version of bash has a cygwin-specific set option, named "igncr", to force bash to ignore \r, independently of cygwin's mount style. As of bash-3.2.3-5, it controls regular scripts, command substitution, and sourced files; bash-4.3.43-5 adds the read builtin to the list. I hope to convince the upstream bash maintainer to accept this patch into a future bash release even on Linux, rather than keeping it a cygwin-specific patch, but only time will tell. There are several ways to activate this option: 4a. For a single affected script, add this line just after the she-bang: (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed 4b. For a single script, invoke bash explicitly with the option, as in 'bash -o igncr ./myscript' rather than the simpler './myscript'. 4c. To affect all scripts, export the environment variable BASH_ENV, pointing to a file that sets the shell option as desired. Bash will source this file on startup for every script. 4d. Added in the bash-3.2-2 release: export the environment variable SHELLOPTS with igncr included in it. It is read-only from within bash, but you can set it before invoking bash; once in bash, it auto-tracks the current state of 'set -o igncr'. If exported, then all bash child processes inherit the same option settings; with the exception added in 3.2.9-11 that certain interactive options are not inherited in non-interactive use. 4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make sense to support the option through both set and shopt, and SHELLOPTS proved to be more powerful. 5. You can also experiment with the IFS variable for controlling how bash will treat \r during variable expansion. 6. There are varying levels of speed at which bash operates. The fastest is on a binary mount with igncr disabled (the default behavior). Next would be text mounts with igncr disabled and no \r in the underlying file. Next would be binary mounts with igncr enabled. And the slowest that bash will operate is on text mounts with igncr enabled. 7. As additional cygwin extensions, this version of bash includes: 7a. EXECIGNORE - a colon-separated list of glob patterns to ignore when completing on executables. EXECIGNORE=3D*.dll is common. 7b. completion_strip_exe - using 'shopt -s completion_strip_exe' makes completion strip .exe suffixes 8. This version of bash is immune to ShellShock (CVE-2014-6271 and friends) because it exports functions via 'BASH_FUNC_foo%%=3D' rather than 'foo=3D' environment variables. However, doing this has exposed weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub their environment to exclude what is not a valid name for them. 9. If you don't like how bash behaves, then propose a patch, rather than proposing idle ideas. This turn of events has already been talked to death on the mailing lists by people with many ideas, but few patches. Thanks to Dan Colascione for providing the EXECIGNORE and completion_strip_exe patches. Remember, you must not have any bash or /bin/sh instances running when you upgrade the bash package. This release requires cygwin-2.5.2-1 or later. See also the upstream documentation in /usr/share/doc/bash/. DESCRIPTION: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash, similar to some Linux distributions (although /bin/sh may swap to dash at some future time). UPDATE: =3D=3D=3D=3D=3D=3D=3D To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Save it and run setup, answer the questions and pick up 'bash' in the 'Base' category (it should already be selected). DOWNLOAD: =3D=3D=3D=3D=3D=3D=3D=3D=3D Note that downloads from cygwin.com aren't allowed due to bandwidth limitations. This means that you will need to find a mirror which has this update, please choose the one nearest to you: http://cygwin.com/mirrors.html QUESTIONS: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. --=20 Eric Blake volunteer cygwin bash package maintainer For more details on this list (including unsubscription), see: http://sourceware.org/lists.html --tEpU5RVKBuEeERougDfXuu2Pe4PPtbUHo Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJXpeJnAAoJEKeha0olJ0NqYrAIAJ3xeWCZJeAImhJxDFu7G/Q2 HcTDKXUcL7GM7GliGWi/G2yrN+QoCisfC/pGcVeryGRDRkoqIiByb1XEcE4DkCEI Y7E591mmY6swfbMzLTp3uyhWOS+VaqCeAhI53Uqk1mCF6qsvLR91EQgX8Ohj/mLL 9VBBSBb7CO6NfVxr61iwQAmasuq/GxTKPwx1Qd2atdtKiLbUM3/Bx5nPmntrXx+m aG4jVS4Dt3YLq+6k7e2+V/G+Tw2gWhJ8Mscs1Z4vRREPm3qa+Yb90Tsr08muFfRi 3xou+oiuYQA2Z4A/JF4rCBJtHBOPbxLv314kibWpOSyDjh1GxTh03L8VP6dXYgc= =iVgX -----END PGP SIGNATURE----- --tEpU5RVKBuEeERougDfXuu2Pe4PPtbUHo--