On 2014-09-24 20:35, Eric Blake (cygwin) wrote:
> A new release of bash, 4.1.12-5, has been uploaded and will soon reach a
> mirror near you; leaving the previous version of 4.1.10-4 on 32-bit, and
> 4.1.11-2 on 64-bit.
>
> NEWS:
> =====
> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-6271. Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade.
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> I also hope to have a build of bash 4.3 available soon, but wanted to
> get the CVE fixed as soon as possible due to its severity. And I just
> noticed while preparing this announcement that $BASH_VERSION reports
> itself as 4.1.11 instead of 4.1.12, so I may do a quick 4.1.12-6 just to
> make sure things are clean for people going by version number tests
> instead of feature probes.

Hi Eric!

I haven't checked out 4.1.12-5 yet, so I don't know if I need to remind you of the wordexp situation in 4.1.10-4? I wanted to get this mail sent as quickly as possible...

https://cygwin.com/ml/cygwin/2012-08/msg00434.html

Cheers,
Peter