This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: [ANNOUNCEMENT] Updated: bash-4.1.12-5

On 09/26/2014 07:36 AM, Mohammad Yaqoob wrote:
> When are you releasing 4.1.12-6

Today.  It may be numbered 4.1.13-6, depending on what upstream does in
the meantime (Chet has already prepared patch 13 [fixing a parser state
leak], but not yet published it), but even without waiting for upstream,
I'm already in the middle of building bash with the same patches in use
by Fedora (which includes Chet's patch 13, but also an additional patch
that Chet is still debating about [avoiding namespace collisions with
function exports]), so as to plug CVE-2014-7169.  I'm not sure yet if
the build will include CVE-2014-7186 and CVE-2014-7187 fixes [both of
them a parser buffer overflow], or if there will be a -7 next week.  And
given the high publicity of the initial CVE-2014-6271, I suspect there
may be further fixes coming; needless to say I'm closely following the
upstream developments.

But I also stand by the Red Hat analysis - the worst exploits are those
due to CVE-2014-6271, which is already fixed in 4.1.12-5; the remaining
three CVEs are worth fixing, but do not have the same severity, so it is
okay to wait a bit longer and get it right than it is to prematurely
push something only to have to repeat the exercise a day later.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library
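The "namespace collisions with function exports" fix discussed above changes how bash places exported functions into the environment. The following check, added here and not part of the thread or of any bash or Cygwin package, reports which scheme the locally installed bash uses; it assumes `bash` is on PATH, and `probe_fn` is a constructed name used only for the probe.

```shell
# Added example (not from the mailing-list thread). Probes how the installed
# bash passes exported shell functions to child processes. Builds that carry
# the function-export namespace patch store them under a BASH_FUNC_ prefix;
# unpatched 4.x builds use the bare function name as the environment
# variable name, which is the collision the mail refers to.
function_export_style() {
    # 'export -f' is a bashism, so run the probe inside bash itself and
    # inspect the environment it hands to the child 'env' from outside.
    bash -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
    awk '
        /^BASH_FUNC_probe_fn/ { print "prefixed"; found = 1; exit }
        /^probe_fn=/          { print "bare";     found = 1; exit }
        END { if (!found) print "unknown" }  # bash missing or unexpected output
    '
}

# Prints one of: prefixed, bare, unknown
function_export_style
```

A result of `bare` means exported functions share the plain variable namespace, so that build predates the namespace fix and should be updated.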

