[ANNOUNCEMENT] Updated: bash-4.1.12-5

Peter Rosin peda@lysator.liu.se
Sat Sep 27 03:48:00 GMT 2014

On 2014-09-24 20:35, Eric Blake (cygwin) wrote:
> A new release of bash, 4.1.12-5, has been uploaded and will soon reach a
> mirror near you; leaving the previous version of 4.1.10-4 on 32-bit, and
> 4.1.11-2 on 64-bit.
> =====
> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-6271.  Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade.
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> I also hope to have a build of bash 4.3 available soon, but wanted to
> get the CVE fixed as soon as possible due to its severity.  And I just
> noticed while preparing this announcement that $BASH_VERSION reports
> itself as 4.1.11 instead of 4.1.12, so I may do a quick 4.1.12-6 just to
> make sure things are clean for people going by version number tests
> instead of feature probes.

Hi Eric!

I haven't checked out 4.1.12-5 yet, so I don't know if I need to remind
you of the wordexp situation in 4.1.10-4? I wanted to get this mail sent
as quickly as possible...



Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list