[ANNOUNCEMENT] Updated: bash-4.1.12-5

Eric Blake eblake@redhat.com
Fri Sep 26 15:15:00 GMT 2014


On 09/26/2014 07:36 AM, Mohammad Yaqoob wrote:
> When are you releasing 4.1.12-6
> 

Today.  It may be numbered 4.1.13-6, depending on what upstream does in
the meantime (Chet has already prepared patch 13 [fixing a parser state
leak], but not yet published it), but even without waiting for upstream,
I'm already in the middle of building bash with the same patches in use
by Fedora (which includes Chet's patch 13, but also an additional patch
that Chet is still debating about [avoiding namespace collisions with
function exports]), so as to plug CVE-2014-7169.  I'm not sure yet if
the build will include CVE-2014-7186 and CVE-2014-7187 fixes [both of
them a parser buffer overflow], or if there will be a -7 next week.  And
given the high publicity of the initial CVE-2014-6271, I suspect there
may be further fixes coming; needless to say I'm closely following the
upstream developments.

But I also stand by the Red Hat analysis - the worst exploits are those
due to CVE-2014-6271, which is already fixed in 4.1.12-5; the remaining
three CVEs are worth fixing, but do not have the same severity, so it is
better to wait a bit longer and get it right than it is to prematurely
push something only to have to repeat the exercise a day later.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
