From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 9958 invoked by alias); 9 Feb 2015 15:30:42 -0000 Mailing-List: contact cygwin-announce-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-announce-owner@cygwin.com Reply-To: The Cygwin Mailing List Mail-Followup-To: cygwin-announce@cygwin.com Received: (qmail 29735 invoked by uid 89); 9 Feb 2015 14:02:05 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 X-HELO: resqmta-po-05v.sys.comcast.net Message-ID: <54D8BDD8.70305@redhat.com> Date: Mon, 09 Feb 2015 15:30:00 -0000 From: "Eric Blake (cygwin)" Reply-To: The Cygwin Mailing List User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: cygwin-announce@cygwin.com Subject: Updated [experimental]: bash-4.3.33-1 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="N578dOLjOW4ArB6UA0rsvtnNLuEESJUME" X-SW-Source: 2015-02/txt/msg00023.txt.bz2 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --N578dOLjOW4ArB6UA0rsvtnNLuEESJUME Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-length: 6904 A new release of bash, 4.3.33-1, has been uploaded as an experimental version, and will soon reach a mirror near you; the current version remains at 4.1.17-9. NEWS: =3D=3D=3D=3D=3D This is a long-awaited update to a new upstream version. Several patches that I had been carrying against 4.1 were accepted upstream and not required in 4.3, but part of my delay in packaging was tracking which downstream patches were still needed, and working around the fact that the upstream code base introduced regressions that caused it to no longer build out-of-the-box. As such, I will leave this version in experimental status for a week or so, and would appreciate any testing to make sure this build does not break your setups. This build of bash is immune to the ShellShock vulnerabilities (although unpatched bash 4.3 is vulnerable, the official upstream patches solve the issue). By now, you should no longer be running a vulnerable bash, but to double check you can run the following test to make sure you are not subject to arbitrary remote code execution due to ShellShock: $ env 'bad=3D() { echo vulnerable; }' bash -c bad If it prints "bash: bad: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade now. There are a few things you should be aware of before using this version: 1. When using binary mounts, cygwin programs try to emulate Linux. Bash on Linux does not understand \r\n line endings, but interprets the \r literally, which leads to syntax errors or odd variable assignments. Therefore, you will get the same behavior on Cygwin binary mounts by default. 2. d2u is your friend. You can use it to convert any problematic script into binary line endings. 3. Cygwin text mounts automatically work with either line ending style, because the \r is stripped before bash reads the file. If you absolutely must use files with \r\n line endings, consider mounting the directory where those files live as a text mount. However, text mounts are not as well tested or supported on the cygwin mailing list, so you may encounter other problems with other cygwin tools in those directories. 4. This version of bash has a cygwin-specific set option, named "igncr", to force bash to ignore \r, independently of cygwin's mount style. As of bash-3.2.3-5, it controls regular scripts, command substitution, and sourced files. I hope to convince the upstream bash maintainer to accept this patch into a future bash release even on Linux, rather than keeping it a cygwin-specific patch, but only time will tell. There are several ways to activate this option: 4a. For a single affected script, add this line just after the she-bang: (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed 4b. For a single script, invoke bash explicitly with the option, as in 'bash -o igncr ./myscript' rather than the simpler './myscript'. 4c. To affect all scripts, export the environment variable BASH_ENV, pointing to a file that sets the shell option as desired. Bash will source this file on startup for every script. 4d. Added in the bash-3.2-2 release: export the environment variable SHELLOPTS with igncr included in it. It is read-only from within bash, but you can set it before invoking bash; once in bash, it auto-tracks the current state of 'set -o igncr'. If exported, then all bash child processes inherit the same option settings; with the exception added in 3.2.9-11 that certain interactive options are not inherited in non-interactive use. 4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make sense to support the option through both set and shopt, and SHELLOPTS proved to be more powerful. 5. You can also experiment with the IFS variable for controlling how bash will treat \r during variable expansion. 6. There are varying levels of speed at which bash operates. The fastest is on a binary mount with igncr disabled (the default behavior). Next would be text mounts with igncr disabled and no \r in the underlying file. Next would be binary mounts with igncr enabled. And the slowest that bash will operate is on text mounts with igncr enabled. 7. As additional cygwin extensions, this version of bash includes: 7a. EXECIGNORE - a colon-separated list of glob patterns to ignore when completing on executables. EXECIGNORE=3D*.dll is common. 7b. completion_strip_exe - using 'shopt -s completion_strip_exe' makes completion strip .exe suffixes 8. This version of bash is immune to ShellShock (CVE-2014-6271 and friends) because it exports functions via 'BASH_FUNC_foo%%=3D' rather than 'foo=3D' environment variables. However, doing this has exposed weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub their environment to exclude what is not a valid name for them. 9. If you don't like how bash behaves, then propose a patch, rather than proposing idle ideas. This turn of events has already been talked to death on the mailing lists by people with many ideas, but few patches. Thanks to Dan Colascione for providing the EXECIGNORE and completion_strip_exe patches. Remember, you must not have any bash or /bin/sh instances running when you upgrade the bash package. This release requires cygwin-1.7.34-6 or later; and it requires the experimental libreadline7-6.3.8-1 or later. If no one complains of regressions after a week, I will promote both packages to current. See also the upstream documentation in /usr/share/doc/bash/. DESCRIPTION: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash, similar to some Linux distributions (although /bin/sh may swap to dash at some future time). UPDATE: =3D=3D=3D=3D=3D=3D=3D To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Save it and run setup, answer the questions and pick up 'bash' in the 'Base' category (it should already be selected). DOWNLOAD: =3D=3D=3D=3D=3D=3D=3D=3D=3D Note that downloads from cygwin.com aren't allowed due to bandwidth limitations. This means that you will need to find a mirror which has this update, please choose the one nearest to you: http://cygwin.com/mirrors.html QUESTIONS: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. --=20 Eric Blake volunteer cygwin bash package maintainer For more details on this list (including unsubscription), see: http://sourceware.org/lists.html --N578dOLjOW4ArB6UA0rsvtnNLuEESJUME Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" Content-length: 604 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJU2L3YAAoJEKeha0olJ0NqGQ0H/3TNXs9uX/fZ3DM4kPfKXzhD B7Czlu1LoySwO9kpp9Z853tQi6OWrUfr1V4O7/1RTFUslY8C1YJh01/UnpYgMINZ iLw3qjTtydal1m8w2/b2uuyljg7Q/M1J2JQBIwW3A2mz3JIbi6ZxYdKB76k89RIm ctHdNFY/LCCL7Bdt+QPd8xqQMVxbSSeUWA7Mkqi6TIn0W+CCLVTmAjpS8kF6RYnh woV+U1Y0OgKVobfZjdXhGHyiAoMbiulb6Z9ygwE5vToZLJ7xXAyO4XMzZYGswBc+ /jQ2/Bi2dmcrXn+5Gs8kf36DY2zILCClJTxJlTc3u1FhUREiLiqiyhammF/tiMk= =+btT -----END PGP SIGNATURE----- --N578dOLjOW4ArB6UA0rsvtnNLuEESJUME--