From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 7831 invoked by alias); 25 Aug 2015 21:17:25 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 7760 invoked by uid 89); 25 Aug 2015 21:17:25 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-HELO: localhost.localdomain Received: from localhost (HELO localhost.localdomain) (127.0.0.1) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 25 Aug 2015 21:17:25 +0000 Reply-To: cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 From: "Eric Blake (cygwin)" Subject: [ANNOUNCEMENT] Updated: bash-4.3.42-3 Reply-To: The Cygwin Mailing List To: cygwin@cygwin.com Message-Id: Date: Tue, 25 Aug 2015 21:17:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="fDDKvHbKX2pNwqnBvk1s3dBo4nQFv1Kg6" X-IsSubscribed: yes X-SW-Source: 2015-08/txt/msg00441.txt.bz2 --fDDKvHbKX2pNwqnBvk1s3dBo4nQFv1Kg6 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-length: 6492 A new release of bash, 4.3.42-3, has been uploaded and will soon reach a mirror near you; leaving 4.3.39-2 as the previous version. NEWS: =3D=3D=3D=3D=3D This is a minor build that folds in several new upstream patches. I am aware of an issue reported with using bash on text mode mounts, but have not yet had time to investigate if the fault lies in bash or in cygwin1.dll; this build was done solely as a refresh to a newer patchlevel while I still investigate. This build of bash is immune to the ShellShock vulnerabilities (although unpatched bash 4.3 is vulnerable, the official upstream patches solve the issue). By now, you should no longer be running a vulnerable bash, but to double check you can run the following test to make sure you are not subject to arbitrary remote code execution due to ShellShock: $ env 'bad=3D() { echo vulnerable; }' bash -c bad If it prints "bash: bad: command not found", your version of bash is safe and not subject to remote exploits. If it prints "vulnerable", you need to upgrade now. There are a few things you should be aware of before using this version: 1. When using binary mounts, cygwin programs try to emulate Linux. Bash on Linux does not understand \r\n line endings, but interprets the \r literally, which leads to syntax errors or odd variable assignments. Therefore, you will get the same behavior on Cygwin binary mounts by default. 2. d2u is your friend. You can use it to convert any problematic script into binary line endings. 3. Cygwin text mounts automatically work with either line ending style, because the \r is stripped before bash reads the file. If you absolutely must use files with \r\n line endings, consider mounting the directory where those files live as a text mount. However, text mounts are not as well tested or supported on the cygwin mailing list, so you may encounter other problems with other cygwin tools in those directories. 4. This version of bash has a cygwin-specific set option, named "igncr", to force bash to ignore \r, independently of cygwin's mount style. As of bash-3.2.3-5, it controls regular scripts, command substitution, and sourced files. I hope to convince the upstream bash maintainer to accept this patch into a future bash release even on Linux, rather than keeping it a cygwin-specific patch, but only time will tell. There are several ways to activate this option: 4a. For a single affected script, add this line just after the she-bang: (set -o igncr) 2>/dev/null && set -o igncr; # comment is needed 4b. For a single script, invoke bash explicitly with the option, as in 'bash -o igncr ./myscript' rather than the simpler './myscript'. 4c. To affect all scripts, export the environment variable BASH_ENV, pointing to a file that sets the shell option as desired. Bash will source this file on startup for every script. 4d. Added in the bash-3.2-2 release: export the environment variable SHELLOPTS with igncr included in it. It is read-only from within bash, but you can set it before invoking bash; once in bash, it auto-tracks the current state of 'set -o igncr'. If exported, then all bash child processes inherit the same option settings; with the exception added in 3.2.9-11 that certain interactive options are not inherited in non-interactive use. 4e. bash-4.1.9-1 dropped support for 'shopt -s igncr'; it did not make sense to support the option through both set and shopt, and SHELLOPTS proved to be more powerful. 5. You can also experiment with the IFS variable for controlling how bash will treat \r during variable expansion. 6. There are varying levels of speed at which bash operates. The fastest is on a binary mount with igncr disabled (the default behavior). Next would be text mounts with igncr disabled and no \r in the underlying file. Next would be binary mounts with igncr enabled. And the slowest that bash will operate is on text mounts with igncr enabled. 7. As additional cygwin extensions, this version of bash includes: 7a. EXECIGNORE - a colon-separated list of glob patterns to ignore when completing on executables. EXECIGNORE=3D*.dll is common. 7b. completion_strip_exe - using 'shopt -s completion_strip_exe' makes completion strip .exe suffixes 8. This version of bash is immune to ShellShock (CVE-2014-6271 and friends) because it exports functions via 'BASH_FUNC_foo%%=3D' rather than 'foo=3D' environment variables. However, doing this has exposed weaknesses in some other utilities like 'ksh' or 'at' that fail to scrub their environment to exclude what is not a valid name for them. 9. If you don't like how bash behaves, then propose a patch, rather than proposing idle ideas. This turn of events has already been talked to death on the mailing lists by people with many ideas, but few patches. Thanks to Dan Colascione for providing the EXECIGNORE and completion_strip_exe patches. Remember, you must not have any bash or /bin/sh instances running when you upgrade the bash package. This release requires cygwin-2.2.1-1 or later. See also the upstream documentation in /usr/share/doc/bash/. DESCRIPTION: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. As of the bash 3.0 series, cygwin /bin/sh defaults to bash, not ash, similar to some Linux distributions (although /bin/sh may swap to dash at some future time). UPDATE: =3D=3D=3D=3D=3D=3D=3D To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Save it and run setup, answer the questions and pick up 'bash' in the 'Base' category (it should already be selected). DOWNLOAD: =3D=3D=3D=3D=3D=3D=3D=3D=3D Note that downloads from cygwin.com aren't allowed due to bandwidth limitations. This means that you will need to find a mirror which has this update, please choose the one nearest to you: http://cygwin.com/mirrors.html QUESTIONS: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. --=20 Eric Blake volunteer cygwin bash package maintainer For more details on this list (including unsubscription), see: http://sourceware.org/lists.html --fDDKvHbKX2pNwqnBvk1s3dBo4nQFv1Kg6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" Content-length: 604 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJV3M3qAAoJEKeha0olJ0NqVa8IAKUlmXMBeU3JVDN4FBKyml2M /3WrAcundmhL1W4/30O1MwxlvYBfpvxst7Hwo7cg0tNoT/JnZhyPOnLluPdSk5t9 I/BnWK0eaoeZ/4Tcy9sPfsvgHx0Cam43xBbQ2Fr+lLlqosE5q1WQp9R/wMfMVRn9 6mBLf2/krI/WCYwERe8//vBUkHuKvmAMcgZdLCtj8RGZynp5QzUI/YCHptOBj9wx xfdYUqAc61VndSd2pG4y7ZAnTfmH++ALxiGVMNzym5UUqYIsUc8hPUDSYVr3lHzm 5EkfMFk8itcrs+grqrsqdFqBrIJCprCxszmDoxuJApPcahkKiZ/ACZtVOnU1wxA= =JGPe -----END PGP SIGNATURE----- --fDDKvHbKX2pNwqnBvk1s3dBo4nQFv1Kg6--