From: Andy
To: cygwin@cygwin.com
Subject: Re: [ANNOUNCEMENT] Updated: bash-4.1.14-7
Date: Wed, 01 Oct 2014 01:43:00 -0000

Eric Blake (cygwin byu.net) writes:

> This is a minor rebuild which picks up an upstream patch to fix
> CVE-2014-7169 and all other ShellShock attacks (4.1.13-6 was also safe,
> but used a slightly different downstream patch that used '()' instead of
> '%%' in environment variables, and which was overly restrictive on
> importing functions whose name was not an identifier). There are still
> known parser crashers (such as CVE-2014-7186, CVE-2014-7187, and
> CVE-2014-6277) where upstream will probably issue patches soon; but
> while those issues can trigger a local crash, they cannot be exploited
> for escalation of privilege via arbitrary variable contents by this
> build. Left unpatched, a vulnerable version of bash could allow
> arbitrary code execution via specially crafted environment variables,
> and was exploitable through a number of remote services, so it is highly
> recommended that you upgrade.

I found this to be a good test site, with a comprehensive list of exploits
and an explicit description of what to expect, in order to decide whether an
exploit is still active: http://shellshocker.net

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
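The following is an added local check, not part of this thread and not code from Cygwin or the bash project. It lets an administrator confirm two things the announcement above talks about: that the bash on PATH no longer treats an arbitrary environment variable beginning with "() {" as a function definition (the original ShellShock bug, CVE-2014-6271, whose incomplete fix led to CVE-2014-7169), and that exported functions are now carried in namespaced variables, which on an upstream-patched bash end in the '%%' suffix the announcement mentions (the earlier downstream patch used '()'). The probe value only echoes a marker; the variable name x and the function name hello are constructed for the example, and the optional argument is the path of the bash to test (for instance a Cygwin /bin/bash).

```shell
#!/bin/sh
# Added example (not from the cygwin list or the bash project).

# Returns 0 and prints "patched" when the given bash ignores a function-looking
# value in an ordinary environment variable; returns 1 and prints "vulnerable"
# when the trailing command in the value is executed at startup.
shellshock_check() {
    bash_bin="${1:-bash}"
    # Constructed probe: an unpatched bash parses the value of x as a function
    # definition and then runs the command that follows it; the command only
    # echoes a marker, so the check itself changes nothing on the system.
    out=$(env 'x=() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Prints the environment variable name under which the given bash exports a
# function. An upstream-patched bash prints BASH_FUNC_hello%% ; the interim
# downstream patch the announcement refers to used BASH_FUNC_hello() instead.
# Either way, a variable simply named hello can no longer be imported as code.
exported_function_encoding() {
    bash_bin="${1:-bash}"
    "$bash_bin" -c 'hello() { echo hi; }; export -f hello; env | grep "^BASH_FUNC_hello"' 2>/dev/null \
        | cut -d= -f1
}

# Stand-alone usage: report both results for the bash on PATH.
shellshock_check
exported_function_encoding
```

Run it on each host after the update; "patched" plus a BASH_FUNC_ name is the expected result, and "vulnerable" means the bash found first on PATH is still an old build (on Cygwin, check that the path you test is the one remote services such as sshd actually spawn).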