This is an old revision of the document!


Slackware-current ChangeLog (2014/09/29)

Mon Sep 29 18:41:23 UTC 2014
a/bash-4.3.027-x86_64-1.txz:  Upgraded.
  Another bash update.  Here's some information included with the patch:
    "This patch changes the encoding bash uses for exported functions to avoid
    clashes with shell variables and to avoid depending only on an environment
    variable's contents to determine whether or not to interpret it as a shell
    function."
  After this update, an environment variable will not go through the parser
  unless it follows this naming structure:  BASH_FUNC_*%%
  Most scripts never expected to import functions from environment variables,
  so this change (although not backwards compatible) is not likely to break
  many existing scripts.  It will, however, close off access to the parser as
  an attack surface in the vast majority of cases.  There's already another
  vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
  but this hardening patch prevents it (and likely many more similar ones).
  Thanks to Florian Weimer and Chet Ramey.
  (* Security fix *)
  • news/2014/09/29/slackware-current-changelog.1414191577.txt.gz
  • Last modified: 10 years ago
  • by Giuseppe Di Terlizzi