Re: CVS commit: pkgsrc/shells/bash

To: "OBATA Akio" <obata%lins.jp@localhost>
Subject: Re: CVS commit: pkgsrc/shells/bash
From: christos%zoulas.com@localhost (Christos Zoulas)
Date: Thu, 25 Sep 2014 21:50:38 -0400

On Sep 26, 10:39am, obata%lins.jp@localhost ("OBATA Akio") wrote:
-- Subject: Re: CVS commit: pkgsrc/shells/bash

| Where this "new feature, change default behaviour" came from (in pkgsrc feature freeze)?

Me. This is a security fix. There are currently:

        - 2 CVE's
        - 1 official patch for one CVS
        - 1 unofficial one that fixes one regression by the official patch
        - a second regression POC

There is active discussion about adding prefixes and suffixes to
prevent parsing errors. I am definitely not going to wait for the
ultimate fix to come when there are active exploits in the wild
and unknown attack vectors. AKAMAI implemented something similar
(disabled the feature completely).

If you don't like it, bring it up with the pkgsrc gods. I am trying to
protect the innocent public the best way I can.

christos

Follow-Ups:
- Re: CVS commit: pkgsrc/shells/bash
  - From: Greg Troxel

References:
- Re: CVS commit: pkgsrc/shells/bash
  - From: OBATA Akio

Prev by Date: Re: CVS commit: pkgsrc/shells/bash
Next by Date: CVS commit: pkgsrc/devel/nss
Previous by Thread: Re: CVS commit: pkgsrc/shells/bash
Next by Thread: Re: CVS commit: pkgsrc/shells/bash
Indexes:

Home | Main Index | Thread Index | Old Index