author dana <dana@dana.is> 2019-12-31 03:41:28 -0600
committer dana <dana@dana.is> 2020-02-14 16:06:58 -0600
commit 048f40b68b05fdd5f3f8d60cda4e69fce2611331
tree 036d243b19dd2847c54a0a945a3acffec4e62c1f
parent b15bd4aa590db8087d1e8f2eb1af2874f5db814d
Update NEWS/README
-rw-r--r--  NEWS    18
-rw-r--r--  README  11
2 files changed, 25 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index af59cb4e6..964e1633f 100644
--- a/NEWS
+++ b/NEWS
@@ -4,8 +4,22 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
 
 Note also the list of incompatibilities in the README file.
 
-Changes since 5.7.1
--------------------
+Changes since 5.7.1-test-3
+--------------------------
+
+CVE-2019-20044: When unsetting the PRIVILEGED option, the shell sets its
+effective user and group IDs to match their respective real IDs. On some
+platforms (including Linux and macOS, but not FreeBSD), when the RUID and
+EUID were both non-zero, it was possible to regain the shell's former
+privileges by e.g. assigning to the EUID or EGID parameter. In the course
+of investigating this issue, it was also found that the setopt built-in
+did not correctly report errors when unsetting the option, which
+prevented users from handling them as the documentation recommended.
+setopt now returns non-zero if it is unable to safely drop privileges.
+[ Reported by Sam Foxman <samfoxman320@gmail.com>. ]
+
+Changes from 5.7.1 to 5.7.1-test-3
+----------------------------------
 
 The zsh/zutil module's zparseopts builtin learnt an -F option to abort
 parsing when an unrecognised option-like parameter is encountered.
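Review bot: The CVE-2019-20044 entry states the regain-of-privileges problem and the setopt error-reporting fix, but it never says plainly that the regain path itself is now closed; after "setopt now returns non-zero if it is unable to safely drop privileges." add a sentence stating what the shell now does when PRIVILEGED is unset so readers know both issues are addressed, and add the concrete recommendation implied by "handling them as the documentation recommended", e.g. that scripts dropping privileges should check the status of `unsetopt privileged` and abort on failure rather than continue. A short note on which platforms had the regain behaviour is already there (Linux and macOS, not FreeBSD); stating the affected version range (every release before 5.8) would make the entry self-contained for people reading NEWS out of context.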
diff --git a/README b/README
index a3701abe5..7f1dd5f92 100644
--- a/README
+++ b/README
@@ -5,8 +5,9 @@ THE Z SHELL (ZSH)
 Version
 -------
 
-This is version 5.8 of the shell.  This is a stable release.  There are
-a few visible improvements since 5.7 as well as many bugfixes.
+This is version 5.8 of the shell.  This is a security and feature release.
+There are a few visible improvements since 5.7, as well as many bugfixes.
+All zsh installations are encouraged to upgrade as soon as possible.
 
 Note in particular the changes highlighted under "Incompatibilities since
 5.7.1" below.  See NEWS for more information.
@@ -56,6 +57,12 @@ This only affects you if you override that function in your dotfiles.
 The cd and chdir builtins no longer interpret operands like -1 and +2 as
 stack entries when POSIX_CD is enabled.
 
+Dropping privileges with `unsetopt privileged` may fail (with an error
+message) on some older and uncommon platforms due to library dependency
+changes made in the course of fixing CVE-2019-20044.  Please report this
+to the zsh-workers mailing list if your system is affected.  See NEWS for
+more.
+
 Incompatibilities between 5.6.2 and 5.7.1
 -----------------------------------------
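Review bot: The new paragraph says `unsetopt privileged` "may fail (with an error message)" but omits the part that scripts actually depend on: the NEWS entry in the same commit says setopt now returns non-zero when it cannot drop privileges, so this line should say "may fail (with an error message and a non-zero exit status)" so the two documents agree and readers know the failure is detectable. "Some older and uncommon platforms" and "library dependency changes" are vague for an incompatibility note; if the set of affected platforms or the library functions the new code depends on is known, naming them lets packagers check their target before shipping. The request to report to the zsh-workers mailing list gives no address; either add it or point to where README already lists it.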