author | dana <dana@dana.is> | 2019-12-31 03:41:28 -0600 |
---|---|---|
committer | dana <dana@dana.is> | 2020-02-14 16:06:58 -0600 |
commit | 048f40b68b05fdd5f3f8d60cda4e69fce2611331 (patch) | |
tree | 036d243b19dd2847c54a0a945a3acffec4e62c1f /NEWS | |
parent | b15bd4aa590db8087d1e8f2eb1af2874f5db814d (diff) | |
Update NEWS/README
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/NEWS b/NEWS index af59cb4e6..964e1633f 100644 --- a/NEWS +++ b/NEWS @@ -4,8 +4,22 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH Note also the list of incompatibilities in the README file. -Changes since 5.7.1 -------------------- +Changes since 5.7.1-test-3 +-------------------------- + +CVE-2019-20044: When unsetting the PRIVILEGED option, the shell sets its +effective user and group IDs to match their respective real IDs. On some +platforms (including Linux and macOS, but not FreeBSD), when the RUID and +EUID were both non-zero, it was possible to regain the shell's former +privileges by e.g. assigning to the EUID or EGID parameter. In the course +of investigating this issue, it was also found that the setopt built-in +did not correctly report errors when unsetting the option, which +prevented users from handling them as the documentation recommended. +setopt now returns non-zero if it is unable to safely drop privileges. +[ Reported by Sam Foxman <samfoxman320@gmail.com>. ] + +Changes from 5.7.1 to 5.7.1-test-3 +---------------------------------- The zsh/zutil module's zparseopts builtin learnt an -F option to abort parsing when an unrecognised option-like parameter is encountered. |
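Review bot: The new CVE-2019-20044 paragraph explains how privileges could be regained but never states the corrected behaviour of the privilege drop itself; the only change it spells out is "setopt now returns non-zero if it is unable to safely drop privileges." Add one sentence saying what the shell now does when PRIVILEGED is unset, so a reader can tell that assigning to EUID or EGID afterwards no longer restores the former IDs. Since the entry notes that errors were previously not reported "as the documentation recommended", it would also help to point to the README or the option's documentation for the recommended check of the return status, so script authors who drop privileges this way know they need to test it. Finally, the heading "Changes since 5.7.1-test-3" places the entry correctly, but the text does not say which releases are affected; a short "affects versions up to ..." clause would make the entry usable for triage without reading the advisory.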