diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | README | 8 |
2 files changed, 10 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog index f1fdbceac..985711036 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-10-06 Peter Stephenson <p.stephenson@samsung.com> + + * unposted (discussed offline): README: update description of + integer import problem. + 2014-10-04 Barton E. Schaefer <schaefer@zsh.org> * 33354: Src/jobs.c, Test/A05execution.ztst: when backgrounding diff --git a/README b/README index 42105ee8d..e3ccc70b1 100644 --- a/README +++ b/README @@ -10,9 +10,11 @@ There are minor new features as well as bug fixes since 5.0.6. Note in particular there is a security fix to disallow evaluation of the initial values of integer variables imported from the environment (they -are instead treated as literal numbers). Although no exploits are -currently known with this issue it is recommended to upgrade as soon as -possible. +are instead treated as literal numbers). That could allow local +privilege escalation, under some specific and atypical conditions where +zsh is being invoked in privilege elevation contexts when the +environment has not been properly sanitized, such as when zsh is invoked +by sudo on systems where "env_reset" has been disabled. Installing Zsh -------------- |