Slackware-14.1 ChangeLog (2014-09-29)

Mon Sep 29 18:41:23 UTC 2014


  • patches/packages/bash-4.2.050-i486-1_slack14.1.txz
    Another bash update. Here's some information included with the patch:
    “This patch changes the encoding bash uses for exported functions to avoid
    clashes with shell variables and to avoid depending only on an environment
    variable's contents to determine whether or not to interpret it as a shell
    After this update, an environment variable will not go through the parser
    unless it follows this naming structure: BASH_FUNC_*%%
    Most scripts never expected to import functions from environment variables,
    so this change (although not backwards compatible) is not likely to break
    many existing scripts. It will, however, close off access to the parser as
    an attack surface in the vast majority of cases. There's already another
    vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
    but this hardening patch prevents it (and likely many more similar ones).
    Thanks to Florian Weimer and Chet Ramey.
    (* Security fix *)