bash (4.3-14ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: rbash restriction bypass (LP: #1803441)
    - debian/patches/CVE-2019-9924.patch: if the shell is restricted,
      reject attempts to add pathnames containing slashes to the hash
      table in variables.c.
    - CVE-2019-9924

 -- Marc Deslauriers  Fri, 12 Jul 2019 14:25:28 -0400

bash (4.3-14ubuntu1.3) xenial; urgency=medium

  * Resurrect "Set the default path to comply with Debian policy" in
    deb-bash-config.diff which went missing since 4.2+dfsg-1 or so.
    LP: #1792004 LP: #1614080 Closes: #781367
  * Add autopkgtest for the built-in path.

 -- Dimitri John Ledkov  Fri, 03 May 2019 14:57:15 +0100

bash (4.3-14ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers  Tue, 16 May 2017 07:51:45 -0400

bash (4.3-14ubuntu1.1) xenial-proposed; urgency=medium

  * SRU: LP: #1595869.
  * Apply upstream patches 043 - 046. Fixes:
    - When the lastpipe option is enabled, the last component can contain
      nested pipelines and cause a segmentation fault under certain
      circumstances.
    - A typo prevents the `compat42' shopt option from working as intended.
    - If a file open attempted as part of a redirection fails because it
      is interrupted by a signal, the shell needs to process any pending
      traps to allow the redirection to be canceled.
    - An incorrect conversion from an indexed to associative array can
      result in a core dump.
  * Add $HOME/.local/bin to PATH, and add the user's home directories
    unconditionally to the path, so that they are available without a
    new login. Closes: #820856, LP: #1588562.

 -- Matthias Klose  Fri, 24 Jun 2016 10:20:17 +0200

bash (4.3-14ubuntu1) wily; urgency=medium

  * Merge with Debian; remaining changes:
    - skel.bashrc:
      - Run lesspipe.
      - Enable ls aliases.
      - Set options in ll alias to -alF.
      - Define an alert alias.
      - Enabled colored grep aliases.
    - etc.bash.bashrc:
      - Add sudo hint.

 -- Matthias Klose  Tue, 01 Sep 2015 01:15:55 +0200

bash (4.3-14) unstable; urgency=medium

  * Apply upstream patches 040 - 042.

 -- Matthias Klose  Tue, 01 Sep 2015 01:04:38 +0200

bash (4.3-13ubuntu1) wily; urgency=medium

  * Merge with Debian; remaining changes:
    - skel.bashrc:
      - Run lesspipe.
      - Enable ls aliases.
      - Set options in ll alias to -alF.
      - Define an alert alias.
      - Enabled colored grep aliases.
    - etc.bash.bashrc:
      - Add sudo hint.

 -- Tiago Stürmer Daitx  Wed, 29 Jul 2015 18:37:59 -0300

bash (4.3-13) unstable; urgency=medium

  * Apply upstream patches 034 - 039.
  * Disallow setuid scripts if not called as `sh' and not called with
    the -p option. Closes: #720545, #734866.

 -- Matthias Klose  Sun, 26 Jul 2015 14:53:19 +0200

bash (4.3-12) unstable; urgency=medium

  * Apply upstream patches 031 - 033.
  * Add a Built-Using attribute for bash-static. Closes: #769342.
  * Move definition of the macro "FN" out of the region of the "ig" macro.
    Define macros and registers "zZ" and "zY". Closes: #774597.
  * Also set color prompt for *-256color terminals. Closes: #766443.

 -- Matthias Klose  Wed, 28 Jan 2015 17:05:00 +0100

bash (4.3-11ubuntu3) wily; urgency=medium

  * debian/patches/privmode.diff: disabled patch to re-enable proper
    privilege dropping security feature. (LP: #1459201)

 -- Marc Deslauriers  Wed, 27 May 2015 10:57:56 -0400

# For older changelog entries, run 'apt-get changelog bash'