author | Axel Beckert <abe@deuxchevaux.org> | 2020-02-16 03:29:05 +0100 |
---|---|---|
committer | Axel Beckert <abe@deuxchevaux.org> | 2020-02-16 03:29:05 +0100 |
commit | 94c033d2e281eb1f49e8366d21fc259ce8c0c4f5 (patch) | |
tree | 701ad2fd3a7867e97689d1349d46ca25a92297b4 /NEWS | |
parent | 643de931640e01aa246723d2038328ef33737965 (diff) | |
parent | 77d203f3fbbd76386bf197f9776269a1de580bb5 (diff) | |
download | zsh-94c033d2e281eb1f49e8366d21fc259ce8c0c4f5.tar.gz zsh-94c033d2e281eb1f49e8366d21fc259ce8c0c4f5.zip |
New upstream version 5.8
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 18 |
1 files changed, 16 insertions, 2 deletions
@@ -4,8 +4,22 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH Note also the list of incompatibilities in the README file. -Changes since 5.7.1 -------------------- +Changes since 5.7.1-test-3 +-------------------------- + +CVE-2019-20044: When unsetting the PRIVILEGED option, the shell sets its +effective user and group IDs to match their respective real IDs. On some +platforms (including Linux and macOS, but not FreeBSD), when the RUID and +EUID were both non-zero, it was possible to regain the shell's former +privileges by e.g. assigning to the EUID or EGID parameter. In the course +of investigating this issue, it was also found that the setopt built-in +did not correctly report errors when unsetting the option, which +prevented users from handling them as the documentation recommended. +setopt now returns non-zero if it is unable to safely drop privileges. +[ Reported by Sam Foxman <samfoxman320@gmail.com>. ] + +Changes from 5.7.1 to 5.7.1-test-3 +---------------------------------- The zsh/zutil module's zparseopts builtin learnt an -F option to abort parsing when an unrecognised option-like parameter is encountered. |
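Review bot: The CVE-2019-20044 paragraph under the new "Changes since 5.7.1-test-3" heading describes the flaw only in the past tense ("it was possible to regain the shell's former privileges") and never states the corrected behaviour. The one change it spells out is that setopt now returns non-zero when it is unable to safely drop privileges. Add a sentence saying what unsetting PRIVILEGED now does with the IDs, so a reader can tell that assigning to EUID or EGID afterwards no longer restores them. Since the return status is the only signal of a failed drop, the entry should also say directly that scripts unsetting the option need to test that status before continuing, rather than leaving it implied by "as the documentation recommended".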