Hi all,

I'm pleased to announce the release of fish 3.6.2, which contains a fix for a bug with a potential security impact, and fish 3.6.3, which contains a test suite that passes properly (but no other changes).

CVE-2023-49284 has been assigned for a problem in fish where certain Unicode non-characters are used internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.

While this may cause unexpected behavior with direct input (for example, `echo \UFDD2HOME` has the same output as `echo $HOME`), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected.

This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters.

Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances.

The tarball and packages for Linux, macOS and Windows will soon be available from https://fishshell.com/ and the release notes will be at https://fishshell.com/release_notes.html - but in the meantime I have uploaded the release to the GitHub releases page at:

https://github.com/fish-shell/fish-shell/releases/tag/3.6.3

The Linux packages will be submitted to the release:3 channel, and if you are using your system package manager to install fish from these channels a new version will make its way to you soon. If you'd like to use this method, the links are:

https://launchpad.net/~fish-shell/+archive/ubuntu/release-3 (Ubuntu)
https://software.opensuse.org//download.html?project=shells%3Afish%3Arelease%3A3&package=fish (Debian, Fedora, openSUSE and Red Hat Enterprise Linux)

A pull request for Homebrew has been submitted, making the new version available soon via upgrading or running `brew install fish`.

For our distributors, the tarball is available at

https://github.com/fish-shell/fish-shell/releases/download/3.6.3/fish-3.6.3.tar.xz

The SHA-256 sum is 55520128c8ef515908a3821423b430db9258527a6c6acb61c7cb95626b5a48d5 and the tarball has a signature from my personal PGP key, as does this message.

May you always remember to run the test suite in the directory containing the release, not elsewhere.

Thanks,

David Adam
fish committer
zanc...@ucc.gu.uwa.edu.au

_______________________________________________
Fish-users mailing list
Fish-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fish-users
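
A check for external program output that is destined for a fish command substitution, as an added example that is not part of the announcement above or of fish itself. It flags every Unicode noncharacter and can replace them before the data reaches the shell. Assumptions: the announcement names only U+FDD2, so treating the full set of 66 noncharacters as suspect is a conservative choice, and the function names and sample bytes are constructed for illustration.

```python
"""Flag Unicode noncharacters in text bound for a fish command substitution."""

def is_noncharacter(cp: int) -> bool:
    # The 66 Unicode noncharacters: U+FDD0..U+FDEF, plus the last two code
    # points of each of the 17 planes (U+FFFE, U+FFFF, ..., U+10FFFF).
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE

def find_noncharacters(data: bytes) -> list:
    """Return (line, column, 'U+XXXX') for every noncharacter in UTF-8 data."""
    text = data.decode("utf-8", errors="replace")  # invalid bytes become U+FFFD
    hits = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_noncharacter(ord(ch)):
                hits.append((line_no, col, f"U+{ord(ch):04X}"))
    return hits

def neutralise(data: bytes) -> bytes:
    """Replace each noncharacter with U+FFFD, which is not a noncharacter."""
    text = data.decode("utf-8", errors="replace")
    cleaned = "".join("\ufffd" if is_noncharacter(ord(c)) else c for c in text)
    return cleaned.encode("utf-8")

# Constructed sample: output of a hypothetical external program.
SAMPLE = (
    b"name=build-42\n"
    b"label=\xef\xb7\x92HOME\n"  # U+FDD2 then HOME, as in the announcement's echo example
    b"note=caf\xc3\xa9\n"        # ordinary non-ASCII text, must not be flagged
)

if __name__ == "__main__":
    for line_no, col, code_point in find_noncharacters(SAMPLE):
        print(f"line {line_no}, column {col}: noncharacter {code_point}")
    print(neutralise(SAMPLE).decode("utf-8"), end="")
```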