From: Karel Zak <kzak@redhat.com>
To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	util-linux@vger.kernel.org
Subject: [ANNOUNCE] util-linux maintenance release v2.39.4
Date: Thu, 4 Apr 2024 11:39:43 +0200
Message-ID: <20240404093943.jkyn4eimk3humbw2@ws.net.home>


The util-linux stable maintenance release v2.39.4 is available at

  http://www.kernel.org/pub/linux/utils/util-linux/v2.39/

Feedback and bug reports, as always, are welcomed.

(Please note that the current stable release is v2.40.)

  Karel


util-linux v2.39.4 Release Notes
================================
 
Security issues
---------------

This release fixes CVE-2024-28085. The wall command does not filter escape
sequences from command line arguments. The vulnerable code was introduced in
commit cdd3cc7fa4 (2013). Every version since has been vulnerable.

This allows unprivileged users to put arbitrary text on other users' terminals,
if mesg is set to y and *wall is setgid*. Not all distros are affected (e.g.
CentOS, RHEL and Fedora are not; on Ubuntu and Debian, wall is setgid and mesg
is set to y by default).


Changes between v2.39.3 and v2.39.4
-----------------------------------

build:
   - only build test_enosys if an audit arch exists  [Thomas Weißschuh]
dmesg:
   - (tests) validate json output  [Thomas Weißschuh]
   - -r LOG_MAKEPRI needs fac << 3  [Edward Chron]
   - correctly print all supported facility names  [Thomas Weißschuh]
   - only write one message to json  [Thomas Weißschuh]
   - open-code LOG_MAKEPRI  [Thomas Weißschuh]
docs:
   - update AUTHORS file  [Karel Zak]
fadvise:
   - (test) don't compare fincore page counts  [Thomas Weißschuh]
   - (test) dynamically calculate expected test values  [Thomas Weißschuh]
   - (test) test with 64k blocks  [Thomas Weißschuh]
   - (tests) factor out calls to "fincore"  [Thomas Weißschuh]
github:
   - add labeler  [Karel Zak]
jsonwrt:
   - add ul_jsonwrt_value_s_sized  [Thomas Weißschuh]
libblkid:
   - Check offset in LUKS2 header  [Milan Broz]
   - topology/ioctl  correctly handle kernel types  [Thomas Weißschuh]
libmount:
   - don't initialize variable twice (#2714)  [Thorsten Kukuk]
   - make sure "option=" is used as string  [Karel Zak]
libsmartcols:
   - (tests) add test for continuous json output  [Thomas Weißschuh]
   - drop spurious newline in between streamed JSON objects  [Thomas Weißschuh]
   - flush correct stream  [Thomas Weißschuh]
   - only recognize closed object as final element  [Thomas Weißschuh]
po:
   - merge changes  [Karel Zak]
po-man:
   - merge changes  [Karel Zak]
wall:
   - fix calloc call [-Werror=calloc-transposed-args]  [Karel Zak]
   - fix escape sequence injection [CVE-2024-28085]  [Karel Zak]

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

