| author | Peter Stephenson <pws@zsh.org> | 2014-10-06 17:16:12 +0100 |
|---|---|---|
| committer | Peter Stephenson <pws@zsh.org> | 2014-10-06 17:16:12 +0100 |
| commit | 43c8bc81cf96c22726aacf87bb9a0a982f43b32e (patch) | |
| tree | 1cab5f6ca8a84f6691956e3d4ab0b497f73c9ef2 /README | |
| parent | 33354: when backgrounding a pipeline, close all pipe descriptors in the parent (diff) | |
unposted (discussed offline): update README for integer import vulnerability
Diffstat (limited to 'README')
| -rw-r--r-- | README | 8 |
1 files changed, 5 insertions, 3 deletions
@@ -10,9 +10,11 @@ There are minor new features as well as bug fixes since 5.0.6. Note in particular there is a security fix to disallow evaluation of the initial values of integer variables imported from the environment (they -are instead treated as literal numbers). Although no exploits are -currently known with this issue it is recommended to upgrade as soon as -possible. +are instead treated as literal numbers). That could allow local +privilege escalation, under some specific and atypical conditions where +zsh is being invoked in privilege elevation contexts when the +environment has not been properly sanitized, such as when zsh is invoked +by sudo on systems where "env_reset" has been disabled. Installing Zsh -------------- |
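Review bot: In the added sentence beginning "That could allow local privilege escalation", the pronoun "That" directly follows the parenthetical "(they are instead treated as literal numbers)", so it reads as if the fix, rather than the old evaluation of imported integer values, is what enables the escalation. Naming the subject would remove the ambiguity, for example "Evaluating those values could allow local privilege escalation, under some specific and atypical conditions ...". The removed lines also carried the recommendation to upgrade as soon as possible, and the replacement drops it. Since the README now states a concrete impact (zsh invoked by sudo where "env_reset" has been disabled) but no action, consider keeping an upgrade recommendation after the new risk description.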
