Overview
Request 1132456 superseded
(This version has bugzilla references)
- New upstream release 3.6.4
  * This release contains a complete fix for the test suite failure in fish
    3.6.2 and 3.6.3.
- New upstream release 3.6.3
  * This release contains a fix for a test suite failure in fish 3.6.2.
- New upstream release 3.6.2
  This release of fish contains a security fix for CVE-2023-49284, a minor security problem identified
  in fish 3.6.1 and previous versions (thought to affect all released versions of fish).
  fish uses certain Unicode non-characters internally for marking wildcards and expansions. It
  incorrectly allowed these markers to be read on command substitution output, rather than
  transforming them into a safe internal representation.
  For example, ``echo \UFDD2HOME`` has the same output as ``echo $HOME``.
  While this may cause unexpected behavior with direct input, this may become a minor security problem
  if the output is being fed from an external program into a command substitution where this output
  may not be expected. (bsc#1217808, CVE-2023-49284)
- Enable tests
- Created by simotek
- In state superseded
- Supersedes 1132425
- Superseded by 1132463
- Open review for licensedigger
- Open review for openSUSE:Factory:Staging:F
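A defender-side check for the issue described in the 3.6.2 changelog entry above, as an added example (not code from fish or from this request): it flags and replaces Unicode noncharacters in text received from an external program before that text is used in a command substitution, and tells whether a fish version predates the fix. The function names and the sample string are constructed for illustration, and the scan covers every Unicode noncharacter, which is broader than the markers fish uses internally.

```python
import re

def is_noncharacter(cp: int) -> bool:
    """Unicode noncharacters: U+FDD0..U+FDEF plus the last two code points
    of every plane (U+FFFE/U+FFFF, U+1FFFE/U+1FFFF, ... U+10FFFF)."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE

def find_noncharacters(text: str):
    """Return (offset, 'U+XXXX') for each noncharacter found in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if is_noncharacter(ord(ch))]

def sanitize(text: str, replacement: str = "\uFFFD") -> str:
    """Replace every noncharacter with U+FFFD so no marker survives."""
    return "".join(replacement if is_noncharacter(ord(ch)) else ch
                   for ch in text)

def fish_is_affected(version: str) -> bool:
    """True for fish releases before 3.6.2, the release carrying the fix."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < (3, 6, 2)

def check_external_output(raw: bytes, fish_version: str):
    """Decode output of an external program and return (safe_text, findings).
    Findings are reported for any version; sanitizing matters most when the
    consuming shell is an affected fish release."""
    text = raw.decode("utf-8", errors="replace")
    findings = find_noncharacters(text)
    if findings and fish_is_affected(fish_version):
        return sanitize(text), findings
    return text, findings

if __name__ == "__main__":
    # Constructed sample: the code point from the changelog's example,
    # as it would arrive in UTF-8 from an external program.
    sample = "\uFDD2HOME\n".encode("utf-8")
    for version in ("3.6.1", "3.6.4"):
        safe, found = check_external_output(sample, version)
        print(version, found, repr(safe))
```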
Request History
simotek created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
staging-bot set openSUSE:Factory:Staging:E as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:E"
staging-bot accepted review
Picked "openSUSE:Factory:Staging:E"
anag+factory added factory-staging as a reviewer
Being evaluated by group "factory-staging"
anag+factory accepted review
Unstaged from project "openSUSE:Factory:Staging:E"
anag+factory set openSUSE:Factory:Staging:F as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:F"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:F"
dimstar declined review
+License: GPL-2.0-only AND AND BSD-3-Clause AND ISC AND LGPL-2.0-or-later AND MIT AND PSF-2.0
`AND AND` - too many and (which is the reason for the License check failure)
dimstar declined request
+License: GPL-2.0-only AND AND BSD-3-Clause AND ISC AND LGPL-2.0-or-later AND MIT AND PSF-2.0
`AND AND` - too many and (which is the reason for the License check failure)
@dancermak
There is something wrong in the licence line change, I'm guessing it's the doubled AND