On Mon, 29 Sep 2014, Paul Eggert wrote: > which is caused by a widely-distributed Bash fix that overreacted to > the bug and is causing me more problems than the bug did. Let's not > do something like this with Autoconf. Hmm, that "overreaction" is currently mitigating two undisclosed RCE bugs in bash: http://lcamtuf.blogspot.co.nz/2014/09/bash-bug-apply-unofficial-patch-now.html http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx Which is going to trigger a third round of shellshock security updates (because mitigated is not fixed) soon enough, at which point a lot of people might well decide to patch bash to remove the functionality entirely. NetBSD and FreeBSD already did. But this doesn't affect autoconf, really. What _could_ affect autoconf is that bash can add crap to the environment which is illegal under POSIX, because bash functions are not as restricted as POSIX environment variables. Sorry, I don't have the link to the relevant oss-sec post right now. -- "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh _______________________________________________ Autoconf mailing list Autoconf@xxxxxxx https://lists.gnu.org/mailman/listinfo/autoconf
