Re: zsh 5.8.1 released (CVE-2021-45444)

[dana <dana@xxxxxxx>]

On 13 Feb 2022, at 02:58, david rayner <david@xxxxxxxxxxxxxx> wrote:
> Out of curiosity what is the process by which this will filter out to the
> various Linux & other distributions. Is it ad-hoc (I see you mention a
> security mailing list) ?

The people who maintain those distributions' zsh packages are generally
subscribed to the mailing list, and they pull down the update when they see
the announcement. Some maintainers even get early notifications when a
security release is coming.

On 13 Feb 2022, at 02:58, david rayner <david@xxxxxxxxxxxxxx> wrote:
> Also you say it contains few changes but does it include various patches
> that I often see discussed in this group?

Usually when we release a new version it's based on the master branch, so it
will contain all of the patches that have been discussed on the mailing list
up to that point. In this case, we weren't ready to do that, so we went back
to the last stable version and released a small update based on that.

The README/NEWS files included with the shell (and the Web site which is based
on those files) only contain summaries of major changes and incompatibilities,
not routine bug fixes, so if you want to find out *exactly* what was changed,
you can either look at the ChangeLog file or do a comparison in Git. Here's
ChangeLog for 5.8.1:

  https://github.com/zsh-users/zsh/blob/zsh-5.8.1/ChangeLog
  https://gitlab.com/zsh-org/zsh/-/blob/zsh-5.8.1/ChangeLog
  https://sourceforge.net/p/zsh/code/ci/zsh-5.8.1/tree/ChangeLog

And here's the comparison between 5.8 and 5.8.1:

  https://github.com/zsh-users/zsh/compare/zsh-5.8...zsh-5.8.1
  https://gitlab.com/zsh-org/zsh/-/compare/zsh-5.8...zsh-5.8.1
  (not sure how to do comparisons in the SF interface)

Maybe we could add one of those links to the announcements, or provide a list
of changes some other way, if people want that.

dana