Release Notes for fish 2.1.1 (released September 26, 2014)
Important: if you are upgrading, stop all running instances of fishd as soon as possible after installing this release; it will be restarted automatically. On most systems, there will be no further action required. Note that some environments (where XDG_RUNTIME_DIR is set), such as Fedora 20, will require a restart of all running fish processes before universal variables work as intended.
Distributors are highly encouraged to call killall fishd, pkill fishd or similar in installation scripts, or to warn their users to do so.
Security fixes
- The fish_config web interface now uses an authentication token to protect requests and only responds to requests from the local machine with this token, preventing a remote code execution attack. (closing CVE-2014-2914). #1438
psubandfuncedare no longer vulnerable to attacks which allow local privilege escalation and data tampering (closing CVE-2014-2906 and CVE-2014-3856). #1437fishduses a secure path for its socket, preventing a local privilege escalation attack (closing CVE-2014-2905). #1436__fish_print_packagesis no longer vulnerable to attacks which would allow local privilege escalation and data tampering (closing CVE-2014-3219). #1440
Other fixes
fishdnow ignores SIGPIPE, fixing crashes using tools like GNU Parallel and which occurred more often as a result of the otherfishdchanges. #1084 & #1690
The SHA-1 sum for the official source tarball is 8f97f39b92ea7dfef1f464b18e304045bf37546d.