Release Notes for fish 2.1.1 (released September 26, 2014)
Important: if you are upgrading, stop all running instances of fishd as soon as possible after installing this release; it will be restarted automatically. On most systems, there will be no further action required. Note that some environments (where XDG_RUNTIME_DIR is set), such as Fedora 20, will require a restart of all running fish processes before universal variables work as intended.
Distributors are highly encouraged to call killall fishd, pkill fishd or similar in installation scripts, or to warn their users to do so.
Security fixes
- The fish_config web interface now uses an authentication token to protect requests and only responds to requests from the local machine with this token, preventing a remote code execution attack (closing CVE-2014-2914). #1438
- psub and funced are no longer vulnerable to attacks which allow local privilege escalation and data tampering (closing CVE-2014-2906 and CVE-2014-3856). #1437
- fishd uses a secure path for its socket, preventing a local privilege escalation attack (closing CVE-2014-2905). #1436
- __fish_print_packages is no longer vulnerable to attacks which would allow local privilege escalation and data tampering (closing CVE-2014-3219). #1440
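The pattern described for the fish_config fix (a per-run token plus a local-machine-only check) can be sketched as follows. This is an added example, not fish_config's own code: the header name X-Auth-Token, the function names, and the choice to carry the token in a header are assumptions made for illustration.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOPBACK = {"127.0.0.1", "::1"}
AUTH_HEADER = "X-Auth-Token"  # hypothetical header name, not fish_config's


def new_token() -> str:
    """Fresh 128-bit random token, generated once per server start."""
    return secrets.token_hex(16)


def is_authorized(client_ip, presented, expected) -> bool:
    """Accept only loopback peers that present the exact token."""
    if client_ip not in LOOPBACK or not presented:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(presented.encode(), expected.encode())


def make_handler(token: str):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = is_authorized(self.client_address[0],
                               self.headers.get(AUTH_HEADER), token)
            body = b"ok\n" if ok else b"forbidden\n"
            self.send_response(200 if ok else 403)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


if __name__ == "__main__":
    token = new_token()
    # Bind to loopback only, never 0.0.0.0; port 0 lets the OS pick a port.
    server = HTTPServer(("127.0.0.1", 0), make_handler(token))
    print(f"listening on 127.0.0.1:{server.server_port}, token {token}")
    server.serve_forever()
```

Binding to loopback alone is not sufficient, because other local users and web pages open in a local browser can still reach the port; the token is what ties a request to the user who started the server.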
Other fixes
- fishd now ignores SIGPIPE, fixing crashes when using tools like GNU Parallel, which occurred more often as a result of the other fishd changes. #1084 & #1690
The SHA-1 sum for the official source tarball is 8f97f39b92ea7dfef1f464b18e304045bf37546d.