I am pleased to announce the release of version 4.2.23 of GNU findutils. This release includes a fix for a potential security problem; the list of bugs fixed appears below.

GNU findutils is a set of software tools for finding files that match certain criteria and for performing various operations on them. Findutils includes the programs "find", "xargs" and "locate". More information about findutils is available at http://www.gnu.org/software/findutils/.

This is a "stable" release of findutils. It replaces findutils version 4.2.20, which was the previous stable release. It can be downloaded from ftp://ftp.gnu.org/pub/gnu/findutils. The ftp.gnu.org site is very busy, so you may find it more convenient to download findutils from one of the mirror sites listed at http://www.gnu.org/order/ftp.html.

This release includes a range of changes, including both bugfixes and small functional changes. All the changes since the previous stable release are summarised below.

Bugs in GNU findutils should be reported to the findutils bug tracker at http://savannah.gnu.org/bugs/?group=findutils. Reporting bugs via the web interface will ensure that you are automatically informed when the bug has been fixed.

General discussion of findutils takes place on the bug-findutils mailing list. To join the 'bug-findutils' mailing list, send email to <[EMAIL PROTECTED]>.

To verify the GPG signature of the release, you will need the public key of the findutils maintainer, James Youngman. You can download this from ftp://ftp.gnu.org/gnu/gnu-keyring.gpg. Alternatively, you could query a PGP keyserver, but you will need to use one that can cope with subkeys containing photos. Many older key servers cannot do this. I use subkeys.pgp.net. I think that one works. See also the "Downloading" section of http://www.gnu.org/software/findutils/.

* Major changes in release 4.2.23

** Documentation Changes

The -L and -I options of xargs are currently incompatible (but should not be).

Improved the documentation for -execdir and -okdir.

** Functional Changes to updatedb

File names ending in "/" which are specified as an argument to --prunepaths (or in $PRUNEPATHS) don't work, so we now issue an error message if the user tries to do that. The obvious exception of course is "/" which does work and is not rejected.

* Major changes in release 4.2.22

** Security Fixes

If a directory entry searched with "find -L" is a symbolic link to ".", we no longer loop indefinitely. This problem affected find versions 4.2.19, 4.2.20 and 4.2.21.

This problem allows users to make "find" loop indefinitely. This is in effect a denial of service and could be used to prevent updates to the locate database or to defeat file security checks based on find. However, it should be noted that in any case you should not use "find -L" in security-sensitive scenarios.

** Other Bug Fixes

None in this release.

** Functional Changes to locate

A locate database can now be supplied on stdin, using '-' as an element of the database-path. If more than one database-path element is '-', later instances are ignored.

A new option to locate, '--all' ('-A') causes matches to be limited to entries which match all given patterns, not entries which match one or more patterns.

** Documentation Changes

Some typos in the manual pages have been fixed.

Various parts of the manual now point out that it is good practice to quote the argument of "-name".

The manpage now has a "NON-BUGS" section which explains some symptoms that look like bugs but aren't.

The explanations of the "%k" and "%b" directives to "find -printf" have been improved.

* Major changes in release 4.2.21

** Functional Changes to find

The GNU extension "find ... -perm +MODE" has been withdrawn because it is incompatible with POSIX in obscure cases like "find ... -perm ++r". Use the new syntax "find ... -perm /MODE" instead. Old usages will still continue to work, so long as they don't conflict with POSIX.

If the output is going to a terminal, the -print, -fprint, -printf and -fprintf actions now quote "unusual" characters to prevent unwanted effects on the terminal. See "Unusual Characters in File Names" for further details. There is no change to the behaviour when the output is not going to a terminal. The locate program does the same thing, unless the -0 option is in effect (in which case the filenames are printed as-is).

** Functional Changes to locate

The locate command will now read each locate database at most once. This means that if you are using multiple databases and are searching for more than one name, the results will now be printed in a different order (and if you specified a small limit with --limit, you may get a different set of results).

A new option '--print' for locate causes it to print the matching results even if the '--count' or '--statistics' option is in effect.

** Bug Fixes

find /blah/blah/blah -depth -empty now works once again.

The -regex and -iregex tests of find now correctly accept POSIX Basic Regular Expressions. (Savannah bug #12999)

The updatedb program now works on systems where "su" does not support the "-s" option, for example Solaris.

-- 
James Youngman <[EMAIL PROTECTED]>
GNU findutils maintainer

_______________________________________________
GNU Announcement mailing list <info-gnu@gnu.org>
http://lists.gnu.org/mailman/listinfo/info-gnu
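
For the "find -L" loop described under the 4.2.22 security fix, the following added example (not part of the original announcement or of findutils) lists symbolic links that point at their own directory or at one of its ancestors, so a tree can be checked before any symlink-following walk. It generalises the "." case to ancestors but does not detect cycles formed by several links; the function name loop_links is hypothetical.

```shell
#!/bin/sh
# Added example, not findutils code. loop_links is a hypothetical helper name.
#
# loop_links DIR
#   Print, one per line, every symbolic link under DIR whose target is the
#   directory containing the link or an ancestor of it. Following such a
#   link re-enters a directory that is already being walked.
#   Limitation: file names containing newlines are not handled.
loop_links() {
    root=$1
    # find does not follow symbolic links by default, so this enumeration
    # itself cannot loop.
    find "$root" -type l -print | while IFS= read -r link; do
        # Physical path of the link target; skip dangling links and links
        # that do not resolve to a directory.
        target=$(cd -P -- "$link" 2>/dev/null && pwd -P) || continue
        # Physical path of the directory that holds the link.
        parent=$(cd -P -- "$(dirname -- "$link")" 2>/dev/null && pwd -P) || continue
        # Match when target equals parent or is a path prefix of it.
        # Stripping a trailing "/" makes a target of "/" match everything.
        case "$parent/" in
            "${target%/}/"*) printf '%s\n' "$link" ;;
        esac
    done
}
```
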