bug-findutils
Findutils 4.2.22 is now available on alpha.gnu.org


From: James Youngman
Subject: Findutils 4.2.22 is now available on alpha.gnu.org
Date: Sun, 12 Jun 2005 23:45:48 +0100
User-agent: Mutt/1.3.28i

I am pleased to announce the release of version 4.2.22 of GNU
findutils.  This is a security bugfix release; the list of bug fixes
appears below.

GNU findutils is a set of software tools for finding files that match
certain criteria and for performing various operations on them.
Findutils includes the programs "find", "xargs" and "locate".

This is an "unstable" release of findutils.  It includes a range of
changes, including both bugfixes and small functional changes.  It can
be downloaded from ftp://alpha.gnu.org/pub/gnu/findutils.  The current
stable release of findutils is still 4.2.20, which is available from
ftp.gnu.org and its mirrors.  More information about findutils is
available at http://www.gnu.org/software/findutils/.

However, the 4.2.20 release is affected by the security issue
addressed by this release, and so a release to ftp.gnu.org will be
made following some testing of this release.


*** Please test this release and provide feedback to the
*** address@hidden mailing list.  Once we know that this
*** release is stable enough, we need to make a release to ftp.gnu.org
*** so that a normal public release fixing this problem is available.


Bugs in GNU findutils should be reported to the findutils bug tracker
at http://savannah.gnu.org/bugs/?group=findutils.  Reporting bugs via
the web interface will ensure that you are automatically informed when
the bug has been fixed.  General discussion of findutils takes place
on the bug-findutils mailing list.  To join the 'bug-findutils'
mailing list, send email to <address@hidden>.

To verify the GPG signature of the release, you will need the public
key of the findutils maintainer, James Youngman.  You can download
this from ftp://ftp.gnu.org/gnu/gnu-keyring.gpg.  Alternatively, you
could query a PGP keyserver, but you will need to use one that can
cope with subkeys containing photos.  Many older key servers cannot do
this.  I use subkeys.pgp.net.  I think that one works.  See also the
"Downloading" section of http://www.gnu.org/software/findutils/.

* Major changes in release 4.2.22

** Security Fixes

If a directory entry searched with "find -L" is a symbolic link to
".", we no longer loop indefinitely.  This problem affected find
versions 4.2.19, 4.2.20 and 4.2.21.  This problem allows users to make
"find" loop indefinitely.  This is in effect a denial of service and
could be used to prevent updates to the locate database or to defeat
file security checks based on find.   However, it should be noted that
you should not use "find -L" in security-sensitive scenarios.

** Other Bug Fixes

None in this release.

** Functional Changes to locate

A locate database can now be supplied on stdin, using '-' as an element
of the database-path. If more than one database-path element is '-',
later instances are ignored.

A new option to locate, '--all' ('-A') causes matches to be limited to
entries which match all given patterns, not entries which match
one or more patterns.

** Documentation Changes

Some typos in the manual pages have been fixed.  Various parts of the
manual now point out that it is good practice to quote the argument of
"-name".  The manpage now has a "NON-BUGS" section which explains some
symptoms that look like bugs but aren't.  The explanations of the "%k"
and "%b" directives to "find -printf" have been improved.

--
James Youngman <address@hidden>
GNU findutils maintainer
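
The failure mode described under "Security Fixes", shown as an added example (not code from findutils or from this announcement, and not a description of how findutils fixed it): a walk that follows symbolic links the way "find -L" does, but refuses to descend into a directory that is already on the current path. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def walk_following_links(root):
    """Yield (path, is_loop) depth-first, following symlinks as "find -L" does.
    Directories are keyed by (st_dev, st_ino); an entry resolving to one already
    on the current path gets is_loop=True and is not descended into."""
    def visit(path, ancestors):
        try:
            st = os.stat(path)  # follows symlinks
        except OSError:
            yield path, False  # dangling link or unreadable entry
            return
        key = (st.st_dev, st.st_ino)
        if stat.S_ISDIR(st.st_mode) and key in ancestors:
            yield path, True  # resolves to an ancestor: do not descend
            return
        yield path, False
        if not stat.S_ISDIR(st.st_mode):
            return
        try:
            names = sorted(os.listdir(path))
        except OSError:
            return
        for name in names:
            yield from visit(os.path.join(path, name), ancestors | {key})

    yield from visit(root, frozenset())


def find_loops(root):
    """Return entries that would send a link-following walk in circles."""
    return [p for p, is_loop in walk_following_links(root) if is_loop]


def build_sample_tree():
    """Constructed sample: docs/self -> ".", docs/up -> "..", one plain file."""
    root = tempfile.mkdtemp(prefix="findloop-")
    docs = os.path.join(root, "docs")
    os.mkdir(docs)
    open(os.path.join(docs, "readme.txt"), "w").close()
    os.symlink(".", os.path.join(docs, "self"))
    os.symlink("..", os.path.join(docs, "up"))
    return root


if __name__ == "__main__":
    print("\n".join(find_loops(build_sample_tree())))
```

Running find_loops() over a tree before a link-following job (for example a scheduled database update) lists the entries a user could have planted to stall it.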



