@LnL7, thanks for your PR! By analyzing the history of the files in this pull request, we identified @vcunat to be a potential reviewer.

Should we stage this first?

I'm testing a bit locally first.

I'm also building a bunch of stuff locally, since it's a pretty important package. Looks good so far.

This is the one with big rebuild, but vulnerabilities seem aimed at interactive bash and we default to 4.4 for that, and that branch has no patches for these problems in the upstream list yet.

I noticed 4.4, but as far as I can tell my system doesn't use that.

On my nixos (no bash overrides):

$ bash --version
GNU bash, version 4.4.0(1)-release
...

I hope this fixes all the currently known bash vulnerabilities.

I think so, looks like it's only the default on master/unstable for bashInteractive. We might want to backport this then?

/cc @grahamc

I'm slightly confused. Gentoo seems to have updated to the 4.3-p48 in October and now after several months they make a security alert...

Oh, I looked wrong... the announcement is for 4.3-p48 -r1 vs. vanilla -p48 – they added more patches that haven't been published on the upstream patch list: https://security.gentoo.org/glsa/201701-02

We can do it like Gentoo, adding their patch on top. They've deployed it so it's probably OK.

Let me just do a bit more testing with that.

Is this going to stable?

master uses 4.4 for bashInteractive so this is not super important there, but 16.09 does use this version for everything.

I'll do the picking.

OK Sounds good to me. I wouldn't worry about using a staging branch for 16.09, can you update #21642 when you have?

Oh, an equivalent of this PR was on 16.09 already: #19274 but we were missing these security patches on master :-/

Well I'll be...

I picked that new Gentoo patch at least: e924319, which is all that the current CVE message seems to be about.

Thanks!