---
- branch: MAIN
  date: Thu Sep 3 08:14:13 UTC 2020
  files:
  - new: '1.20'
    old: '1.19'
    path: pkgsrc/textproc/miller/Makefile
    pathrev: pkgsrc/textproc/miller/Makefile@1.20
    type: modified
  - new: '1.19'
    old: '1.18'
    path: pkgsrc/textproc/miller/distinfo
    pathrev: pkgsrc/textproc/miller/distinfo@1.19
    type: modified
  id: 20200903T081413Z.f09dd71e0c9152d68ec335d82b3fb350c6828991
  log: |
    miller: update to 5.9.1.

    ChangeLog:

    Security update: disallow --prepipe in .mlrrc

    As of Miller 5.9.0, you can have a .mlrrc file containing preferred
    flags. As reported in #363, it would be possible for someone to prepare
    a repository or some other zipfile/tarfile, for example, containing
    datasets, and send it to you. They could have a line of the form
    prepipe do_something_bad; cat in that repository, so when you ran any
    mlr commands in there, it would run the do_something_bad command
    (whatever that might be).

    The fix is (a) disallow prepipe within .mlrrc files; (b) as a
    consolation, allow new prepipe-zcat and prepipe-gunzip options which
    are safe to use.

    Fixes CVE-2020-15167.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/textproc/miller'
  unixtime: '1599120853'
  user: fcambus