---
- branch: MAIN
  date: Fri Dec 8 19:59:47 UTC 2023
  files:
  - new: '1.47'
    old: '1.46'
    path: pkgsrc/shells/fish/Makefile
    pathrev: pkgsrc/shells/fish/Makefile@1.47
    type: modified
  - new: '1.34'
    old: '1.33'
    path: pkgsrc/shells/fish/distinfo
    pathrev: pkgsrc/shells/fish/distinfo@1.34
    type: modified
  id: 20231208T195947Z.016a8c56225b6b95e45aef06b73cb2c5d2a2ec1c
  log: |
    fish: update to 3.6.2.

    fish 3.6.2 (released December 4, 2023)
    ======================================

    This release of fish contains a security fix for CVE-2023-49284, a
    minor security problem identified in fish 3.6.1 and previous versions
    (thought to affect all released versions of fish).

    fish uses certain Unicode non-characters internally for marking
    wildcards and expansions. It incorrectly allowed these markers to be
    read on command substitution output, rather than transforming them
    into a safe internal representation.

    For example, ``echo \UFDD2HOME`` has the same output as ``echo $HOME``.

    While this may cause unexpected behavior with direct input, this may
    become a minor security problem if the output is being fed from an
    external program into a command substitution where this output may
    not be expected.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/shells/fish'
  unixtime: '1702065587'
  user: wiz