This message announces the Automake 1.11.6 bug-fixing release. This release FIXES A SECURITY VULNERABILITY (CVE-2012-3386), so you are strongly encouraged to upgrade your existing Automake installation ASAP.

With this release, the recipe of the 'distcheck' target no longer grants temporary world-wide write permissions on the extracted distdir. Even if such rights were only granted for a vanishingly small time window, the implied race condition proved to be enough to allow a local attacker to run arbitrary code with the privileges of the user running "make distcheck". The fix of this security vulnerability is the only change between the earlier 1.11.5 release and the present 1.11.6 one.

Download the fixed release here:

  ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.gz
  ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.xz

Please report bugs and problems to <bug-autom...@gnu.org>, and send general comments and feedback to <autom...@gnu.org>.

Thanks to everyone who has reported problems, contributed patches, and helped testing Automake!
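The distcheck recipe is copied into every generated Makefile.in, so files produced by an older Automake keep it until they are regenerated. The following audit script is an added example, not part of the original announcement or of Automake; it assumes the permissive recipe uses a symbolic chmod mode (such as a+w or o+w) on $(distdir), and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list generated Makefile.in / Makefile files whose recipes
# still grant world write access on the extracted distdir.

# Assumption: the permissive recipe runs chmod with a symbolic mode whose
# "who" part includes 'a' or 'o' and whose permissions include 'w', applied
# to $(distdir) or ${distdir} within the same shell command.
WORLD_WRITE_DISTDIR='chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*[ugoa]*[ao][ugoa]*[+=][rwxXst]*w[rwxXst]*[[:space:]]+[^;&|]*\$[({]distdir[)}]'

# scan_distcheck_perms ROOT
# Prints, one per line and sorted, every matching file below ROOT.
scan_distcheck_perms() {
    find "${1:-.}" -type f \( -name Makefile.in -o -name Makefile \) \
        -exec grep -lE "$WORLD_WRITE_DISTDIR" {} + | sort
}

# make_sample_tree
# Builds a throwaway tree with two constructed Makefile.in files (not real
# project files) and prints its path: one recipe opens the distdir to
# everyone, the other only to the owner.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/old" "$d/fixed"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod a+w $(distdir)\n' \
        > "$d/old/Makefile.in"
    printf 'distcheck: dist\n\tchmod -R a-w $(distdir); chmod u+w $(distdir)\n' \
        > "$d/fixed/Makefile.in"
    echo "$d"
}

# Scan the tree given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    scan_distcheck_perms "$1"
fi
```

Any file it reports should be regenerated with a fixed Automake before "make distcheck" is run on a machine shared with other local users.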