(Please note: this release builds and runs successfully, but the test suite does not pass. A new version will be released shortly.)

This release of fish contains a security fix for CVE-2023-49284, a minor security problem identified in fish 3.6.1 and previous versions (thought to affect all released versions of fish).

fish uses certain Unicode non-characters internally for marking wildcards and expansions. It incorrectly allowed these markers to be read on command substitution output, rather than transforming them into a safe internal representation.

For example, echo \UFDD2HOME has the same output as echo $HOME.

While this may cause unexpected behavior with direct input, this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected.

Download links: To download the source code for fish, we suggest the file named "fish-3.6.2.tar.xz". The file downloaded from "Source code (tar.gz)" will not build correctly. The SHA-256 sum of this file is a21a6c986f1f80273895ba7e905fa80ad7e1a262ddb3d979efa443367eaf4863. A GPG signature from David Adam (key ID 0x7A67D962D88A709A) is available as "fish-3.6.2.tar.xz.asc".