From the Changes section of mksh's website: R50c is a security fix release: [tg] Know more rare signals when generating sys_signame[] replacement [tg] OpenBSD sync (mostly RCSID only) [tg] Document HISTSIZE limit; found by luigi_345 on IRC [zacts] Fix link to Debian .mkshrc [tg] Cease exporting $RANDOM (Debian #760857) [tg] Fix C99 compatibility [tg] Work around klibc bug causing a coredump (Debian #763842) [tg] Use issetugid(2) as additional check if we are FPRIVILEGED [tg] SECURITY: do not permit += from environment [tg] Fix more field splitting bugs reported by Stephane Chazelas and mikeserv; document current status wrt. ambiguous ones as testcases too app-shells/mksh-50c is already in the tree.
New GLSA request filed. @Maintainer(s): Please clean up vulnerable versions from the tree
+ 01 Jan 2015; Mikle Kolyada <zlogene@gentoo.org> -mksh-48b.ebuild, + -mksh-49.ebuild, -mksh-50b.ebuild, -mksh-50c.ebuild: + Security cleanup +
https://www.mirbsd.org/permalinks/wlog-10_e20141003-tg.htm#e20141003-tg_wlog-10 The issue has not got a CVE identifier because it was identified as low-risk
This issue was resolved and addressed in GLSA 201511-01 at https://security.gentoo.org/glsa/201511-01 by GLSA coordinator Yury German (BlueKnight).