sed @ Savannah: sed-4.10 released [stable]
This is to announce sed-4.10, a stable release.
It's been more than 3.5 years and quite a few new bug fixes.
Special thanks to Paul Eggert, Bruno Haible and Collin Funk
for all their help, and especially to Bruno for all the gnulib
support and thorough and indefatigable testing and analysis.There have been 92 commits by 9 people in the 180 weeks since 4.9.
See the NEWS below for a brief summary.
Thanks to everyone who has contributed!
The following people contributed changes to this release:Arkadiusz Drabczyk (2)
Ash Roberts (1)
Brun Haible (1)
Bruno Haible (5)
Collin Funk (5)
Hans Ginzel (1)
Jim Meyering (60)
Paul Eggert (16)
Weixie Cui (1)Jim
[on behalf of the sed maintainers] ==================================================================Here is the GNU sed home page:
https://gnu.org/s/sed/Here are the compressed sources:
https://ftp.gnu.org/gnu/sed/sed-4.10.tar.gz (2.7MB)
https://ftp.gnu.org/gnu/sed/sed-4.10.tar.xz (1.7MB)Here are the GPG detached signatures:
https://ftp.gnu.org/gnu/sed/sed-4.10.tar.gz.sig
https://ftp.gnu.org/gnu/sed/sed-4.10.tar.xz.sigUse a mirror for higher download bandwidth:
https://www.gnu.org/order/ftp.htmlHere are the SHA256 and SHA3-256 checksums:
SHA256 (sed-4.10.tar.gz) = TRef+vkuxNzsVB98Ayvhw7mhhW9JcK25WlBSIXAvUnc=
SHA3-256 (sed-4.10.tar.gz) = ftB7Hf2uN4RnayBEgasV7KmqZqCxBUj7e+Am6WDaiKk=
SHA256 (sed-4.10.tar.xz) = uOchgrLslqNXTimYxHt6qmTMIM4ADY6awxPMB87PKMc=
SHA3-256 (sed-4.10.tar.xz) = bVWJvXR28fvhgP1XTpej6t8V+Bh2YI1lL6aGBy1cG5c=Verify the base64 SHA256 checksum with 'cksum -a sha256 --check'
from coreutils-9.2 or OpenBSD's cksum since 2007.Verify the base64 SHA3-256 checksum with 'cksum -a sha3 --check'
from coreutils-9.8.Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:gpg --verify sed-4.10.tar.gz.sig
The signature should match the fingerprint of the following key:
pub rsa4096/0x7FD9FCCB000BEEEE 2010-06-14 [SCEA] Key fingerprint = 155D 3FC5 00C8 3448 6D1E EA67 7FD9 FCCB 000B EEEE
uid [ unknown] Jim Meyering <jim@meyering.net>
uid [ unknown] Jim Meyering <meyering@fb.com>
uid [ unknown] Jim Meyering <meyering@gnu.org>If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.gpg --locate-external-key jim@meyering.net
gpg --recv-keys 7FD9FCCB000BEEEE
wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=sed&download=1' | gpg --import -
As a last resort to find the key, you can try the official GNU
keyring:wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
gpg --keyring gnu-keyring.gpg --verify sed-4.10.tar.gz.sigThis release is based on the sed git repository, available as
git clone https://https.git.savannah.gnu.org/git/sed.git
with commit 89b7a2224d4faa9d8baf76094b1232ad1477ef3e tagged as v4.10.
For a summary of changes and contributors, see:
https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=shortlog;h=v4.10
or run this command from a git-cloned sed directory:
git shortlog v4.9..v4.10This release was bootstrapped with the following tools:
Autoconf 2.73.1-b400b
Automake 1.18.1.91
Gnulib 2026-04-19 15211966deb52d4cae425c655177a815a88d3fc0NEWS
* Noteworthy changes in release 4.10 (2026-04-21) [stable]
** Bug fixes
sed 's/a/b/g' (and other global substitutions) now works on input
lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
would evoke a "panic" (exit 4).
[bug present since the beginning]'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
an attacker swap a symlink between resolution and open, causing sed to
read attacker-chosen content and write it to the original target.
[bug introduced in sed 4.1e]sed no longer falsely matches when back-references are combined with
optional groups (.?) and the $ anchor. For example, this no longer
falsely matches the empty string at beginning of line:
$ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
Xab
[bug present since "the beginning"]In --posix mode, sed no longer mishandles backslash escapes (\n,
\t, \a, etc.) after a named character class like [[:alpha:]].
For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
trailing newline, treating \n as a literal backslash and an 'n'
rather than a newline. This happened when an earlier backslash
escape in the same regex had already been converted, shifting the
in-place normalization buffer.
[bug introduced in sed 4.9]sed --debug no longer crashes when a label (":") command is compiled
before the --debug option is processed, e.g., sed -f<(...) --debug.
[bug introduced in sed 4.7 with --debug]sed no longer rejects the documented GNU extension 'a**' (equivalent
to 'a*') in Basic Regular Expression (BRE) mode. Previously, this
worked only with -E (ERE mode), even though grep has always accepted
it in BRE mode.
[bug present since "the beginning"]sed no longer rejects "\c[" in regular expressions
[bug present since the beginning]'sed --follow-symlinks -i' no longer mishandles an operand that is a
short symbolic link to a long symbolic link to a file.
[bug introduced in sed 4.9]Fix some some longstanding but unlikely integer overflows.
Internally, 'sed' now more often prefers signed integer arithmetic,
which can be checked automatically via 'gcc -fsanitize=undefined'.** Changes in behavior
In the default C locale, diagnostics now quote 'like this' (with
apostrophes) instead of `like this' (with a grave accent and an
apostrophe). This tracks the GNU coding standards.'sed --posix' now warns about uses of backslashes in the 's' command
that are handled by GNU sed but are not portable to other
implementations.** Build-related
builds no longer fail on platforms without the <getopt.h> header or
getopt_long function.
[bug introduced in sed 4.9]
Source: Planet GNU