Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20140927021133.GA1015@openwall.com>
Date: Sat, 27 Sep 2014 06:11:33 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: bash security update (CVE-2014-6271)

On Thu, Sep 25, 2014 at 08:33:37PM +0400, Solar Designer wrote:
> As many of you are aware, the initial bash security updates are not
> final.  Please expect further updates soon.  There's a lengthy thread
> discussing this on oss-security, and here's a summary:
> 
> http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
> 
> There is not yet a consensus on how distros should address the issues,
> beyond applying upstream's patches.

Here's the revised CHANGES-current entry:

2014/09/25 -
2014/09/27	Package: bash
SECURITY FIX	Severity: none to high, remote, active
Updated to 3.1 patchlevel 19 with additional patches by Florian Weimer
of Red Hat.  This fixes vulnerabilities with and introduces security
hardening of function imports, which could in many setups be exploited
remotely.
References:
http://www.openwall.com/lists/oss-security/2014/09/24/10
http://www.openwall.com/lists/oss-security/2014/09/24/11
http://www.openwall.com/lists/oss-security/2014/09/24/40
http://www.openwall.com/lists/oss-security/2014/09/25/5
http://www.openwall.com/lists/oss-security/2014/09/25/13
http://www.openwall.com/lists/oss-security/2014/09/25/32
http://www.openwall.com/lists/oss-security/2014/09/26/2
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

The new bash packages in Owl-current are, along with their SHA-256
digests (although I recommend that you check GnuPG signatures on the
*.mtree files, and check the RPMs against those):

18b56329786f6620db97eb43d25c5aa98c60a6eae3bd4373218969d0f322e422  bash-3.1.19-owl2.i686.rpm
1c150f2f61ffffcb672e799b148146570c3c4362f201b8578386717a7a3cf607  bash-devel-3.1.19-owl2.i686.rpm
605c556f484021f302210fb6e5655be102559b262ead2b77fb76b77a9b80b8de  bash-doc-3.1.19-owl2.i686.rpm
49bd69a4e707a2aac9c0c99881109e2c1d02398d455bf6e5dd0e5498faf35747  owl-etc-1.2-owl1.noarch.rpm

893f7bcc3ef004ea4b549040b00e65a16f3f1991616c6099beded7e95b947132  bash-3.1.19-owl2.x86_64.rpm
183e64f53b374cdd79e2f6f0e1d9697d9a5595d991059392c309ab54bdfed21c  bash-devel-3.1.19-owl2.x86_64.rpm
c1a7b3caac47c0f1fde8f91513e7e92b48a93196293a1b1fd4244cbb2b5f127c  bash-doc-3.1.19-owl2.x86_64.rpm
55674a52399e9c4cbb225ec8837d7c989be9fdd68596b9f16737dd81e3ce3713  owl-etc-1.2-owl1.noarch.rpm

I've included owl-etc here because you'll need to upgrade it as well if
you're updating a really old version of Owl, since we've moved
/etc/profile and /etc/bashrc from owl-etc to bash in 2010.  Yes, these
packages happen to install and work even on pretty old versions of Owl.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.