|
Message-ID: <20140927021133.GA1015@openwall.com> Date: Sat, 27 Sep 2014 06:11:33 +0400 From: Solar Designer <solar@...nwall.com> To: owl-users@...ts.openwall.com Subject: Re: bash security update (CVE-2014-6271) On Thu, Sep 25, 2014 at 08:33:37PM +0400, Solar Designer wrote: > As many of you are aware, the initial bash security updates are not > final. Please expect further updates soon. There's a lengthy thread > discussing this on oss-security, and here's a summary: > > http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html > > There is not yet a consensus on how distros should address the issues, > beyond applying upstream's patches. Here's the revised CHANGES-current entry: 2014/09/25 - 2014/09/27 Package: bash SECURITY FIX Severity: none to high, remote, active Updated to 3.1 patchlevel 19 with additional patches by Florian Weimer of Red Hat. This fixes vulnerabilities with and introduces security hardening of function imports, which could in many setups be exploited remotely. References: http://www.openwall.com/lists/oss-security/2014/09/24/10 http://www.openwall.com/lists/oss-security/2014/09/24/11 http://www.openwall.com/lists/oss-security/2014/09/24/40 http://www.openwall.com/lists/oss-security/2014/09/25/5 http://www.openwall.com/lists/oss-security/2014/09/25/13 http://www.openwall.com/lists/oss-security/2014/09/25/32 http://www.openwall.com/lists/oss-security/2014/09/26/2 http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 The new bash packages in Owl-current are, along with their SHA-256 digests (although I recommend that you check GnuPG signatures on the *.mtree files, and check the RPMs against those): 18b56329786f6620db97eb43d25c5aa98c60a6eae3bd4373218969d0f322e422 bash-3.1.19-owl2.i686.rpm 1c150f2f61ffffcb672e799b148146570c3c4362f201b8578386717a7a3cf607 bash-devel-3.1.19-owl2.i686.rpm 605c556f484021f302210fb6e5655be102559b262ead2b77fb76b77a9b80b8de bash-doc-3.1.19-owl2.i686.rpm 49bd69a4e707a2aac9c0c99881109e2c1d02398d455bf6e5dd0e5498faf35747 owl-etc-1.2-owl1.noarch.rpm 893f7bcc3ef004ea4b549040b00e65a16f3f1991616c6099beded7e95b947132 bash-3.1.19-owl2.x86_64.rpm 183e64f53b374cdd79e2f6f0e1d9697d9a5595d991059392c309ab54bdfed21c bash-devel-3.1.19-owl2.x86_64.rpm c1a7b3caac47c0f1fde8f91513e7e92b48a93196293a1b1fd4244cbb2b5f127c bash-doc-3.1.19-owl2.x86_64.rpm 55674a52399e9c4cbb225ec8837d7c989be9fdd68596b9f16737dd81e3ce3713 owl-etc-1.2-owl1.noarch.rpm I've included owl-etc here because you'll need to upgrade it as well if you're updating a really old version of Owl, since we've moved /etc/profile and /etc/bashrc from owl-etc to bash in 2010. Yes, these packages happen to install and work even on pretty old versions of Owl. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.