1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3035-1] bash security update

    From Salvatore Bonaccorso@1:229/2 to All on Thu Sep 25 23:20:01 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3035-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso September 25, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : bash
    CVE ID : CVE-2014-7169
    Debian Bug : 762760 762761

    Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271
    released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
    incomplete and could still allow some characters to be injected into
    another environment (CVE-2014-7169). With this update prefix and suffix
    for environment variable names which contain shell functions are added
    as hardening measure.

    Additionally two out-of-bounds array accesses in the bash parser are
    fixed which were revealed in Red Hat's internal analysis for these
    issues and also independently reported by Todd Sabin.

    For the stable distribution (wheezy), these problems have been fixed in
    version 4.2+dfsg-0.1+deb7u3.

    We recommend that you upgrade your bash packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJUJIZRAAoJEAVMuPMTQ89EBjMP/3QWVLlaIlKEiZ84LAwsyf5h DZXP9mTEnXOyPlwbsydG4qJNuv0QQvkDmy0nQm8J8U9tWtRuAPqfdE1O6qHnNQHY 9xFAMk+sro+F4gVuesiRshACy6qII2Ie20ypUT0uyj53Yd0FQwecKtHIMbbOW7AM xDNiMGlv4hzaVOTV3i9z+USsbbaqpTR1QSQMSzP0MPBnc+9idCIyg/LPU0ZJTirL Hdx9AMGk9tlD5BzU9CCA83xigOQ2c3DrAqxT2zidhGsHUVIE4+L2Q0jXwfIXi9B5 wp5DEbGdmfPO0ZuGP40m9T5todlCCPX2/sANePROLkYZjaBKFkptK1l2Kutk7pbE rPevXBUpLzwCN+nS0RRTDaqPyeAA9SIgaKHKeJ03cqs15LXJLbChJLVIwtw1TY35 /ZJaTthGxMwEfLzCvM/O/mwooFl5C7rhEMiDsE3dqVJer5UmbS2uUa0O6s5jFlbS azeEaat25RLQB96Q44gGM0BUvOWtyImApACEa4AW7EA4ElcjlqOlFszVqWL+8mXe uucRq2v14CUgSdo2WRC5WWIaYTtdgDcPqfzrL1ZwzO1QBggCOOgfTscUzvXQzcR3 oB30GhH3Wt8WcyjpMRsJsoU2gtA2QKMHKF252hNmuUsdYlYDxOQBr4Qdf0/t+dOg 2HiapmyVDkvxwSj70zlk
    =hYD1
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Anthony MOLL@1:229/2 to All on Mon Sep 29 14:00:03 2014
    XPost: linux.debian.security
    From: [email protected]

    Je pense que les firewall Netasq sont impacter par cette faille de s�curit�.

    Anthony

    -----Message d'origine-----
    De�: Salvatore Bonaccorso [mailto:[email protected]]
    Envoy�: jeudi 25 septembre 2014 23:19
    ��: [email protected]
    Objet�: [SECURITY] [DSA 3035-1] bash security update

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3035-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso September 25, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : bash
    CVE ID : CVE-2014-7169
    Debian Bug : 762760 762761

    Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this
    update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.

    Additionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin.

    For the stable distribution (wheezy), these problems have been fixed in version 4.2+dfsg-0.1+deb7u3.

    We recommend that you upgrade your bash packages.

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJUJIZRAAoJEAVMuPMTQ89EBjMP/3QWVLlaIlKEiZ84LAwsyf5h DZXP9mTEnXOyPlwbsydG4qJNuv0QQvkDmy0nQm8J8U9tWtRuAPqfdE1O6qHnNQHY 9xFAMk+sro+F4gVuesiRshACy6qII2Ie20ypUT0uyj53Yd0FQwecKtHIMbbOW7AM xDNiMGlv4hzaVOTV3i9z+USsbbaqpTR1QSQMSzP0MPBnc+9idCIyg/LPU0ZJTirL Hdx9AMGk9tlD5BzU9CCA83xigOQ2c3DrAqxT2zidhGsHUVIE4+L2Q0jXwfIXi9B5 wp5DEbGdmfPO0ZuGP40m9T5todlCCPX2/sANePROLkYZjaBKFkptK1l2Kutk7pbE rPevXBUpLzwCN+nS0RRTDaqPyeAA9SIgaKHKeJ03cqs15LXJLbChJLVIwtw1TY35 /ZJaTthGxMwEfLzCvM/O/mwooFl5C7rhEMiDsE3dqVJer5UmbS2uUa0O6s5jFlbS azeEaat25RLQB96Q44gGM0BUvOWtyImApACEa4AW7EA4ElcjlqOlFszVqWL+8mXe uucRq2v14CUgSdo2WRC5WWIaYTtdgDcPqfzrL1ZwzO1QBggCOOgfTscUzvXQzcR3 oB30GhH3Wt8WcyjpMRsJsoU2gtA2QKMHKF252hNmuUsdYlYDxOQBr4Qdf0/t+dOg 2HiapmyVDkvxwSj70zlk
    =hYD1
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)