openSUSE Security Update: update for bash ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1310-1 Rating: moderate References: #898812 #898884 Cross-References: CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7187 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: - Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053 - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051 - Add patches bash-4.2-heredoc-eof-delim.patch for bsc#898812, CVE-2014-6277: more troubles with functions bash-4.2-parse-exportfunc.patch for bsc#898884, CVE-2014-6278: code execution after original 6271 fix - Make bash-4.2-extra-import-func.patch an optional patch due instruction - Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50 - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-595 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): bash-4.2-68.12.1 bash-debuginfo-4.2-68.12.1 bash-debugsource-4.2-68.12.1 bash-devel-4.2-68.12.1 bash-loadables-4.2-68.12.1 bash-loadables-debuginfo-4.2-68.12.1 libreadline6-6.2-68.12.1 libreadline6-debuginfo-6.2-68.12.1 readline-devel-6.2-68.12.1 - openSUSE 13.1 (x86_64): bash-debuginfo-32bit-4.2-68.12.1 libreadline6-32bit-6.2-68.12.1 libreadline6-debuginfo-32bit-6.2-68.12.1 readline-devel-32bit-6.2-68.12.1 - openSUSE 13.1 (noarch): bash-doc-4.2-68.12.1 bash-lang-4.2-68.12.1 readline-doc-6.2-68.12.1 References: http://support.novell.com/security/cve/CVE-2014-6271.html http://support.novell.com/security/cve/CVE-2014-6277.html http://support.novell.com/security/cve/CVE-2014-6278.html http://support.novell.com/security/cve/CVE-2014-7169.html http://support.novell.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=898812 https://bugzilla.suse.com/show_bug.cgi?id=898884