On Sat, 28 Mar 2015 08:55:11 -0700
Lew Wolfgang wrote:
On 03/27/2015 09:47 PM, Andrei Borzenkov wrote:
On Fri, 27 Mar 2015 17:03:10 -0700 Lew Wolfgang wrote:
Hi Folks,
I'm having to maintain a 13.2 box with a requirement to run Nessus scans on it. Nessus is complaining about bash related CVE-2014-6271 and related issues. The fix is mentioned here:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
but "zypper in -t patch openSUSE-2014-567" says "patch non-existent or not needed".
Nessus identifies the installed bash as bash-4.2-75.3.1, but says it should be bash-4.2-75.4.1.
This doesn't work either:
zypper patch --cve=CVE-2014-6217
Is there something wrong with the repositories, or is Nessus barking up the wrong tree?
This is on a fresh 13.2 x86-64 system.
There is no patch for 13.2 because it had been fixed before 13.2 was even released:
* Thu Sep 18 2014 werner@suse.de
- Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
Thanks Andrei. Do you have a link to the reference? I'm going to have to show the IA folks here that their Nessus plugin is confused about bash version numbers. They may have pulled their info from this announcement:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
...that shows a patched 13.2 should report bash-4.2-75.4.1.
IIRC this was an emergency fix indeed and it was published as an update at this time to avoid waiting for the normal channel. As for version numbers, I must step back - I still do not understand how the release is computed. But it is quite possible that the release number for this update was indeed higher than what we have now. Basically, "4" above is the number of commits since the base revision and commits are counted independently in each repository. But the fact is that the current bash in 13.2 includes fixes for this CVE and has done so for half a year at the very least.
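Added example (not part of the original thread): the changelog entry quoted above is the kind of record `rpm -q --changelog bash` prints for the installed package. The shell function below filters that output for entries naming a given CVE, so the included fix can be shown as evidence when a scanner flags the package by release number. The function names and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the RPM changelog entries that mention a given CVE.
# Reads `rpm -q --changelog <package>` output on stdin.
# Exit status: 0 if at least one entry names the CVE, 1 otherwise.
cve_changelog_entries() {
    awk -v cve="$1" '
        # Print the buffered entry if it mentioned the CVE.
        function emit() { if (hit) { print header body; found = 1 } }

        # Entry header, e.g. "* Thu Sep 18 2014 werner@suse.de"
        /^\* / { emit(); header = $0; body = ""; hit = 0; next }

        {
            body = body "\n" $0
            # Require a non-digit (or end of line) after the id so that a
            # query for CVE-2014-6271 does not match CVE-2014-62710.
            if ($0 ~ (cve "([^0-9]|$)")) hit = 1
        }

        END { emit(); exit !found }
    '
}

# Constructed sample input. The first entry is the one quoted in the
# thread; the second is a made-up entry that must not be reported.
sample_changelog() {
    cat <<'EOF'
* Thu Sep 18 2014 werner@suse.de
- Add bash-4.2-CVE-2014-6271.patch
  to fix CVE-2014-6271, the unexpected code execution with
  environment variables (bnc#896776)

* Mon Sep 01 2014 packager@example.com
- Constructed entry: documentation update only
EOF
}

# Stand-alone run against the sample. On a real system use:
#   rpm -q --changelog bash | cve_changelog_entries CVE-2014-6271
sample_changelog | cve_changelog_entries CVE-2014-6271
```

A non-zero exit status means no changelog entry names that CVE id. That alone does not prove the package is unpatched, because a fix may be recorded under a different id or a bug number.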