[opensuse-packaging] fyi : Thread: Vulnerability in bash
Fyi, http://forums.opensuse.org/showthread.php/501161-Vulnerability-in-bash
--Glenn
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org

On Thu, Sep 25, 2014 at 2:58 AM, <doiggl@velocitynet.com.au> wrote:
> Fyi, http://forums.opensuse.org/showthread.php/501161-Vulnerability-in-bash
> --Glenn

We got the update yesterday, at least in 13.1. I myself also disabled all AcceptEnv vars from sshd_config, just in case, and will leave it so until they bring some trouble by being disabled.

Someone said there's another hole in the fixed bash?
http://ww2.sinaimg.cn/bmiddle/9e35e64fgw1ekojtbhf96j20ih0dn0vs.jpg
Marguerite

On 09/25/2014 10:29 AM, marguerite wrote:
> Someone said there's another hole in the fixed bash?

Yes, MITRE issued a new CVE (CVE-2014-7169) for issues remaining after the patch. I haven't heard any specific details as to what those issues might be.
-- Jason Craig

On Thu, Sep 25, 2014 at 1:31 PM, Jason Craig <jc@jacraig.com> wrote:
> On 09/25/2014 10:29 AM, marguerite wrote:
>> Someone said there's another hole in the fixed bash?
> Yes, MITRE issued a new CVE (CVE-2014-7169) for issues remaining after the patch. I haven't heard any specific details as to what those issues might be.

So, I'm glad I decided to disable the AcceptEnv ;-) I wonder if one can configure ssh to validate the values in the environment variables? LANG variables don't need arbitrary stuff, just one of several possible locales

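An added example, not part of any message in this thread: a shell helper that lists the AcceptEnv patterns still active in an sshd_config, the setting disabled above. sshd matches AcceptEnv against variable names only, so the listing shows which client-supplied variables would reach the login shell; the function names and the sample config are constructed for illustration.

```shell
# Constructed sample sshd_config fragment (not taken from the thread).
sample_config() {
    cat <<'EOF'
# locale forwarding
AcceptEnv LANG LC_CTYPE LC_MESSAGES
acceptenv LC_*
#AcceptEnv XMODIFIERS
Match User backup
    AcceptEnv RSYNC_*
EOF
}

# Print one "scope<TAB>pattern<TAB>kind" line per active AcceptEnv pattern.
# scope is "global" or the criteria of the enclosing Match block;
# kind is "wildcard" when the pattern contains * or ?, else "exact".
list_acceptenv() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            # tolerate the Keyword=value spelling as well
            if ($0 ~ /^[ \t]*[A-Za-z]+[ \t]*=/) sub(/[ \t]*=[ \t]*/, " ")
            kw = tolower($1)                   # keywords are case-insensitive
            if (kw == "match") {               # later lines belong to this block
                scope = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", scope)
                next
            }
            if (kw == "acceptenv")
                for (i = 2; i <= NF; i++)
                    printf "%s\t%s\t%s\n", (scope == "" ? "global" : scope), $i, ($i ~ /[*?]/ ? "wildcard" : "exact")
        }
    ' "$1"
}

# Number of active patterns; 0 means no client-supplied variable is accepted.
count_acceptenv() {
    list_acceptenv "$1" | wc -l | tr -d ' '
}
```

Run it as `list_acceptenv /etc/ssh/sshd_config`; the sample above yields five patterns, two of them wildcards.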
On Thu, Sep 25, 2014 at 10:31:23AM -0600, Jason Craig wrote:
> On 09/25/2014 10:29 AM, marguerite wrote:
>> Someone said there's another hole in the fixed bash?
> Yes, MITRE issued a new CVE (CVE-2014-7169) for issues remaining after the patch. I haven't heard any specific details as to what those issues might be.

They so far seem way less critical than the original one.
Ciao, Marcus

participants (5)
- Claudio Freire
- doiggl@velocitynet.com.au
- Jason Craig
- Marcus Meissner
- marguerite