SUSE Security Update: bash
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1260-1
Rating: critical
References: #896776
Cross-References: CVE-2014-6271
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
12
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
bash was updated to fix unexpected code execution with environment
variables (CVE-2014-6271).
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2014-59
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2014-59
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2014-59
- 12:
zypper in -t patch SUSE-SLE-WE-12-2014-59
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
bash-debuginfo-4.2-77.1
bash-debugsource-4.2-77.1
bash-devel-4.2-77.1
readline-devel-6.2-77.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
bash-4.2-77.1
bash-debuginfo-4.2-77.1
bash-debugsource-4.2-77.1
libreadline6-6.2-77.1
libreadline6-debuginfo-6.2-77.1
- SUSE Linux Enterprise Server 12 (noarch):
bash-doc-4.2-77.1
readline-doc-6.2-77.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
bash-4.2-77.1
bash-debuginfo-4.2-77.1
bash-debugsource-4.2-77.1
libreadline6-6.2-77.1
libreadline6-debuginfo-6.2-77.1
- SUSE Linux Enterprise Desktop 12 (noarch):
bash-doc-4.2-77.1
bash-lang-4.2-77.1
readline-doc-6.2-77.1
- 12 (noarch):
bash-lang-4.2-77.1
References:
http://support.novell.com/security/cve/CVE-2014-6271.html
https://bugzilla.suse.com/show_bug.cgi?id=896776
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
SUSE Security Update: bash
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1259-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
12
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).
Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and it is less serious due to
the special, non-default system configuration that is needed to create an
exploitable situation.
To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.
Additionally, two more security issues were fixed in bash:
CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 12:
zypper in -t patch SUSE-SLE-SDK-12-2014-63
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2014-63
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2014-63
- 12:
zypper in -t patch SUSE-SLE-WE-12-2014-63
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
bash-debuginfo-4.2-81.1
bash-debugsource-4.2-81.1
bash-devel-4.2-81.1
readline-devel-6.2-81.1
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
bash-4.2-81.1
bash-debuginfo-4.2-81.1
bash-debugsource-4.2-81.1
libreadline6-6.2-81.1
libreadline6-debuginfo-6.2-81.1
- SUSE Linux Enterprise Server 12 (noarch):
bash-doc-4.2-81.1
readline-doc-6.2-81.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
bash-4.2-81.1
bash-debuginfo-4.2-81.1
bash-debugsource-4.2-81.1
libreadline6-6.2-81.1
libreadline6-debuginfo-6.2-81.1
- SUSE Linux Enterprise Desktop 12 (noarch):
bash-doc-4.2-81.1
bash-lang-4.2-81.1
readline-doc-6.2-81.1
- 12 (noarch):
bash-lang-4.2-81.1
References:
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604
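The BASH_FUNC_ hardening described in the advisory above can be checked from outside bash by looking for function-style values stored under unprefixed variable names. The script below is an added example, not SUSE's or the bash project's code; it assumes a function-style value begins with `() {` and that entries arrive one NAME=VALUE per line, and its function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: flag environment entries that carry a function-style value
# under a name WITHOUT the BASH_FUNC_ prefix. After the hardening update such
# entries are no longer imported as functions, so finding one points at an
# unpatched exporter or at untrusted input placed in the environment.
# Assumption: a function-style value is one that begins with "() {".

# classify_env_entry NAME VALUE -> plain | function-prefixed | function-unprefixed
classify_env_entry() {
    case $2 in
        '() {'*) ;;                       # looks like an exported function body
        *) echo plain; return 0 ;;
    esac
    case $1 in
        BASH_FUNC_*) echo function-prefixed ;;
        *)           echo function-unprefixed ;;
    esac
}

# audit_env_stream: read NAME=VALUE lines on stdin, name each unprefixed
# function-style entry on stderr, and print the number found on stdout.
# Limitation: values containing newlines are split across lines.
audit_env_stream() {
    flagged=0
    while IFS= read -r entry; do
        case $entry in
            *=*) ;;
            *) continue ;;                # not a NAME=VALUE line
        esac
        name=${entry%%=*}
        value=${entry#*=}
        if [ "$(classify_env_entry "$name" "$value")" = function-unprefixed ]; then
            printf 'unprefixed function-style value: %s\n' "$name" >&2
            flagged=$((flagged + 1))
        fi
    done
    echo "$flagged"
}

# Constructed sample environment (not taken from a real system).
sample_env() {
    printf '%s\n' \
        'PATH=/usr/bin:/bin' \
        'legacy_helper=() { echo constructed; }' \
        'BASH_FUNC_greet=() { echo constructed; }' \
        'LANG=en_US.UTF-8'
}

sample_env | audit_env_stream    # prints 1; legacy_helper is named on stderr
```

To audit a running process, pipe the output of `tr '\0' '\n' < /proc/PID/environ` into `audit_env_stream`, where PID is a placeholder for the process ID.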
SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1220-3
Rating: important
References: #897890
Cross-References: CVE-2014-1568
Affected Products:
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________
An update that fixes one vulnerability is now available. It
includes one version update.
Description:
Mozilla NSS was updated to version 3.16.5 to fix an RSA certificate forgery
issue.
MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher
at Inria Paris in team Prosecco, reported an issue in Network Security
Services (NSS) libraries affecting all versions. He discovered that NSS is
vulnerable to a variant of a signature forgery attack previously published
by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values
involved in a signature and could lead to the forging of RSA certificates.
The Advanced Threat Research team at Intel Security also independently
discovered and reported this issue.
Security Issues:
* CVE-2014-1568
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-libfreebl3-9775
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 3.16.5]:
libfreebl3-3.16.5-0.4.2.1
mozilla-nss-3.16.5-0.4.2.1
mozilla-nss-tools-3.16.5-0.4.2.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.16.5]:
libfreebl3-32bit-3.16.5-0.4.2.1
mozilla-nss-32bit-3.16.5-0.4.2.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.16.5]:
mozilla-nss-3.16.5-0.5.1
mozilla-nss-devel-3.16.5-0.5.1
mozilla-nss-tools-3.16.5-0.5.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.16.5]:
mozilla-nss-32bit-3.16.5-0.5.1
References:
http://support.novell.com/security/cve/CVE-2014-1568.html
https://bugzilla.suse.com/show_bug.cgi?id=897890
http://download.suse.com/patch/finder/?keywords=2ee24d8f2ff89770e348b8257c8…
http://download.suse.com/patch/finder/?keywords=c6f6720a0652853ecb54d85b96a…
SUSE Security Update: Security update for bash
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1247-2
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).
Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and is less serious due to the
special, non-default system configuration that is needed to create an
exploitable situation.
To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.
Additionally, two other security issues have been fixed:
* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
Security Issues:
* CVE-2014-7169
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
* CVE-2014-7186
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
* CVE-2014-7187
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager 1.7 for SLE 11 SP2:
zypper in -t patch sleman17sp2-bash-9779
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager 1.7 for SLE 11 SP2 (x86_64):
bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-32bit-5.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1
References:
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604
http://download.suse.com/patch/finder/?keywords=991d0956c7a6a53ad424c0964c1…
SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1220-2
Rating: important
References: #897890
Cross-References: CVE-2014-1568
Affected Products:
SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________
An update that fixes one vulnerability is now available. It
includes one version update.
Description:
Mozilla NSS was updated to 3.16.5 to fix an RSA certificate forgery issue.
MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher
at Inria Paris in team Prosecco, reported an issue in Network Security
Services (NSS) libraries affecting all versions. He discovered that NSS is
vulnerable to a variant of a signature forgery attack previously published
by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values
involved in a signature and could lead to the forging of RSA certificates.
The Advanced Threat Research team at Intel Security also independently
discovered and reported this issue.
Security Issues:
* CVE-2014-1568
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP2 LTSS:
zypper in -t patch slessp2-libfreebl3-9774
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.16.5]:
libfreebl3-3.16.5-0.4.2.1
mozilla-nss-3.16.5-0.4.2.1
mozilla-nss-devel-3.16.5-0.4.2.1
mozilla-nss-tools-3.16.5-0.4.2.1
- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.16.5]:
libfreebl3-32bit-3.16.5-0.4.2.1
mozilla-nss-32bit-3.16.5-0.4.2.1
References:
http://support.novell.com/security/cve/CVE-2014-1568.html
https://bugzilla.suse.com/show_bug.cgi?id=897890
http://download.suse.com/patch/finder/?keywords=d63b0bfb5e439b036b903e3aa94…
openSUSE Security Update: bash
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1254-1
Rating: critical
References: #895475 #896776
Cross-References: CVE-2014-6271 CVE-2014-7169 CVE-2014-7186
CVE-2014-7187
Affected Products:
openSUSE 13.2
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
bash was updated to fix command injection via environment variables
(CVE-2014-6271, CVE-2014-7169).
Also, a hardening patch was applied that only imports functions from
BASH_FUNC_-prefixed environment variables.
Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents
and a for loop issue.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2014-567
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
bash-4.2-75.4.1
bash-debuginfo-4.2-75.4.1
bash-debugsource-4.2-75.4.1
bash-devel-4.2-75.4.1
bash-loadables-4.2-75.4.1
bash-loadables-debuginfo-4.2-75.4.1
libreadline6-6.2-75.4.1
libreadline6-debuginfo-6.2-75.4.1
readline-devel-6.2-75.4.1
- openSUSE 13.2 (x86_64):
bash-debuginfo-32bit-4.2-75.4.1
libreadline6-32bit-6.2-75.4.1
libreadline6-debuginfo-32bit-6.2-75.4.1
readline-devel-32bit-6.2-75.4.1
- openSUSE 13.2 (noarch):
bash-doc-4.2-75.4.1
bash-lang-4.2-75.4.1
readline-doc-6.2-75.4.1
References:
http://support.novell.com/security/cve/CVE-2014-6271.html
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=895475
https://bugzilla.suse.com/show_bug.cgi?id=896776
openSUSE Security Update: update for bash
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1248-1
Rating: important
References: #896776
Affected Products:
openSUSE Evergreen 11.4
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for bash completely disables the importing of shell functions
from the environment and thereby removes the exposure of the parser to
untrusted/harmful environments.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Evergreen 11.4:
zypper in -t patch 2014-90
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Evergreen 11.4 (i586 x86_64):
bash-4.1-20.35.1
bash-debuginfo-4.1-20.35.1
bash-debugsource-4.1-20.35.1
bash-devel-4.1-18.35.1
bash-loadables-4.1-18.35.1
bash-loadables-debuginfo-4.1-18.35.1
libreadline6-6.1-18.35.1
libreadline6-debuginfo-6.1-18.35.1
readline-devel-6.1-18.35.1
- openSUSE Evergreen 11.4 (x86_64):
bash-debuginfo-32bit-4.1-20.35.1
libreadline6-32bit-6.1-18.35.1
libreadline6-debuginfo-32bit-6.1-18.35.1
readline-devel-32bit-6.1-18.35.1
- openSUSE Evergreen 11.4 (noarch):
bash-doc-4.1-18.35.1
bash-lang-4.1-20.35.1
readline-doc-6.1-18.35.1
- openSUSE Evergreen 11.4 (ia64):
bash-debuginfo-x86-4.1-20.35.1
bash-x86-4.1-20.35.1
libreadline6-debuginfo-x86-6.1-18.35.1
libreadline6-x86-6.1-18.35.1
References:
https://bugzilla.suse.com/show_bug.cgi?id=896776
SUSE Security Update: Security update for bash
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:1247-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP2 LTSS
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP4 LTSS
SUSE Linux Enterprise Server 10 SP3 LTSS
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).
Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and is less serious due to the
special, non-default system configuration that is needed to create an
exploitable situation.
To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.
Additionally, two other security issues have been fixed:
* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
Security Issues:
* CVE-2014-7169
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
* CVE-2014-7186
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
* CVE-2014-7187
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-bash-9780
- SUSE Linux Enterprise Server 11 SP3 for VMware:
zypper in -t patch slessp3-bash-9780
- SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-bash-9780
- SUSE Linux Enterprise Server 11 SP2 LTSS:
zypper in -t patch slessp2-bash-9781
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-bash-9782
- SUSE Linux Enterprise Desktop 11 SP3:
zypper in -t patch sledsp3-bash-9780
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
readline-devel-5.2-147.22.1
- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
readline-devel-32bit-5.2-147.22.1
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
libreadline5-5.2-147.22.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
libreadline5-32bit-5.2-147.22.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
libreadline5-32bit-5.2-147.22.1
- SUSE Linux Enterprise Server 11 SP3 (ia64):
bash-x86-3.2-147.22.1
libreadline5-x86-5.2-147.22.1
- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1
- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
libreadline5-32bit-5.2-147.14.22.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1
- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):
libreadline5-32bit-5.2-147.14.22.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
bash-3.1-24.34.1
readline-5.1-24.34.1
readline-devel-5.1-24.34.1
- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
readline-32bit-5.1-24.34.1
readline-devel-32bit-5.1-24.34.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
bash-3.1-24.34.1
readline-5.1-24.34.1
readline-devel-5.1-24.34.1
- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
readline-32bit-5.1-24.34.1
readline-devel-32bit-5.1-24.34.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
libreadline5-32bit-5.2-147.22.1
References:
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604
http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e845919…
http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba9…
http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7…
http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd749…
http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2…
openSUSE Security Update: bash
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1242-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
Affected Products:
openSUSE 13.1
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).
Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and it is less serious due to
the special, non-default system configuration that is needed to create an
exploitable situation.
To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.
Additionally, two more security issues were fixed in bash:
CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.1:
zypper in -t patch openSUSE-2014-564
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.1 (i586 x86_64):
bash-4.2-68.8.1
bash-debuginfo-4.2-68.8.1
bash-debugsource-4.2-68.8.1
bash-devel-4.2-68.8.1
bash-loadables-4.2-68.8.1
bash-loadables-debuginfo-4.2-68.8.1
libreadline6-6.2-68.8.1
libreadline6-debuginfo-6.2-68.8.1
readline-devel-6.2-68.8.1
- openSUSE 13.1 (x86_64):
bash-debuginfo-32bit-4.2-68.8.1
libreadline6-32bit-6.2-68.8.1
libreadline6-debuginfo-32bit-6.2-68.8.1
readline-devel-32bit-6.2-68.8.1
- openSUSE 13.1 (noarch):
bash-doc-4.2-68.8.1
bash-lang-4.2-68.8.1
readline-doc-6.2-68.8.1
References:
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604
openSUSE Security Update: Important security fix for bash that allows the injection of commands.
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1238-1
Rating: important
References: #896776
Cross-References: CVE-2014-6271
Affected Products:
openSUSE Evergreen 11.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update fixes a bug in the bash shell that allows an attacker to
execute arbitrary commands upon shell invocation if he can control the
shell's environment. This is particularly dangerous if the shell is used
as a CGI interpreter for a web server, or if the shell handles untrusted
input inherited in the environment from other sources.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Evergreen 11.4:
zypper in -t patch 2014-86
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Evergreen 11.4 (i586 x86_64):
bash-4.1-20.31.1
bash-debuginfo-4.1-20.31.1
bash-debugsource-4.1-20.31.1
bash-devel-4.1-18.31.1
bash-loadables-4.1-18.31.1
bash-loadables-debuginfo-4.1-18.31.1
libreadline6-6.1-18.31.1
libreadline6-debuginfo-6.1-18.31.1
readline-devel-6.1-18.31.1
- openSUSE Evergreen 11.4 (x86_64):
bash-debuginfo-32bit-4.1-20.31.1
libreadline6-32bit-6.1-18.31.1
libreadline6-debuginfo-32bit-6.1-18.31.1
readline-devel-32bit-6.1-18.31.1
- openSUSE Evergreen 11.4 (noarch):
bash-doc-4.1-18.31.1
bash-lang-4.1-20.31.1
readline-doc-6.1-18.31.1
- openSUSE Evergreen 11.4 (ia64):
bash-debuginfo-x86-4.1-20.31.1
bash-x86-4.1-20.31.1
libreadline6-debuginfo-x86-6.1-18.31.1
libreadline6-x86-6.1-18.31.1
References:
http://support.novell.com/security/cve/CVE-2014-6271.html
https://bugzilla.suse.com/show_bug.cgi?id=896776