September 2014 - openSUSE Security Announce

[security-announce] SUSE-SU-2014:1260-1: critical: bash
by opensuse-security＠opensuse.org 30 Sep '14

30 Sep '14

SUSE Security Update: bash ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1260-1 Rating: critical References: #896776 Cross-References: CVE-2014-6271 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: bash was updated to fix unexpected code execution with environment variables (CVE-2014-6271). Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2014-59 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-59 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-59 - 12: zypper in -t patch SUSE-SLE-WE-12-2014-59 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): bash-debuginfo-4.2-77.1 bash-debugsource-4.2-77.1 bash-devel-4.2-77.1 readline-devel-6.2-77.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): bash-4.2-77.1 bash-debuginfo-4.2-77.1 bash-debugsource-4.2-77.1 libreadline6-6.2-77.1 libreadline6-debuginfo-6.2-77.1 - SUSE Linux Enterprise Server 12 (noarch): bash-doc-4.2-77.1 readline-doc-6.2-77.1 - SUSE Linux Enterprise Desktop 12 (x86_64): bash-4.2-77.1 bash-debuginfo-4.2-77.1 bash-debugsource-4.2-77.1 libreadline6-6.2-77.1 libreadline6-debuginfo-6.2-77.1 - SUSE Linux Enterprise Desktop 12 (noarch): bash-doc-4.2-77.1 bash-lang-4.2-77.1 readline-doc-6.2-77.1 - 12 (noarch): bash-lang-4.2-77.1 References: http://support.novell.com/security/cve/CVE-2014-6271.html https://bugzilla.suse.com/show_bug.cgi?id=896776 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2014:1259-1: important: bash
by opensuse-security＠opensuse.org 30 Sep '14

30 Sep '14

SUSE Security Update: bash ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1259-1 Rating: important References: #898346 #898603 #898604 Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 Affected Products: SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . This hardening feature is work in progress and might be improved in later updates. Additionaly two more security issues were fixed in bash: CVE-2014-7186: Nested HERE documents could lead to a crash of bash. CVE-2014-7187: Nesting of for loops could lead to a crash of bash. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12: zypper in -t patch SUSE-SLE-SDK-12-2014-63 - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2014-63 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2014-63 - 12: zypper in -t patch SUSE-SLE-WE-12-2014-63 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64): bash-debuginfo-4.2-81.1 bash-debugsource-4.2-81.1 bash-devel-4.2-81.1 readline-devel-6.2-81.1 - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): bash-4.2-81.1 bash-debuginfo-4.2-81.1 bash-debugsource-4.2-81.1 libreadline6-6.2-81.1 libreadline6-debuginfo-6.2-81.1 - SUSE Linux Enterprise Server 12 (noarch): bash-doc-4.2-81.1 readline-doc-6.2-81.1 - SUSE Linux Enterprise Desktop 12 (x86_64): bash-4.2-81.1 bash-debuginfo-4.2-81.1 bash-debugsource-4.2-81.1 libreadline6-6.2-81.1 libreadline6-debuginfo-6.2-81.1 - SUSE Linux Enterprise Desktop 12 (noarch): bash-doc-4.2-81.1 bash-lang-4.2-81.1 readline-doc-6.2-81.1 - 12 (noarch): bash-lang-4.2-81.1 References: http://support.novell.com/security/cve/CVE-2014-7169.html http://support.novell.com/security/cve/CVE-2014-7186.html http://support.novell.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=898346 https://bugzilla.suse.com/show_bug.cgi?id=898603 https://bugzilla.suse.com/show_bug.cgi?id=898604 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2014:1220-3: important: Security update for mozilla-nss
by opensuse-security＠opensuse.org 29 Sep '14

29 Sep '14

SUSE Security Update: Security update for mozilla-nss ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1220-3 Rating: important References: #897890 Cross-References: CVE-2014-1568 Affected Products: SUSE Linux Enterprise Server 11 SP1 LTSS SUSE Linux Enterprise Server 10 SP3 LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes one version update. Description: Mozilla NSS was updated to version 3.16.5 to fix a RSA certificate forgery issue. MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Security Issues: * CVE-2014-1568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-libfreebl3-9775 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 3.16.5]: libfreebl3-3.16.5-0.4.2.1 mozilla-nss-3.16.5-0.4.2.1 mozilla-nss-tools-3.16.5-0.4.2.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.16.5]: libfreebl3-32bit-3.16.5-0.4.2.1 mozilla-nss-32bit-3.16.5-0.4.2.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 3.16.5]: mozilla-nss-3.16.5-0.5.1 mozilla-nss-devel-3.16.5-0.5.1 mozilla-nss-tools-3.16.5-0.5.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64) [New Version: 3.16.5]: mozilla-nss-32bit-3.16.5-0.5.1 References: http://support.novell.com/security/cve/CVE-2014-1568.html https://bugzilla.suse.com/show_bug.cgi?id=897890 http://download.suse.com/patch/finder/?keywords=2ee24d8f2ff89770e348b8257c8… http://download.suse.com/patch/finder/?keywords=c6f6720a0652853ecb54d85b96a… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2014:1247-2: important: Security update for bash
by opensuse-security＠opensuse.org 29 Sep '14

29 Sep '14

SUSE Security Update: Security update for bash ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1247-2 Rating: important References: #898346 #898603 #898604 Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 Affected Products: SUSE Manager 1.7 for SLE 11 SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally, two other security issues have been fixed: * CVE-2014-7186: Nested HERE documents could lead to a crash of bash. * CVE-2014-7187: Nesting of for loops could lead to a crash of bash. Security Issues: * CVE-2014-7169 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169> * CVE-2014-7186 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186> * CVE-2014-7187 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-bash-9779 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager 1.7 for SLE 11 SP2 (x86_64): bash-3.2-147.14.22.1 bash-doc-3.2-147.14.22.1 libreadline5-32bit-5.2-147.14.22.1 libreadline5-5.2-147.14.22.1 readline-doc-5.2-147.14.22.1 References: http://support.novell.com/security/cve/CVE-2014-7169.html http://support.novell.com/security/cve/CVE-2014-7186.html http://support.novell.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=898346 https://bugzilla.suse.com/show_bug.cgi?id=898603 https://bugzilla.suse.com/show_bug.cgi?id=898604 http://download.suse.com/patch/finder/?keywords=991d0956c7a6a53ad424c0964c1… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2014:1220-2: important: Security update for mozilla-nss
by opensuse-security＠opensuse.org 29 Sep '14

29 Sep '14

SUSE Security Update: Security update for mozilla-nss ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1220-2 Rating: important References: #897890 Cross-References: CVE-2014-1568 Affected Products: SUSE Linux Enterprise Server 11 SP2 LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. It includes one version update. Description: Mozilla NSS was updated to 3.16.5 to fix a RSA certificate forgery issue. MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Security Issues: * CVE-2014-1568 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-libfreebl3-9774 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.16.5]: libfreebl3-3.16.5-0.4.2.1 mozilla-nss-3.16.5-0.4.2.1 mozilla-nss-devel-3.16.5-0.4.2.1 mozilla-nss-tools-3.16.5-0.4.2.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.16.5]: libfreebl3-32bit-3.16.5-0.4.2.1 mozilla-nss-32bit-3.16.5-0.4.2.1 References: http://support.novell.com/security/cve/CVE-2014-1568.html https://bugzilla.suse.com/show_bug.cgi?id=897890 http://download.suse.com/patch/finder/?keywords=d63b0bfb5e439b036b903e3aa94… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2014:1254-1: critical: bash
by opensuse-security＠opensuse.org 29 Sep '14

29 Sep '14

openSUSE Security Update: bash ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1254-1 Rating: critical References: #895475 #896776 Cross-References: CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: bash was updated to fix command injection via environment variables. (CVE-2014-6271,CVE-2014-7169) Also a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables. Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2014-567 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): bash-4.2-75.4.1 bash-debuginfo-4.2-75.4.1 bash-debugsource-4.2-75.4.1 bash-devel-4.2-75.4.1 bash-loadables-4.2-75.4.1 bash-loadables-debuginfo-4.2-75.4.1 libreadline6-6.2-75.4.1 libreadline6-debuginfo-6.2-75.4.1 readline-devel-6.2-75.4.1 - openSUSE 13.2 (x86_64): bash-debuginfo-32bit-4.2-75.4.1 libreadline6-32bit-6.2-75.4.1 libreadline6-debuginfo-32bit-6.2-75.4.1 readline-devel-32bit-6.2-75.4.1 - openSUSE 13.2 (noarch): bash-doc-4.2-75.4.1 bash-lang-4.2-75.4.1 readline-doc-6.2-75.4.1 References: http://support.novell.com/security/cve/CVE-2014-6271.html http://support.novell.com/security/cve/CVE-2014-7169.html http://support.novell.com/security/cve/CVE-2014-7186.html http://support.novell.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=895475 https://bugzilla.suse.com/show_bug.cgi?id=896776 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2014:1248-1: important: update for bash
by opensuse-security＠opensuse.org 28 Sep '14

28 Sep '14

openSUSE Security Update: update for bash ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1248-1 Rating: important References: #896776 Affected Products: openSUSE Evergreen 11.4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for bash completely disables the importing of shell functions from the environment and thereby remove the exposure of the parser from untrusted/harmful environment. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Evergreen 11.4: zypper in -t patch 2014-90 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Evergreen 11.4 (i586 x86_64): bash-4.1-20.35.1 bash-debuginfo-4.1-20.35.1 bash-debugsource-4.1-20.35.1 bash-devel-4.1-18.35.1 bash-loadables-4.1-18.35.1 bash-loadables-debuginfo-4.1-18.35.1 libreadline6-6.1-18.35.1 libreadline6-debuginfo-6.1-18.35.1 readline-devel-6.1-18.35.1 - openSUSE Evergreen 11.4 (x86_64): bash-debuginfo-32bit-4.1-20.35.1 libreadline6-32bit-6.1-18.35.1 libreadline6-debuginfo-32bit-6.1-18.35.1 readline-devel-32bit-6.1-18.35.1 - openSUSE Evergreen 11.4 (noarch): bash-doc-4.1-18.35.1 bash-lang-4.1-20.35.1 readline-doc-6.1-18.35.1 - openSUSE Evergreen 11.4 (ia64): bash-debuginfo-x86-4.1-20.35.1 bash-x86-4.1-20.35.1 libreadline6-debuginfo-x86-6.1-18.35.1 libreadline6-x86-6.1-18.35.1 References: https://bugzilla.suse.com/show_bug.cgi?id=896776 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] SUSE-SU-2014:1247-1: important: Security update for bash
by opensuse-security＠opensuse.org 28 Sep '14

28 Sep '14

SUSE Security Update: Security update for bash ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1247-1 Rating: important References: #898346 #898603 #898604 Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP2 LTSS SUSE Linux Enterprise Server 11 SP1 LTSS SUSE Linux Enterprise Server 10 SP4 LTSS SUSE Linux Enterprise Server 10 SP3 LTSS SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally, two other security issues have been fixed: * CVE-2014-7186: Nested HERE documents could lead to a crash of bash. * CVE-2014-7187: Nesting of for loops could lead to a crash of bash. Security Issues: * CVE-2014-7169 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169> * CVE-2014-7186 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186> * CVE-2014-7187 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-bash-9780 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-bash-9780 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-bash-9780 - SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-bash-9781 - SUSE Linux Enterprise Server 11 SP1 LTSS: zypper in -t patch slessp1-bash-9782 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-bash-9780 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): readline-devel-5.2-147.22.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): readline-devel-32bit-5.2-147.22.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): libreadline5-5.2-147.22.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): bash-3.2-147.22.1 bash-doc-3.2-147.22.1 libreadline5-5.2-147.22.1 readline-doc-5.2-147.22.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): libreadline5-32bit-5.2-147.22.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): bash-3.2-147.22.1 bash-doc-3.2-147.22.1 libreadline5-5.2-147.22.1 readline-doc-5.2-147.22.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): libreadline5-32bit-5.2-147.22.1 - SUSE Linux Enterprise Server 11 SP3 (ia64): bash-x86-3.2-147.22.1 libreadline5-x86-5.2-147.22.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): bash-3.2-147.14.22.1 bash-doc-3.2-147.14.22.1 libreadline5-5.2-147.14.22.1 readline-doc-5.2-147.14.22.1 - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64): libreadline5-32bit-5.2-147.14.22.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64): bash-3.2-147.14.22.1 bash-doc-3.2-147.14.22.1 libreadline5-5.2-147.14.22.1 readline-doc-5.2-147.14.22.1 - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64): libreadline5-32bit-5.2-147.14.22.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): bash-3.1-24.34.1 readline-5.1-24.34.1 readline-devel-5.1-24.34.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): readline-32bit-5.1-24.34.1 readline-devel-32bit-5.1-24.34.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): bash-3.1-24.34.1 readline-5.1-24.34.1 readline-devel-5.1-24.34.1 - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64): readline-32bit-5.1-24.34.1 readline-devel-32bit-5.1-24.34.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): bash-3.2-147.22.1 bash-doc-3.2-147.22.1 libreadline5-5.2-147.22.1 readline-doc-5.2-147.22.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): libreadline5-32bit-5.2-147.22.1 References: http://support.novell.com/security/cve/CVE-2014-7169.html http://support.novell.com/security/cve/CVE-2014-7186.html http://support.novell.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=898346 https://bugzilla.suse.com/show_bug.cgi?id=898603 https://bugzilla.suse.com/show_bug.cgi?id=898604 http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e845919… http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba9… http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7… http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd749… http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2… -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2014:1242-1: important: bash
by opensuse-security＠opensuse.org 28 Sep '14

28 Sep '14

openSUSE Security Update: bash ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1242-1 Rating: important References: #898346 #898603 #898604 Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . This hardening feature is work in progress and might be improved in later updates. Additionaly two more security issues were fixed in bash: CVE-2014-7186: Nested HERE documents could lead to a crash of bash. CVE-2014-7187: Nesting of for loops could lead to a crash of bash. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-564 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): bash-4.2-68.8.1 bash-debuginfo-4.2-68.8.1 bash-debugsource-4.2-68.8.1 bash-devel-4.2-68.8.1 bash-loadables-4.2-68.8.1 bash-loadables-debuginfo-4.2-68.8.1 libreadline6-6.2-68.8.1 libreadline6-debuginfo-6.2-68.8.1 readline-devel-6.2-68.8.1 - openSUSE 13.1 (x86_64): bash-debuginfo-32bit-4.2-68.8.1 libreadline6-32bit-6.2-68.8.1 libreadline6-debuginfo-32bit-6.2-68.8.1 readline-devel-32bit-6.2-68.8.1 - openSUSE 13.1 (noarch): bash-doc-4.2-68.8.1 bash-lang-4.2-68.8.1 readline-doc-6.2-68.8.1 References: http://support.novell.com/security/cve/CVE-2014-7169.html http://support.novell.com/security/cve/CVE-2014-7186.html http://support.novell.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=898346 https://bugzilla.suse.com/show_bug.cgi?id=898603 https://bugzilla.suse.com/show_bug.cgi?id=898604 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0

[security-announce] openSUSE-SU-2014:1238-1: important: Important security fix for bash that allows the injection of commands.
by opensuse-security＠opensuse.org 28 Sep '14

28 Sep '14

openSUSE Security Update: Important security fix for bash that allows the injection of commands. ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1238-1 Rating: important References: #896776 Cross-References: CVE-2014-6271 Affected Products: openSUSE Evergreen 11.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update fixes a bug in the bash shell that allows an attacker to execute arbitrary commands upon shell invocation if he can control the shell's environment. This is particularly dangerous if the shell is used as a cgi interpreter for a web server, or if the shell handles untrusted input inherited in the environment from other sources. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Evergreen 11.4: zypper in -t patch 2014-86 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Evergreen 11.4 (i586 x86_64): bash-4.1-20.31.1 bash-debuginfo-4.1-20.31.1 bash-debugsource-4.1-20.31.1 bash-devel-4.1-18.31.1 bash-loadables-4.1-18.31.1 bash-loadables-debuginfo-4.1-18.31.1 libreadline6-6.1-18.31.1 libreadline6-debuginfo-6.1-18.31.1 readline-devel-6.1-18.31.1 - openSUSE Evergreen 11.4 (x86_64): bash-debuginfo-32bit-4.1-20.31.1 libreadline6-32bit-6.1-18.31.1 libreadline6-debuginfo-32bit-6.1-18.31.1 readline-devel-32bit-6.1-18.31.1 - openSUSE Evergreen 11.4 (noarch): bash-doc-4.1-18.31.1 bash-lang-4.1-20.31.1 readline-doc-6.1-18.31.1 - openSUSE Evergreen 11.4 (ia64): bash-debuginfo-x86-4.1-20.31.1 bash-x86-4.1-20.31.1 libreadline6-debuginfo-x86-6.1-18.31.1 libreadline6-x86-6.1-18.31.1 References: http://support.novell.com/security/cve/CVE-2014-6271.html https://bugzilla.suse.com/show_bug.cgi?id=896776 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org

1 0