   SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1212-1
Rating:             critical
References:         #776694 #819783 #820149 #844550 #896776
Cross-References:   CVE-2014-0475
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes
   is now available.

Description:

   bash has been updated to fix a critical security issue.

   In some circumstances, the shell would evaluate shellcode in environment
   variables passed at startup time. This allowed code execution by local or
   remote attackers who could pass environment variables to bash scripts.
   (CVE-2014-6271)

   Additionally, the following bugs have been fixed:

   * Fix crash when expanding '$[' without matching ']'. (bnc#844550)
   * Do not restart the signal handler after a trap is reset. (bnc#820149)
   * Work around a crash in libreadline. (bnc#819783)
   * Make skeleton files configuration files. (bnc#776694)

   Security Issues:

   * CVE-2014-6271
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-bash-9738

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.20.1
      bash-doc-3.2-147.14.20.1
      libreadline5-5.2-147.14.20.1
      readline-doc-5.2-147.14.20.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.20.1

References:

   http://support.novell.com/security/cve/CVE-2014-0475.html
   https://bugzilla.suse.com/776694
   https://bugzilla.suse.com/819783
   https://bugzilla.suse.com/820149
   https://bugzilla.suse.com/844550
   https://bugzilla.suse.com/896776
   http://download.suse.com/patch/finder/?keywords=55e9078b7e861e70ae3998e079b2...
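
One way to confirm that a host's packages are at or above the fixed builds in the package list, as an added example that is not part of the SUSE announcement. The function names and the sample input are assumptions made here, and the comparison handles only numeric dotted version-release strings like those in this advisory.

```shell
# Fixed builds from the advisory's package list: "name version-release".
FIXED="bash 3.2-147.14.20.1
bash-doc 3.2-147.14.20.1
libreadline5 5.2-147.14.20.1
readline-doc 5.2-147.14.20.1
libreadline5-32bit 5.2-147.14.20.1"

# ver_ge INSTALLED FIXED: succeeds when INSTALLED >= FIXED.
# Assumption: numeric dotted version-release strings, as in this advisory;
# this is not a full reimplementation of rpm's comparison rules.
ver_ge() {
    awk -v a="$1" -v b="$2" '
    function cmp(p, q,    x, y, np, nq, n, i) {
        np = split(p, x, "[.]"); nq = split(q, y, "[.]")
        n = (np > nq) ? np : nq
        for (i = 1; i <= n; i++)
            if (x[i] + 0 != y[i] + 0) return (x[i] + 0 > y[i] + 0) ? 1 : -1
        return 0
    }
    BEGIN {
        split(a, va, "-"); split(b, vb, "-")   # version, then release
        c = cmp(va[1], vb[1])
        if (c == 0) c = cmp(va[2], vb[2])
        exit (c >= 0 ? 0 : 1)
    }' </dev/null
}

# check_packages: reads "name version-release" lines on stdin and returns
# non-zero if any package named in the advisory is older than its fixed build.
check_packages() {
    rc=0
    while read -r name installed; do
        fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue   # not covered by this advisory
        if ver_ge "$installed" "$fixed"; then
            echo "OK $name $installed"
        else
            echo "UPDATE $name $installed (fixed in $fixed)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input (not from a real host); on a SLES system feed it
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' bash bash-doc libreadline5 readline-doc
SAMPLE="bash 3.2-147.9.13
libreadline5 5.2-147.14.20.1"
printf '%s\n' "$SAMPLE" | check_packages || echo "at least one package predates the fix"
```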