[security-announce] SUSE Shellshock Status Update
Hi folks,

A heads up on the current status of the so-called "Shellshock" vulnerabilities found in bash.

CVE-2014-6271: This is the original issue, which was embargoed and became public on Wednesday September 24th, 1400 UTC. This issue allows trivial code execution if an attacker can inject environment variables into bash.

We published online updates on September 24th as soon as the embargo ended.

--------------------------------------------------------------------------------

Over the next days several more issues were found.

CVE-2014-7169: Another issue found shortly after release of the first one. This problem so far only allowed overwriting of specific filenames (the first word in the called shell script). Due to this limitation of exploitability we considered it less severe than the original problem.

CVE-2014-7186: A nesting issue of "HERE" documents, which could lead to crashes of bash, but without controlled exploitation.

CVE-2014-7187: A nesting issue with "FOR" loops, which leads to bash parser errors (but no crashes).

--------------------------------------------------------------------------------

On Sunday the 28th we released a second round of bash security updates that fixed those 3 new CVEs.

This second round of updates also contains a hardening patch that changes the function export to use a prefix of "BASH_FUNC_" and a suffix of "()". This patch makes it impossible for attackers to exploit the function parsing feature of bash altogether.

(If it were possible for attackers to inject environment variables named BASH_FUNC_xx(), they could also inject variables like PATH, PS1, LD_PRELOAD and others.)

--------------------------------------------------------------------------------

Today, Wednesday Oct 1st, two more CVEs were published by Michal Zalewski:

CVE-2014-6277: Attacker controllable crash in bash that could lead to code execution.

CVE-2014-6278: Code injection via parsing of function definitions in environment variables.
Because the environment variable hardening patch is included in our second round of updates, both issues are not exploitable, and so no updates are currently planned for these issues.

We have published a high level overview page for our enterprise customers:
https://www.suse.com/support/shellshock/

If you are running an outdated SUSE Linux Enterprise installation (but have a valid SLES subscription) we will supply fixes for your outdated installation as a one-time offering; the above page has links on how to get this offering.

More references:

https://www.suse.com/support/kb/doc.php?id=7015702
    TID on the original shellshock issues
https://www.suse.com/support/kb/doc.php?id=7015714
    TID on Oct 1st shellshock issues

Upstream documentation of new issues:
http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html

Our automated references:
http://support.novell.com/security/cve/CVE-2014-6271.html
http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7187.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-6277.html
http://support.novell.com/security/cve/CVE-2014-6278.html

http://lists.opensuse.org/opensuse-security-announce/2014-09/

Ciao, Marcus
Marcus Meissner
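
An added example, not part of the original message or of SUSE's code: a small audit that sorts the variables of an environment block by the naming rule of the hardening patch described above (prefix "BASH_FUNC_", suffix "()"). The sample block, the variable names in it, and the assumption that a serialized function value begins with "() {" are constructed for illustration.

```python
import re

# Name format introduced by the hardening patch: BASH_FUNC_<name>()
HARDENED_NAME = re.compile(r"^BASH_FUNC_.+\(\)$")
# Assumption: a serialized function body is a value that begins with "() {"
FUNC_MARKER = "() {"


def parse_environ(blob: bytes) -> dict:
    """Parse a NUL-separated NAME=VALUE block (the /proc/<pid>/environ layout)."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def classify(name: str, value: str) -> str:
    """Label one variable according to the hardened export naming rule."""
    looks_like_function = value.startswith(FUNC_MARKER)
    if HARDENED_NAME.match(name):
        # Only names of this shape are treated as exported functions after the patch.
        return "exported-function" if looks_like_function else "malformed-export"
    if looks_like_function:
        # Function syntax under an ordinary name: parsed by a pre-hardening bash,
        # plain string data for a hardened one.
        return "legacy-function-syntax"
    return "plain"


def findings(env: dict) -> dict:
    """Return every variable that is not plain data, with its label."""
    result = {}
    for name, value in env.items():
        label = classify(name, value)
        if label != "plain":
            result[name] = label
    return result


# Constructed sample environment block (not taken from any real system).
SAMPLE = (b"HOME=/root\0"
          b"UNTRUSTED_INPUT=() { :; }\0"
          b"BASH_FUNC_deploy()=() {  echo ok\n}\0"
          b"PATH=/usr/bin:/bin\0")

if __name__ == "__main__":
    for name, label in findings(parse_environ(SAMPLE)).items():
        print(f"{label:24} {name}")
```

A "legacy-function-syntax" result is the case the hardening patch neutralizes; an "exported-function" result is only a concern if the party that set it could choose variable names, in which case PATH and LD_PRELOAD deserve the same scrutiny.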