September 2014 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] Re: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash
by Wilfred van Velzen 08 Oct '14

08 Oct '14

What about releasing this patch for the NON LTSS versions as well? Considering the severity of this bug...! On Sun, Sep 28, 2014 at 7:05 PM, <opensuse-security(a)opensuse.org> wrote: > SUSE Security Update: Security update for bash > ______________________________________________________________________________ > > Announcement ID: SUSE-SU-2014:1247-1 > Rating: important > References: #898346 #898603 #898604 > Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 > > Affected Products: > SUSE Linux Enterprise Software Development Kit 11 SP3 > SUSE Linux Enterprise Server 11 SP3 for VMware > SUSE Linux Enterprise Server 11 SP3 > SUSE Linux Enterprise Server 11 SP2 LTSS > SUSE Linux Enterprise Server 11 SP1 LTSS > SUSE Linux Enterprise Server 10 SP4 LTSS > SUSE Linux Enterprise Server 10 SP3 LTSS > SUSE Linux Enterprise Desktop 11 SP3 > ______________________________________________________________________________ > > An update that fixes three vulnerabilities is now available. > > Description: > > > The command-line shell 'bash' evaluates environment variables, which > allows the injection of characters and might be used to access files on > the system in some circumstances (CVE-2014-7169). > > Please note that this issue is different from a previously fixed > vulnerability tracked under CVE-2014-6271 and is less serious due to the > special, non-default system configuration that is needed to create an > exploitable situation. > > To remove further exploitation potential we now limit the > function-in-environment variable to variables prefixed with BASH_FUNC_. > This hardening feature is work in progress and might be improved in later > updates. > > Additionally, two other security issues have been fixed: > > * CVE-2014-7186: Nested HERE documents could lead to a crash of bash. > * CVE-2014-7187: Nesting of for loops could lead to a crash of bash. > > Security Issues: > > * CVE-2014-7169 > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169> > * CVE-2014-7186 > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186> > * CVE-2014-7187 > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187> > > > Patch Instructions: > > To install this SUSE Security Update use YaST online_update. > Alternatively you can run the command listed for your product: > > - SUSE Linux Enterprise Software Development Kit 11 SP3: > > zypper in -t patch sdksp3-bash-9780 > > - SUSE Linux Enterprise Server 11 SP3 for VMware: > > zypper in -t patch slessp3-bash-9780 > > - SUSE Linux Enterprise Server 11 SP3: > > zypper in -t patch slessp3-bash-9780 > > - SUSE Linux Enterprise Server 11 SP2 LTSS: > > zypper in -t patch slessp2-bash-9781 > > - SUSE Linux Enterprise Server 11 SP1 LTSS: > > zypper in -t patch slessp1-bash-9782 > > - SUSE Linux Enterprise Desktop 11 SP3: > > zypper in -t patch sledsp3-bash-9780 > > To bring your system up-to-date, use "zypper patch". > > > Package List: > > - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64): > > readline-devel-5.2-147.22.1 > > - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64): > > readline-devel-32bit-5.2-147.22.1 > > - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64): > > libreadline5-5.2-147.22.1 > > - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64): > > bash-3.2-147.22.1 > bash-doc-3.2-147.22.1 > libreadline5-5.2-147.22.1 > readline-doc-5.2-147.22.1 > > - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64): > > libreadline5-32bit-5.2-147.22.1 > > - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64): > > bash-3.2-147.22.1 > bash-doc-3.2-147.22.1 > libreadline5-5.2-147.22.1 > readline-doc-5.2-147.22.1 > > - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64): > > libreadline5-32bit-5.2-147.22.1 > > - SUSE Linux Enterprise Server 11 SP3 (ia64): > > bash-x86-3.2-147.22.1 > libreadline5-x86-5.2-147.22.1 > > - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64): > > bash-3.2-147.14.22.1 > bash-doc-3.2-147.14.22.1 > libreadline5-5.2-147.14.22.1 > readline-doc-5.2-147.14.22.1 > > - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64): > > libreadline5-32bit-5.2-147.14.22.1 > > - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64): > > bash-3.2-147.14.22.1 > bash-doc-3.2-147.14.22.1 > libreadline5-5.2-147.14.22.1 > readline-doc-5.2-147.14.22.1 > > - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64): > > libreadline5-32bit-5.2-147.14.22.1 > > - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): > > bash-3.1-24.34.1 > readline-5.1-24.34.1 > readline-devel-5.1-24.34.1 > > - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): > > readline-32bit-5.1-24.34.1 > readline-devel-32bit-5.1-24.34.1 > > - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64): > > bash-3.1-24.34.1 > readline-5.1-24.34.1 > readline-devel-5.1-24.34.1 > > - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64): > > readline-32bit-5.1-24.34.1 > readline-devel-32bit-5.1-24.34.1 > > - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): > > bash-3.2-147.22.1 > bash-doc-3.2-147.22.1 > libreadline5-5.2-147.22.1 > readline-doc-5.2-147.22.1 > > - SUSE Linux Enterprise Desktop 11 SP3 (x86_64): > > libreadline5-32bit-5.2-147.22.1 > > > References: > > http://support.novell.com/security/cve/CVE-2014-7169.html > http://support.novell.com/security/cve/CVE-2014-7186.html > http://support.novell.com/security/cve/CVE-2014-7187.html > https://bugzilla.suse.com/show_bug.cgi?id=898346 > https://bugzilla.suse.com/show_bug.cgi?id=898603 > https://bugzilla.suse.com/show_bug.cgi?id=898604 > http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e845919… > http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba9… > http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7… > http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd749… > http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2… > > -- > To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org > For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org > -- Met vriendelijke groet / Best regards, Wilfred van Velzen -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

6 7

[opensuse-security] RE: [security-announce] SUSE-SU-2014:1259-1: important: bash
by Wendy Palm 30 Sep '14

30 Sep '14

How can we access these rpms without using YaST online_update - where is the repository? > -----Original Message----- > From: opensuse-security(a)opensuse.org [mailto:opensuse- > security(a)opensuse.org] > Sent: Tuesday, September 30, 2014 10:05 AM > To: opensuse-security-announce(a)opensuse.org > Subject: [security-announce] SUSE-SU-2014:1259-1: important: bash > > SUSE Security Update: bash > __________________________________________________________ > ____________________ > > Announcement ID: SUSE-SU-2014:1259-1 > Rating: important > References: #898346 #898603 #898604 > Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 > > Affected Products: > SUSE Linux Enterprise Software Development Kit 12 > SUSE Linux Enterprise Server 12 > SUSE Linux Enterprise Desktop 12 > 12 > __________________________________________________________ > ____________________ > > An update that fixes three vulnerabilities is now available. > > Description: > > > The command-line shell 'bash' evaluates environment variables, which > allows the injection of characters and might be used to access files on > the system in some circumstances (CVE-2014-7169). > > Please note that this issue is different from a previously fixed > vulnerability tracked under CVE-2014-6271 and it is less serious due to > the special, non-default system configuration that is needed to create an > exploitable situation. > > To remove further exploitation potential we now limit the > function-in-environment variable to variables prefixed with BASH_FUNC_ . > This hardening feature is work in progress and might be improved in later > updates. > > Additionaly two more security issues were fixed in bash: CVE-2014-7186: > Nested HERE documents could lead to a crash of bash. > > CVE-2014-7187: Nesting of for loops could lead to a crash of bash. > > > Patch Instructions: > > To install this SUSE Security Update use YaST online_update. > Alternatively you can run the command listed for your product: > > - SUSE Linux Enterprise Software Development Kit 12: > > zypper in -t patch SUSE-SLE-SDK-12-2014-63 > > - SUSE Linux Enterprise Server 12: > > zypper in -t patch SUSE-SLE-SERVER-12-2014-63 > > - SUSE Linux Enterprise Desktop 12: > > zypper in -t patch SUSE-SLE-DESKTOP-12-2014-63 > > - 12: > > zypper in -t patch SUSE-SLE-WE-12-2014-63 > > To bring your system up-to-date, use "zypper patch". > > > Package List: > > - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x > x86_64): > > bash-debuginfo-4.2-81.1 > bash-debugsource-4.2-81.1 > bash-devel-4.2-81.1 > readline-devel-6.2-81.1 > > - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): > > bash-4.2-81.1 > bash-debuginfo-4.2-81.1 > bash-debugsource-4.2-81.1 > libreadline6-6.2-81.1 > libreadline6-debuginfo-6.2-81.1 > > - SUSE Linux Enterprise Server 12 (noarch): > > bash-doc-4.2-81.1 > readline-doc-6.2-81.1 > > - SUSE Linux Enterprise Desktop 12 (x86_64): > > bash-4.2-81.1 > bash-debuginfo-4.2-81.1 > bash-debugsource-4.2-81.1 > libreadline6-6.2-81.1 > libreadline6-debuginfo-6.2-81.1 > > - SUSE Linux Enterprise Desktop 12 (noarch): > > bash-doc-4.2-81.1 > bash-lang-4.2-81.1 > readline-doc-6.2-81.1 > > - 12 (noarch): > > bash-lang-4.2-81.1 > > > References: > > http://support.novell.com/security/cve/CVE-2014-7169.html > http://support.novell.com/security/cve/CVE-2014-7186.html > http://support.novell.com/security/cve/CVE-2014-7187.html > https://bugzilla.suse.com/show_bug.cgi?id=898346 > https://bugzilla.suse.com/show_bug.cgi?id=898603 > https://bugzilla.suse.com/show_bug.cgi?id=898604 > > -- > To unsubscribe, e-mail: opensuse-security- > announce+unsubscribe(a)opensuse.org > For additional commands, e-mail: opensuse-security- > announce+help(a)opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] Global check sum archive?
by pinguin74 25 Sep '14

25 Sep '14

There are still many applications or projects on the net that do not offer any digital signature or any other kind of verification. I think this is true for both Open Source and MS Windows. E.g. some Linux video drivers from video vendors. No signature, no checksum. I wonder, is there somewhere a kind of "global check sum archive" where people upload file names and corresponding hash sums? IMHO this would greatly hinder fraud. Is there such a project? Haven´t found one so far... Thanks

1 0

[opensuse-security] Temporarily stop AppArmor
by pinguin74 23 Sep '14

23 Sep '14

Hi there, how do you completely stop AppArmor temporarily? I´d like to stop AA for a short time and restart it again. I see there is /etc/init.d/boot.apparmor is this the one to use? Thanks

3 2

[opensuse-security] rpm database integrity
by pinguin74 16 Sep '14

16 Sep '14

Hello, at sans.org I read: "The first thing to do is check the contents of /var/lib/rpm. The databases should have a date/time stamp of when you originally installed the system. If you see a different date, be suspect of the integrity of the databases." Well, on my system the time stamp of the files within /var/lib/rpm do not carry the time stamp from original installation, the time stamp seem to be the last time I installed some new stuff with YaST. But, the time stamp of the directory /var/lib/rpm itself actually is the original time from installation. I now wonder, does sans.org tell us something not entirely correct? When you install stuff, doesn´t the time stamps change below /var/lib/rpm ? Thanks

2 1

[opensuse-security] Firefox access demands
by pinguin74 16 Sep '14

16 Sep '14

Hello, I just see, Firefox wants to acces /proc/tty/drivers and asks for PTRACE use. Is it safe to grant this access? What are the risks connected to accessing these things? Currently Firefox seem to work well without granting these things... Thanks

3 3

[opensuse-security] How capable is ClamAV?
by pinguin74 15 Sep '14

15 Sep '14

What is your opinion about the strength of ClamAV? I am especially concerned about active, malicious content hidden in documents like PDF or LibreOffice data files. Does ClamAV have some serious heuristics? Of course I know, anti virus tools only can offer limited protection. Thanks

4 7

[opensuse-security] repositories/security:/apparmor
by pinguin74 14 Sep '14

14 Sep '14

Hi there, there is a AA Repo with some updated AA packages. Are they stable? Or is this some testing versions of AA? Thanks

2 2

[opensuse-security] System attacked, need help
by Jon Cosby 13 Sep '14

13 Sep '14

I've been under attack recently and need help tracing the source and locking down. At one point the hacker took full control of my system, including windows and terminals. I went offline for four days this week, reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and ran the patches online. I'm blocking unneeded ports in my modem-router. The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning: <code> [10:19:02] /sbin/ifup [ Warning ] [10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII.. sbin> ls -l ifup -rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup sbin> ls -l ifdown lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup sbin> </code> Note the permissions on ifdown. On restarting from suspension, there's a signal going out. I'm going to have to go down again, but don't have a clue what I need to do to get this system operating cleanly. Any tips/suggestions are appreciated. Thanks, Jon Cosby -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 6

[opensuse-security] Re: [security-announce] SUSE-SU-2014:1124-1: important: Security update for flash-player
by hop＠shoppilot.de 12 Sep '14

12 Sep '14

Hallo, bin bis zum 15.9.2014 nicht im Hause. Bitte wenden Sie sich in dringenden Fällen an meine Kollegen (support(a)shoppilot.de). Mit freundlichen Grüßen Hans Ophüls -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0