What about releasing this patch for the NON LTSS versions as well?
Considering the severity of this bug...!
On Sun, Sep 28, 2014 at 7:05 PM, <opensuse-security(a)opensuse.org> wrote:
> SUSE Security Update: Security update for bash
> ______________________________________________________________________________
>
> Announcement ID: SUSE-SU-2014:1247-1
> Rating: important
> References: #898346 #898603 #898604
> Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
>
> Affected Products:
> SUSE Linux Enterprise Software Development Kit 11 SP3
> SUSE Linux Enterprise Server 11 SP3 for VMware
> SUSE Linux Enterprise Server 11 SP3
> SUSE Linux Enterprise Server 11 SP2 LTSS
> SUSE Linux Enterprise Server 11 SP1 LTSS
> SUSE Linux Enterprise Server 10 SP4 LTSS
> SUSE Linux Enterprise Server 10 SP3 LTSS
> SUSE Linux Enterprise Desktop 11 SP3
> ______________________________________________________________________________
>
> An update that fixes three vulnerabilities is now available.
>
> Description:
>
>
> The command-line shell 'bash' evaluates environment variables, which
> allows the injection of characters and might be used to access files on
> the system in some circumstances (CVE-2014-7169).
>
> Please note that this issue is different from a previously fixed
> vulnerability tracked under CVE-2014-6271 and is less serious due to the
> special, non-default system configuration that is needed to create an
> exploitable situation.
>
> To remove further exploitation potential we now limit the
> function-in-environment variable to variables prefixed with BASH_FUNC_.
> This hardening feature is work in progress and might be improved in later
> updates.
>
> Additionally, two other security issues have been fixed:
>
> * CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
> * CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
>
> Security Issues:
>
> * CVE-2014-7169
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
> * CVE-2014-7186
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
> * CVE-2014-7187
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>
>
>
> Patch Instructions:
>
> To install this SUSE Security Update use YaST online_update.
> Alternatively you can run the command listed for your product:
>
> - SUSE Linux Enterprise Software Development Kit 11 SP3:
>
> zypper in -t patch sdksp3-bash-9780
>
> - SUSE Linux Enterprise Server 11 SP3 for VMware:
>
> zypper in -t patch slessp3-bash-9780
>
> - SUSE Linux Enterprise Server 11 SP3:
>
> zypper in -t patch slessp3-bash-9780
>
> - SUSE Linux Enterprise Server 11 SP2 LTSS:
>
> zypper in -t patch slessp2-bash-9781
>
> - SUSE Linux Enterprise Server 11 SP1 LTSS:
>
> zypper in -t patch slessp1-bash-9782
>
> - SUSE Linux Enterprise Desktop 11 SP3:
>
> zypper in -t patch sledsp3-bash-9780
>
> To bring your system up-to-date, use "zypper patch".
>
>
> Package List:
>
> - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
>
> readline-devel-5.2-147.22.1
>
> - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
>
> readline-devel-32bit-5.2-147.22.1
>
> - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
>
> libreadline5-5.2-147.22.1
>
> - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
>
> bash-3.2-147.22.1
> bash-doc-3.2-147.22.1
> libreadline5-5.2-147.22.1
> readline-doc-5.2-147.22.1
>
> - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
>
> libreadline5-32bit-5.2-147.22.1
>
> - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
>
> bash-3.2-147.22.1
> bash-doc-3.2-147.22.1
> libreadline5-5.2-147.22.1
> readline-doc-5.2-147.22.1
>
> - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
>
> libreadline5-32bit-5.2-147.22.1
>
> - SUSE Linux Enterprise Server 11 SP3 (ia64):
>
> bash-x86-3.2-147.22.1
> libreadline5-x86-5.2-147.22.1
>
> - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
>
> bash-3.2-147.14.22.1
> bash-doc-3.2-147.14.22.1
> libreadline5-5.2-147.14.22.1
> readline-doc-5.2-147.14.22.1
>
> - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
>
> libreadline5-32bit-5.2-147.14.22.1
>
> - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
>
> bash-3.2-147.14.22.1
> bash-doc-3.2-147.14.22.1
> libreadline5-5.2-147.14.22.1
> readline-doc-5.2-147.14.22.1
>
> - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):
>
> libreadline5-32bit-5.2-147.14.22.1
>
> - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
>
> bash-3.1-24.34.1
> readline-5.1-24.34.1
> readline-devel-5.1-24.34.1
>
> - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
>
> readline-32bit-5.1-24.34.1
> readline-devel-32bit-5.1-24.34.1
>
> - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
>
> bash-3.1-24.34.1
> readline-5.1-24.34.1
> readline-devel-5.1-24.34.1
>
> - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
>
> readline-32bit-5.1-24.34.1
> readline-devel-32bit-5.1-24.34.1
>
> - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
>
> bash-3.2-147.22.1
> bash-doc-3.2-147.22.1
> libreadline5-5.2-147.22.1
> readline-doc-5.2-147.22.1
>
> - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
>
> libreadline5-32bit-5.2-147.22.1
>
>
> References:
>
> http://support.novell.com/security/cve/CVE-2014-7169.html
> http://support.novell.com/security/cve/CVE-2014-7186.html
> http://support.novell.com/security/cve/CVE-2014-7187.html
> https://bugzilla.suse.com/show_bug.cgi?id=898346
> https://bugzilla.suse.com/show_bug.cgi?id=898603
> https://bugzilla.suse.com/show_bug.cgi?id=898604
> http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e845919…
> http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba9…
> http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7…
> http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd749…
> http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2…
>
> --
> To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
> For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
>
--
Met vriendelijke groet / Best regards,
Wilfred van Velzen
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
How can we access these rpms without using YaST online_update - where is the repository?
> -----Original Message-----
> From: opensuse-security(a)opensuse.org [mailto:opensuse-
> security(a)opensuse.org]
> Sent: Tuesday, September 30, 2014 10:05 AM
> To: opensuse-security-announce(a)opensuse.org
> Subject: [security-announce] SUSE-SU-2014:1259-1: important: bash
>
> SUSE Security Update: bash
> __________________________________________________________
> ____________________
>
> Announcement ID: SUSE-SU-2014:1259-1
> Rating: important
> References: #898346 #898603 #898604
> Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
>
> Affected Products:
> SUSE Linux Enterprise Software Development Kit 12
> SUSE Linux Enterprise Server 12
> SUSE Linux Enterprise Desktop 12
> 12
> __________________________________________________________
> ____________________
>
> An update that fixes three vulnerabilities is now available.
>
> Description:
>
>
> The command-line shell 'bash' evaluates environment variables, which
> allows the injection of characters and might be used to access files on
> the system in some circumstances (CVE-2014-7169).
>
> Please note that this issue is different from a previously fixed
> vulnerability tracked under CVE-2014-6271 and it is less serious due to
> the special, non-default system configuration that is needed to create an
> exploitable situation.
>
> To remove further exploitation potential we now limit the
> function-in-environment variable to variables prefixed with BASH_FUNC_ .
> This hardening feature is work in progress and might be improved in later
> updates.
>
> Additionaly two more security issues were fixed in bash: CVE-2014-7186:
> Nested HERE documents could lead to a crash of bash.
>
> CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
>
>
> Patch Instructions:
>
> To install this SUSE Security Update use YaST online_update.
> Alternatively you can run the command listed for your product:
>
> - SUSE Linux Enterprise Software Development Kit 12:
>
> zypper in -t patch SUSE-SLE-SDK-12-2014-63
>
> - SUSE Linux Enterprise Server 12:
>
> zypper in -t patch SUSE-SLE-SERVER-12-2014-63
>
> - SUSE Linux Enterprise Desktop 12:
>
> zypper in -t patch SUSE-SLE-DESKTOP-12-2014-63
>
> - 12:
>
> zypper in -t patch SUSE-SLE-WE-12-2014-63
>
> To bring your system up-to-date, use "zypper patch".
>
>
> Package List:
>
> - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x
> x86_64):
>
> bash-debuginfo-4.2-81.1
> bash-debugsource-4.2-81.1
> bash-devel-4.2-81.1
> readline-devel-6.2-81.1
>
> - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
>
> bash-4.2-81.1
> bash-debuginfo-4.2-81.1
> bash-debugsource-4.2-81.1
> libreadline6-6.2-81.1
> libreadline6-debuginfo-6.2-81.1
>
> - SUSE Linux Enterprise Server 12 (noarch):
>
> bash-doc-4.2-81.1
> readline-doc-6.2-81.1
>
> - SUSE Linux Enterprise Desktop 12 (x86_64):
>
> bash-4.2-81.1
> bash-debuginfo-4.2-81.1
> bash-debugsource-4.2-81.1
> libreadline6-6.2-81.1
> libreadline6-debuginfo-6.2-81.1
>
> - SUSE Linux Enterprise Desktop 12 (noarch):
>
> bash-doc-4.2-81.1
> bash-lang-4.2-81.1
> readline-doc-6.2-81.1
>
> - 12 (noarch):
>
> bash-lang-4.2-81.1
>
>
> References:
>
> http://support.novell.com/security/cve/CVE-2014-7169.html
> http://support.novell.com/security/cve/CVE-2014-7186.html
> http://support.novell.com/security/cve/CVE-2014-7187.html
> https://bugzilla.suse.com/show_bug.cgi?id=898346
> https://bugzilla.suse.com/show_bug.cgi?id=898603
> https://bugzilla.suse.com/show_bug.cgi?id=898604
>
> --
> To unsubscribe, e-mail: opensuse-security-
> announce+unsubscribe(a)opensuse.org
> For additional commands, e-mail: opensuse-security-
> announce+help(a)opensuse.org
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
There are still many applications or projects on the net that do not
offer any digital signature or any other kind of verification. I think
this is true for both Open Source and MS Windows. E.g. some Linux video
drivers from video vendors. No signature, no checksum.
I wonder, is there somewhere a kind of "global check sum archive" where
people upload file names and corresponding hash sums?
IMHO this would greatly hinder fraud.
Is there such a project?
Haven´t found one so far...
Thanks
Hi there,
how do you completely stop AppArmor temporarily?
I´d like to stop AA for a short time and restart it again.
I see there is /etc/init.d/boot.apparmor is this the one to use?
Thanks
Hello,
at sans.org I read:
"The first thing to do is check the contents of /var/lib/rpm. The
databases should have a date/time stamp of when you originally installed
the system. If you see a different date, be suspect of the integrity of
the databases."
Well, on my system the time stamp of the files within /var/lib/rpm do
not carry the time stamp from original installation, the time stamp seem
to be the last time I installed some new stuff with YaST.
But, the time stamp of the directory /var/lib/rpm itself actually is the
original time from installation.
I now wonder, does sans.org tell us something not entirely correct?
When you install stuff, doesn´t the time stamps change below /var/lib/rpm ?
Thanks
Hello,
I just see, Firefox wants to acces /proc/tty/drivers and asks for PTRACE
use.
Is it safe to grant this access? What are the risks connected to
accessing these things? Currently Firefox seem to work well without
granting these things...
Thanks
What is your opinion about the strength of ClamAV?
I am especially concerned about active, malicious content hidden in
documents like PDF or LibreOffice data files.
Does ClamAV have some serious heuristics?
Of course I know, anti virus tools only can offer limited protection.
Thanks
I've been under attack recently and need help tracing the source and
locking down. At one point the hacker took full control of my system,
including windows and terminals. I went offline for four days this week,
reinstalled openSUSE 13.1 offline yesterday, turned on the firewall and
ran the patches online. I'm blocking unneeded ports in my modem-router.
The attacks seem to continue almost immediately. rkhunter gives a very
suspicious warning:
<code>
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
script: /sbin/ifup: Bourne-Again shell script, ASCII..
sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup
sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup
sbin>
</code>
Note the permissions on ifdown. On restarting from suspension, there's a
signal going out. I'm going to have to go down again, but don't have a
clue what I need to do to get this system operating cleanly. Any
tips/suggestions are appreciated. Thanks,
Jon Cosby
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
Hallo,
bin bis zum 15.9.2014 nicht im Hause.
Bitte wenden Sie sich in dringenden Fällen an meine Kollegen (support(a)shoppilot.de).
Mit freundlichen Grüßen
Hans Ophüls
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org