Hi to all,
Any news about the patch about that bad vulnerability on OpenSuSE ?
Claudio.
On Wed, Sep 24, 2014 at 06:17:13PM +0200, Claudio ML wrote:
> Hi to all,
> Any news about the patch about that bad vulnerability on OpenSuSE ?
It is currently in the review team's queue for 12.3 and 13.1.
openSUSE:Maintenance:3023 / SR 251834
Some smoketesting and I see if I can release it as soon as the review team has approved it.
Factory submit I also asked for, but as Factory is?was? currently not releasable this needs to be fixed first.
Ciao, Marcus
On 24/09/2014 18:20, Marcus Meissner wrote:
> It is currently in the review teams queue for 12.3 and 13.1.
> openSUSE:Maintenance:3023 / SR 251834
> Some smoketesting and I see if I can release it as soon as the review team has approved it.
> Factory submit I also asked for, but as Factory is?was? currently not releasable this needs to be fixed first.
> Ciao, Marcus
Thank you. I have seen it was released for 13.1, but not for 12.3. When is coming out for this release?
Ciao, Claudio.
On Thu, Sep 25, 2014 at 10:13:09AM +0200, Claudio ML wrote:
> Thank you. I have seen it was released for 13.1, but not for 12.3. When is coming out for this release?
It should have been published at the same time.
Checking ... for some reason the OBS did not publish the 12.3 update repo.
Ciao, Marcus
On 25/09/2014 10:19, Marcus Meissner wrote:
> It should have been published at the same time.
> Checking ... for some reason the OBS did not publish the 12.3 update repo.
> Ciao, Marcus
Ok, thank you. But... at the time I am writing no patch for 12.3... Sorry for bothering, but I am a little worried about some of my systems....
Claudio.
On Thu, Sep 25, 2014 at 11:47:07AM +0200, Claudio ML wrote:
> Ok, thank you. But...at the time i am writing no patch for 12.3... Sorry for bothering, but i am a little worried about some of my systems....
That was bug ...
The 12.3 update repository was not publishing as it choked on generating delta rpms for "chromium-debuginfo" since 19th of September.
I let mls whack that with a big hammer and let's see if it syncs in the next hours.
Ciao, Marcus
On Thu, Sep 25, 2014 at 12:23:17PM +0200, Marcus Meissner wrote:
> That was bug ...
> The 12.3 update repository was not publishing as it choked on generating delta rpms for "chromium-debuginfo" since 19th of September.
> I let mls whack that with a big hammer and lets see if syncs in the next hours.
This is fixed now and the patch is available for 12.3 too.
Ciao, Marcus
On 25/09/2014 13:37, Marcus Meissner wrote:
> This is fixed now and the patch is available for 12.3 too.
> Ciao, Marcus
Perfect! Patching now :)
Ciao, Claudio
On 09/25/2014 02:20 PM, Claudio ML wrote:
> Perfect! Patching now :)
> Ciao, Claudio
Marcus, thanks for fixing 12.3!
Unfortunately, the problem seems not to be fixed - CVE-2014-7169 remains open, see https://access.redhat.com/articles/1200223
Cheers,
Urs
On Thu, Sep 25, 2014 at 02:27:23PM +0200, Urs Beyerle wrote:
> Marcus, thanks for fixing 12.3!
> Unfortunately, the problem seems not to be fixed - CVE-2014-7169 remains open, see https://access.redhat.com/articles/1200223
Yes, we are working on this still. https://bugzilla.suse.com/show_bug.cgi?id=898346
It is not as critical as the original issue.
Ciao, Marcus
Marcus Meissner wrote on 2014-09-25 14:29 (GMT+0200):
It sure would be nice if people posting on opensuse* mailing lists would make their Bugzilla links links to bugzilla.opensuse.org.
Any chance for a patch for opensuse 12.2 ?
Ruben
* Ruben Safir ruben@mrbrklyn.com [09-25-14 11:57]:
> Any chance for a patch for opensuse 12.2 ?
Does your installed version of bash have the problem?
On Thu, Sep 25, 2014 at 12:04:17PM -0400, Patrick Shanahan wrote:
Yes, evidently
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
> Does your installed version of bash have the problem?
On 25/09/14 at #4, Ruben Safir wrote:
> Any chance for a patch for opensuse 12.2
12.2 is an EOL product.
On Thu, Sep 25, 2014 at 01:23:28PM -0300, Cristian Rodríguez wrote:
> 12.2 is an EOL product.
so if a patch can come out to download, that would be good. it would be easier than rebuilding it from scratch.
On September 25, 2014 9:30:11 AM PDT, Ruben Safir ruben@mrbrklyn.com wrote:
> so if a patch can come out to download, that would be good. it would be easier than rebuilding it from scratch.
Maybe the rpm from 12.3 would work?
I've done that in the past and it's worked.
You could also fork the project on OBS and install the patches yourself? http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/
On Thu, Sep 25, 2014 at 11:58:38AM -0500, Christopher Myers wrote:
> I've done that in the past and it's worked.
> You could also fork the project on OBS and install the patches yourself? http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/
I'm working on it. It doesn't need a fork, does it?
I'm patching the source code at the moment
Ruben Safir 09/25/14 1:04 PM >>>
> I'm working on it. It doesn't need a fork, does it?
Not entirely sure - any time I've tried to create my own copy of a package with another as the base, I've had to fork it to apply the patches. I'm sure you could build your own package from scratch though, but I figured it'd be quicker to fork the official bash 4.2 package and apply the couple of patches it's missing.
Chris
On Thu, Sep 25, 2014 at 09:55:05AM -0700, John Andersen wrote:
> Maybe the rpm from 12.3 would work?
Yes - where is it? :)
On 09/25/2014 11:02 AM, Ruben Safir wrote:
> Yes - where is it? :)
Well anything I post here will be obsolete almost instantly, so I suggest you point your browser here http://download.opensuse.org/update/12.3/ and drill down to your architecture.
In my case the RPM file/version number is 4.2-61.9.1.x86_64.rpm but like I say, that will probably be updated shortly, so watch the date.
I'm resisting the temptation to post a direct link, so that if someone clobbers their system it's their own damn fault. ;-)
There are companion doc packages that are probably not needed.
On 09/25/2014 11:30 AM, Ruben Safir wrote:
> so if a patch can come out to download, that would be good. it would be easier than rebuilding it from scratch.
Rebuild from scratch. It's only about a 4 minute build. I did it on 3 Arch boxes last night.
On 09/25/2014 01:44 PM, David C. Rankin wrote:
> Rebuild from scratch. It's only about a 4 minute build. I did it on 3 Arch boxes last night.
You may also have to download and build `readline` as well. (that's just another 30 second build). Depending on the openSuSE dependencies, it looks like Bash 4.3 requires readline 6.3.
On 9/25/2014 11:49 AM, David C. Rankin wrote:
> You may also have to download and build `readline` as well. (that's just another 30 second build). Depending on the openSuSE dependencies, it looks like Bash 4.3 requires readline 6.3.
Which rpm would instantly show when you installed the binaries. Never build what you can install via binaries is my motto.
On Thu, Sep 25, 2014 at 11:52:34AM -0700, John Andersen wrote:
> Which rpm would instantly show when you installed the binaries. Never build what you can install via binaries is my motto.
Don't grab the wheel when I ask for directions is my motto
Why do you use gmail for your mail? Don't you have an email address where your mail is delivered to YOU?
Weird
Hello,
On Thu, 25 Sep 2014, Ruben Safir wrote:
> Any chance for a patch for opensuse 12.2
zypper ar http://download.opensuse.org/repositories/home:/dnh/openSUSE_12.2_Update_sta...
Only switch the bash* and *readline* packages to that repo.
HTH, -dnh
On 09/25/2014 04:13 AM, Claudio ML wrote:
> Thank you. I have seen it was released for 13.1, but not for 12.3. When is coming out for this release?
I'm running 13.1 with the latest updates (as of yesterday) and it failed that test.
On Thursday 25 Sep 2014 07:40:31 James Knott wrote:
> I'm running 13.1 with the latest updates (as of yesterday) and it failed that test.
I've just done a "zypper up" and it installed a new "bash". The supposed test is as follows:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
    vulnerable
    this is a test
An unaffected (or patched) system will output:
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
I got the following so I'm happy
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
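The test quoted in the message above, wrapped as an added example (not part of the thread; the function names are hypothetical) that classifies the output into the two cases the thread describes, plus the output of later bash builds, which do not import `x` as a function and print only the echo line. It checks only the original issue, not CVE-2014-7169, which the thread notes was still open.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Value from the thread's test: a function definition with a trailing command.
PROBE_VALUE='() { :;}; echo vulnerable'

# Classify the combined stdout+stderr of the thread's test command.
classify_probe_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "vulnerable"        # the trailing command was executed on import
    elif printf '%s\n' "$out" | grep -q 'ignoring function definition attempt'; then
        echo "patched-warning"   # the output the thread shows after updating
    elif [ "$out" = "this is a test" ]; then
        echo "patched-silent"    # later bash: x is not imported as a function
    else
        echo "unknown"           # unexpected output; inspect by hand
    fi
}

# Run the test against one bash binary (default: the bash found in PATH).
probe_bash() {
    bash_bin=$(command -v "${1:-bash}") || { echo "not-found"; return 0; }
    # env -i starts from an empty environment so only x is passed in.
    out=$(env -i x="$PROBE_VALUE" "$bash_bin" -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$out"
}

# Constructed sample outputs, matching the two cases described in the thread.
SAMPLE_VULNERABLE='vulnerable
this is a test'
SAMPLE_PATCHED="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
this is a test"

echo "sample (vulnerable): $(classify_probe_output "$SAMPLE_VULNERABLE")"
echo "sample (patched):    $(classify_probe_output "$SAMPLE_PATCHED")"
echo "local bash:          $(probe_bash)"
```

Pass a path to `probe_bash` to check a bash binary other than the one in `PATH`, for example a locally rebuilt one.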
On 09/25/2014 06:40 AM, James Knott wrote:
> I'm running 13.1 with the latest updates (as of yesterday) and it failed that test.
You just pulled updates before your mirror was updated. Try again. I did it about 9:30 CDT (Zulu -5).
On 09/25/2014 02:54 PM, David C. Rankin wrote:
>> I'm running 13.1 with the latest updates (as of yesterday) and it failed that test.
> You just pulled updates before your mirror was updated. Try again. I did it about 9:30 CDT (Zulu -5).
That did it.