All,
I stumbled across the following bulletin regarding bash vulnerability:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
What's the status of a patched version for 13.1?
It looks like the full SLES versions have a patch in QA at the moment: http://support.novell.com/security/cve/CVE-2014-6271.html So I would assume that oS will come soon?
On Wed, Sep 24, 2014 at 04:07:40PM -0500, Christopher Myers wrote:
It looks like the full SLES versions have a patch in QA at the moment: http://support.novell.com/security/cve/CVE-2014-6271.html So I would assume that oS will come soon?
It is waiting only for the review team.
SR 251834
Ciao, Marcus
On Wednesday, September 24, 2014 11:18:41 PM Marcus Meissner wrote:
On Wed, Sep 24, 2014 at 04:07:40PM -0500, Christopher Myers wrote:
It looks like the full SLES versions have a patch in QA at the moment: http://support.novell.com/security/cve/CVE-2014-6271.html So I would assume that oS will come soon?
It is waiting only for the review team.
SR 251834
Ciao, Marcus
It has been already patched. Updated to bash-4.2-68.4.1
On 09/24/2014 04:03 PM, David C. Rankin wrote:
All,
I stumbled across the following bulletin regarding bash vulnerability:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
What's the status of a patched version for 13.1?
Per the security blog, you can confirm that the vulnerability is closed with:
$ ( env x='() { :;}; echo vulnerable' bash -c "echo this is a test" )
I just executed the test in a subshell to prevent adding the function to my current session.
If you are vulnerable, you will see:
vulnerable
this is a test
After upgrading bash you will see the vulnerability has been closed:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Hello,
On Wed, 24 Sep 2014, David C. Rankin wrote:
On 09/24/2014 04:03 PM, David C. Rankin wrote:
I stumbled across the following bulletin regarding bash vulnerability:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
What's the status of a patched version for 13.1?
Per the security blog, you can confirm that the vulnerability is closed with:
$ ( env x='() { :;}; echo vulnerable' bash -c "echo this is a test" )
JFTR: I'm building bash for 12.1 and some more, not sure whether what others build for 12.1, .2 etc. is already patched (and keep it updated for now).
$ ( env x='() { :;}; echo vulnerable' bash -c "echo this is a test" )
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
$ rpm -q bash
bash-4.2-245.1.x86_64
$ grep PRETTY /etc/os-release
PRETTY_NAME="openSUSE 12.1 (Asparagus) (x86_64)"
$ rpm -q --changelog bash | head
* Thu Sep 18 2014 werner@suse.de
- Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271, the unexpected code execution with environment variables (bnc#896776)
[..]
Repo: http://download.opensuse.org/repositories/home:/dnh/
It's just a link to Base:System. Feel free to PM me though, -dnh
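The check quoted in this thread, wrapped as a POSIX shell audit that classifies each bash binary and shows the owning package (an added example, not part of any post in the thread). The function names check_bash and audit_bash, the default binary paths and the three state labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify bash binaries with the CVE-2014-6271 check quoted
# in the thread. The probe only echoes a marker string.

# check_bash BINARY -> prints "vulnerable", "patched" or "unknown"
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo unknown; return 2; }
    # The crafted variable is set only for the child process (via env inside a
    # command substitution), so it never enters the current session.
    # stderr is dropped: patched builds may print the
    # "ignoring function definition attempt" warning there.
    out=$( env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null ) || true
    case $out in
        vulnerable*)        echo vulnerable; return 1 ;;  # trailing code ran on import
        *"this is a test"*) echo patched;    return 0 ;;  # only the -c command ran
        *)                  echo unknown;    return 2 ;;  # binary did not behave like bash
    esac
}

# audit_bash [BINARY...] -> one tab-separated line per existing binary:
#   path, state, owning rpm package. Returns non-zero if any is vulnerable.
audit_bash() {
    # Default paths are an assumption; pass your own list to override.
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    rc=0
    for b in "$@"; do
        [ -e "$b" ] || continue
        state=$(check_bash "$b") || true
        # rpm -qf names the package that owns the file, e.g. bash-4.2-68.4.1
        pkg=$(rpm -qf "$b" 2>/dev/null) || pkg="(not owned by an rpm)"
        printf '%s\t%s\t%s\n' "$b" "$state" "$pkg"
        if [ "$state" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Usage: audit_bash                 (default paths)
#        audit_bash /opt/custom/bash
```

A locally built or statically linked copy of bash is not updated by the distribution package, which is why the audit tests each binary rather than trusting `rpm -q bash` alone.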