Mailinglist Archive: opensuse-security (51 mails)

< Previous Next >
Re: [opensuse-security] Re: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash
Hi,

Let me refer you to:
https://www.suse.com/support/shellshock/

"What if I'm a current customer but I'm using older operating systems
for some of my servers without a support contract like Long Term Service
Pack Support for those older versions? Can I still get the patches?

Yes. Our primary concern and first priority is to make sure that your
systems are secure.

Given the widespread use of Bash and its inclusion in multiple
generations of our operating system products, we consider this to be
an extraordinary circumstance. We want to make sure that all of your
systems are protected, even those that you may have chosen to run in
an unsupported fashion.

In order to get access to these patches, we've created a special process
for you. Please notify your local contact at our global technical
support organization. Once they have confirmed that you are a current
customer with active support subscriptions, they will help you open a
service request and provide you with instructions on how to access the
security patches for your earlier, unsupported operating systems.
"

Ciao, Marcus

On Mon, Sep 29, 2014 at 01:35:17PM +0200, Wilfred van Velzen wrote:
What about releasing this patch for the NON LTSS versions as well?
Considering the severity of this bug...!

On Sun, Sep 28, 2014 at 7:05 PM, <opensuse-security@xxxxxxxxxxxx> wrote:
SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1247-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187

Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP2 LTSS
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP4 LTSS
SUSE Linux Enterprise Server 10 SP3 LTSS
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:


The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).

Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and is less serious due to the
special, non-default system configuration that is needed to create an
exploitable situation.

To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.

Additionally, two other security issues have been fixed:

* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.

Security Issues:

* CVE-2014-7169
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
* CVE-2014-7186
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
* CVE-2014-7187
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

zypper in -t patch sdksp3-bash-9780

- SUSE Linux Enterprise Server 11 SP3 for VMware:

zypper in -t patch slessp3-bash-9780

- SUSE Linux Enterprise Server 11 SP3:

zypper in -t patch slessp3-bash-9780

- SUSE Linux Enterprise Server 11 SP2 LTSS:

zypper in -t patch slessp2-bash-9781

- SUSE Linux Enterprise Server 11 SP1 LTSS:

zypper in -t patch slessp1-bash-9782

- SUSE Linux Enterprise Desktop 11 SP3:

zypper in -t patch sledsp3-bash-9780

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64
s390x x86_64):

readline-devel-5.2-147.22.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x
x86_64):

readline-devel-32bit-5.2-147.22.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

libreadline5-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

libreadline5-32bit-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

libreadline5-32bit-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 (ia64):

bash-x86-3.2-147.22.1
libreadline5-x86-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):

libreadline5-32bit-5.2-147.14.22.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

libreadline5-32bit-5.2-147.14.22.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

bash-3.1-24.34.1
readline-5.1-24.34.1
readline-devel-5.1-24.34.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

readline-32bit-5.1-24.34.1
readline-devel-32bit-5.1-24.34.1

- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

bash-3.1-24.34.1
readline-5.1-24.34.1
readline-devel-5.1-24.34.1

- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

readline-32bit-5.1-24.34.1
readline-devel-32bit-5.1-24.34.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

libreadline5-32bit-5.2-147.22.1


References:

http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604

http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e84591918b9e

http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba93df6f

http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7a7f43

http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd7491f09f

http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2ada90

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail:
opensuse-security-announce+help@xxxxxxxxxxxx




--
Met vriendelijke groet / Best regards,
Wilfred van Velzen
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

< Previous Next >
References