lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.02.1409291233170.8846@connie.slackware.com>
Date: Mon, 29 Sep 2014 12:33:36 -0700 (PDT)
From: Slackware Security Team <security@...ckware.com>
To: slackware-security@...ckware.com
Subject: [slackware-security]  bash (SSA:2014-272-01)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  bash (SSA:2014-272-01)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.050-i486-1_slack14.1.txz:  Upgraded.
  Another bash update.  Here's some information included with the patch:
    "This patch changes the encoding bash uses for exported functions to avoid
    clashes with shell variables and to avoid depending only on an environment
    variable's contents to determine whether or not to interpret it as a shell
    function."
  After this update, an environment variable will not go through the parser
  unless it follows this naming structure:  BASH_FUNC_*%%
  Most scripts never expected to import functions from environment variables,
  so this change (although not backwards compatible) is not likely to break
  many existing scripts.  It will, however, close off access to the parser as
  an attack surface in the vast majority of cases.  There's already another
  vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
  but this hardening patch prevents it (and likely many more similar ones).
  Thanks to Florian Weimer and Chet Ramey.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.020-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.020-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.014-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.014-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.014-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.050-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.050-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.050-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.050-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.027-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.027-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 13.0 package:
8b5f50012f3c7b18474d7cf19f2be2bb  bash-3.1.020-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
3cbe8607bf2209e694320f6416f1cd04  bash-3.1.020-x86_64-1_slack13.0.txz

Slackware 13.1 package:
c674f9b681c144c32aba0923303d789b  bash-4.1.014-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
223fc7505cd2dedd99b79d7f510e749c  bash-4.1.014-x86_64-1_slack13.1.txz

Slackware 13.37 package:
4b4e4df9e4e949637a641a94aab35765  bash-4.1.014-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
35f35367efd279d2001de989f366b972  bash-4.1.014-x86_64-1_slack13.37.txz

Slackware 14.0 package:
19cb9e04683c9020417490047f20b40d  bash-4.2.050-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
10bc930d1dd85cf3446f454b129e2bc7  bash-4.2.050-x86_64-1_slack14.0.txz

Slackware 14.1 package:
1d1f8137b674813bf7f070b66ad713b1  bash-4.2.050-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
e80cc985c6112aea20d0ba0eb2821d03  bash-4.2.050-x86_64-1_slack14.1.txz

Slackware -current package:
175685f32cfa87da1c9d7cdfb42786c5  a/bash-4.3.027-i486-1.txz

Slackware x86_64 -current package:
34a83642b058fa40e6f441c6161e2208  a/bash-4.3.027-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg bash-4.2.050-i486-1_slack14.1.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@...ckware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@...ckware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQpqCoACgkQakRjwEAQIjPD0QCfSmNXkeHavRJjRtENMC13Rtx6
DsYAn1fsM+SOgqVuB7URSJtSKrmtPvr8
=Xi8W
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ