| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Sep 2014 12:33:36 -0700 (PDT)
From: Slackware Security Team <security@...ckware.com>
To: slackware-security@...ckware.com
Subject: [slackware-security] bash (SSA:2014-272-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] bash (SSA:2014-272-01)
New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.050-i486-1_slack14.1.txz: Upgraded.
Another bash update. Here's some information included with the patch:
"This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function."
After this update, an environment variable will not go through the parser
unless it follows this naming structure: BASH_FUNC_*%%
Most scripts never expected to import functions from environment variables,
so this change (although not backwards compatible) is not likely to break
many existing scripts. It will, however, close off access to the parser as
an attack surface in the vast majority of cases. There's already another
vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
but this hardening patch prevents it (and likely many more similar ones).
Thanks to Florian Weimer and Chet Ramey.
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.020-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.020-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.014-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.014-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.014-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.050-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.050-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.050-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.050-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.027-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.027-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 13.0 package:
8b5f50012f3c7b18474d7cf19f2be2bb bash-3.1.020-i486-1_slack13.0.txz
Slackware x86_64 13.0 package:
3cbe8607bf2209e694320f6416f1cd04 bash-3.1.020-x86_64-1_slack13.0.txz
Slackware 13.1 package:
c674f9b681c144c32aba0923303d789b bash-4.1.014-i486-1_slack13.1.txz
Slackware x86_64 13.1 package:
223fc7505cd2dedd99b79d7f510e749c bash-4.1.014-x86_64-1_slack13.1.txz
Slackware 13.37 package:
4b4e4df9e4e949637a641a94aab35765 bash-4.1.014-i486-1_slack13.37.txz
Slackware x86_64 13.37 package:
35f35367efd279d2001de989f366b972 bash-4.1.014-x86_64-1_slack13.37.txz
Slackware 14.0 package:
19cb9e04683c9020417490047f20b40d bash-4.2.050-i486-1_slack14.0.txz
Slackware x86_64 14.0 package:
10bc930d1dd85cf3446f454b129e2bc7 bash-4.2.050-x86_64-1_slack14.0.txz
Slackware 14.1 package:
1d1f8137b674813bf7f070b66ad713b1 bash-4.2.050-i486-1_slack14.1.txz
Slackware x86_64 14.1 package:
e80cc985c6112aea20d0ba0eb2821d03 bash-4.2.050-x86_64-1_slack14.1.txz
Slackware -current package:
175685f32cfa87da1c9d7cdfb42786c5 a/bash-4.3.027-i486-1.txz
Slackware x86_64 -current package:
34a83642b058fa40e6f441c6161e2208 a/bash-4.3.027-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg bash-4.2.050-i486-1_slack14.1.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@...ckware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@...ckware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlQpqCoACgkQakRjwEAQIjPD0QCfSmNXkeHavRJjRtENMC13Rtx6
DsYAn1fsM+SOgqVuB7URSJtSKrmtPvr8
=Xi8W
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists