lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NV86S-000885-Og@titan.mandriva.com>
Date: Wed, 13 Jan 2010 19:38:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:004 ] bash


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:004
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : bash
 Date    : January 13, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability have been discovered in Mandriva bash package, which
 could allow a malicious user to hide files from the ls command,
 or garble its output by crafting files or directories which contain
 special characters or escape sequences (CVE-2010-0002). This update
 fixes the issue by disabling the display of control characters
 by default.
 
 Additionally, this update fixes the unsafe file creation in bash-doc
 sample scripts (CVE-2008-5374).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5374
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0002
 https://qa.mandriva.com/56882
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 f2e4b9971f76eb8c6a32f980f8891b64  2008.0/i586/bash-3.2-5.1mdv2008.0.i586.rpm
 613aa4f62598754748fc09da5c695b13  2008.0/i586/bash-doc-3.2-5.1mdv2008.0.i586.rpm 
 85a72f0f23e359a0e05604f774c287b4  2008.0/SRPMS/bash-3.2-5.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 6bfad3cb4f655787250007cd74bdfd16  2008.0/x86_64/bash-3.2-5.1mdv2008.0.x86_64.rpm
 48288451f5a9112dfd35c38e91dcb774  2008.0/x86_64/bash-doc-3.2-5.1mdv2008.0.x86_64.rpm 
 85a72f0f23e359a0e05604f774c287b4  2008.0/SRPMS/bash-3.2-5.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 d27affe22ad63522d2b7542f94f986bb  2009.0/i586/bash-3.2-10.2mdv2009.0.i586.rpm
 e1da0b1b4c43833fa4912b839a355d84  2009.0/i586/bash-doc-3.2-10.2mdv2009.0.i586.rpm 
 50864f104fdbc0304a918c832080532a  2009.0/SRPMS/bash-3.2-10.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 722257da6630ef64d3cc1b5d2937b5d9  2009.0/x86_64/bash-3.2-10.2mdv2009.0.x86_64.rpm
 cf190a45a8464b8d4a889ea1cbdd4f58  2009.0/x86_64/bash-doc-3.2-10.2mdv2009.0.x86_64.rpm 
 50864f104fdbc0304a918c832080532a  2009.0/SRPMS/bash-3.2-10.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 6c3fbcb61646e15d2080c3b0c25d9554  2009.1/i586/bash-3.2.48-3.1mdv2009.1.i586.rpm
 0dea3f4c28cf56e5b89c148de06ea9a2  2009.1/i586/bash-doc-3.2.48-3.1mdv2009.1.i586.rpm 
 28f87d961cd64e32788fb6456c1825d4  2009.1/SRPMS/bash-3.2.48-3.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 95defbb4b2f16d98555416db6ce07d11  2009.1/x86_64/bash-3.2.48-3.1mdv2009.1.x86_64.rpm
 8753cfb24ec034cf7210093accfd24ba  2009.1/x86_64/bash-doc-3.2.48-3.1mdv2009.1.x86_64.rpm 
 28f87d961cd64e32788fb6456c1825d4  2009.1/SRPMS/bash-3.2.48-3.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 d64d774979139e95507fac57f5fee411  2010.0/i586/bash-4.0-7.1mdv2010.0.i586.rpm
 da8fe2f7aebc606b995ca95b61296955  2010.0/i586/bash-doc-4.0-7.1mdv2010.0.i586.rpm 
 3040686a1ac714a39e387d309a7dbcf8  2010.0/SRPMS/bash-4.0-7.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 fc60a281e86eca4b3a127f195ed7f4e4  2010.0/x86_64/bash-4.0-7.1mdv2010.0.x86_64.rpm
 2e5d9c83494a78bbd08c37fb654f877e  2010.0/x86_64/bash-doc-4.0-7.1mdv2010.0.x86_64.rpm 
 3040686a1ac714a39e387d309a7dbcf8  2010.0/SRPMS/bash-4.0-7.1mdv2010.0.src.rpm

 Corporate 4.0:
 10520a3ac742b3ea75f8f266a67109fc  corporate/4.0/i586/bash-3.0-6.1.20060mlcs4.i586.rpm
 e67c99653e24cca3dfc14a5db52f28ea  corporate/4.0/i586/bash-doc-3.0-6.1.20060mlcs4.i586.rpm 
 836d9e055da30f19c3a940b4c2c6b7bf  corporate/4.0/SRPMS/bash-3.0-6.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 f0bdaa60c3201841e2e3372e62ece170  corporate/4.0/x86_64/bash-3.0-6.1.20060mlcs4.x86_64.rpm
 3def0fcac2c23da7a5e1312c73e35de2  corporate/4.0/x86_64/bash-doc-3.0-6.1.20060mlcs4.x86_64.rpm 
 836d9e055da30f19c3a940b4c2c6b7bf  corporate/4.0/SRPMS/bash-3.0-6.1.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 5c62e881405cedd243385a783895bc14  mes5/i586/bash-3.2-10.2mdvmes5.i586.rpm
 84513f4df54a12c861e44d36bb0f700e  mes5/i586/bash-doc-3.2-10.2mdvmes5.i586.rpm 
 902376b0b61041449cf06be37ba40d63  mes5/SRPMS/bash-3.2-10.2mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 dab84af7d1b08e98ffaf5a0a08f4c97f  mes5/x86_64/bash-3.2-10.2mdvmes5.x86_64.rpm
 bee4dcbfa1d5e22b8d94d69bca227153  mes5/x86_64/bash-doc-3.2-10.2mdvmes5.x86_64.rpm 
 902376b0b61041449cf06be37ba40d63  mes5/SRPMS/bash-3.2-10.2mdvmes5.src.rpm

 Multi Network Firewall 2.0:
 5af56b5d52e8ba4ef591403098294ff1  mnf/2.0/i586/bash-2.05b-16.1.C30mdk.i586.rpm
 5ac71243bc151d3b0123f21d62f89449  mnf/2.0/i586/bash-doc-2.05b-16.1.C30mdk.i586.rpm 
 562bebc49856992e16d6add6c31bc4d8  mnf/2.0/SRPMS/bash-2.05b-16.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLTePJmqjQ0CJFipgRAk6kAKDCfdxFcPz4+qqiOZpdaUVMZYRoHACgpmzy
vXqabokF2ffkBdYBBSMdYsw=
=2wQJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ