openSUSE 13.1: 2014:1226-1 Critical Security: Bash Remote Code Execution

September 28, 2014
Important revision for openSUSE resolving two vulnerabilities in bash, improving system security and reliability.
An update that solves two vulnerabilities and has one errata is now avai...

Description

bash was updated to fix a critical security issue, a minor security issue and bugs:

In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271)

Fixed a temporary file misuse in _rl_tropen (bnc#868822). Even if used only by developers to debug the readline library, do not open temporary files from a public location without O_EXCL. (CVE-2014-2524)
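
An added illustration of the file-opening pattern behind CVE-2014-2524, not code from readline or from the openSUSE patch: the function names, the scratch directory and the file names are constructed for this example. It contrasts a create-or-truncate open with an O_EXCL open when a symlink already occupies the target name.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: create-or-truncate whatever the name resolves to, so a
   symlink already sitting at that name redirects the write to its target. */
int open_trace_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if the
   name exists in any form (symlinks included), so a successful return
   means this process created the file itself. */
int open_trace_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private scratch directory: "trace" is a symlink
   to "victim". Returns 0 when the O_EXCL open refuses the symlink and the
   weak open truncates the victim through it; otherwise the failing step. */
int run_demo(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", victim[64], trace[64];
    struct stat st;
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trace, sizeof trace, "%s/trace", dir);
    fd = open_trace_excl(victim);                 /* fresh name: succeeds */
    if (fd < 0 || write(fd, "data", 4) != 4) rc = 2;
    if (fd >= 0) close(fd);
    if (!rc && symlink(victim, trace) != 0) rc = 3;

    errno = 0;                                    /* hardened open: refused */
    if (!rc && (open_trace_excl(trace) != -1 || errno != EEXIST)) rc = 4;
    if (!rc && (stat(victim, &st) != 0 || st.st_size != 4)) rc = 5;
    if (!rc && (fd = open_trace_weak(trace)) < 0) rc = 6;
    if (!rc) close(fd);                           /* weak open: followed link */
    if (!rc && (stat(victim, &st) != 0 || st.st_size != 0)) rc = 7;
    unlink(trace); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) { int rc = run_demo(); printf("run_demo: %d\n", rc); return rc; }
```

In application code, mkstemp() gives the same exclusive creation together with an unpredictable file name.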

Additional bugfixes:

- Backported corrected German error message for a failing getpwd (bnc#895475)

- Add bash upstream patch 47 to fix a problem where the function that shortens pathnames for $PS1 according to the value of $PROMPT_DIRTRIM uses memcpy on potentially-overlapping regions of memory, when it should use memmove. The result is garbled pathnames in prompt strings.

- Add bash upstream patch 46 to fix a...

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-559

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-559

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 13.1 (i586 x86_64):

bash-4.2-68.4.1

bash-debuginfo-4.2-68.4.1

bash-debugsource-4.2-68.4.1

bash-devel-4.2-68.4.1

bash-loadables-4.2-68.4.1

bash-loadables-debuginfo-4.2-68.4.1

libreadline6-6.2-68.4.1

libreadline6-debuginfo-6.2-68.4.1

readline-devel-6.2-68.4.1

- openSUSE 13.1 (x86_64):

bash-debuginfo-32bit-4.2-68.4.1

libreadline6-32bit-6.2-68.4.1

libreadline6-debuginfo-32bit-6.2-68.4.1

readline-devel-32bit-6.2-68.4.1

- openSUSE 13.1 (noarch):

bash-doc-4.2-68.4.1

bash-lang-4.2-68.4.1

readline-doc-6.2-68.4.1

- openSUSE 12.3 (i586 x86_64):

bash-4.2-61.9.1

bash-debuginfo-4.2-61.9.1

bash-debugsource-4.2-61.9.1

bash-devel-4.2-61.9.1

bash-loadables-4.2-61.9.1

bash-loadables-debuginfo-4.2-61.9.1

libreadline6-6.2-61.9.1

libreadline6-debuginfo-6.2-61.9.1

readline-devel-6.2-61.9.1

- openSUSE 12.3 (x86_64):

bash-debuginfo-32bit-4.2-61.9.1

libreadline6-32bit-6.2-61.9.1

libreadline6-debuginfo-32bit-6.2-61.9.1

readline-devel-32bit-6.2-61.9.1

- openSUSE 12.3 (noarch):

bash-doc-4.2-61.9.1

bash-lang-4.2-61.9.1

readline-doc-6.2-61.9...

References

https://www.suse.com/security/cve/CVE-2014-2524.html

https://www.suse.com/security/cve/CVE-2014-6271.html

https://bugzilla.suse.com/show_bug.cgi?id=868822

https://bugzilla.suse.com/show_bug.cgi?id=895475

https://bugzilla.suse.com/show_bug.cgi?id=896776

Severity
critical

Announcement ID: openSUSE-SU-2014:1226-1
Rating: critical
Affected Products: openSUSE 13.1 openSUSE 12.3
