openSUSE 13.1: 2014:1242-1 Critical Problems with Core Shell Functionality

September 28, 2014
Urgent openSUSE Security Patch for bash tackling several risks and weaknesses jeopardizing overall system integrity.
An update that fixes three vulnerabilities is now available

Description

The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169).

Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation.

To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . This hardening feature is work in progress and might be improved in later updates.

Additionally, two more security issues were fixed in bash:

CVE-2014-7186: Nested HERE documents could lead to a crash of bash.

CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
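
A behavioural check for the BASH_FUNC_ hardening described above, added here as an example and not part of the openSUSE advisory. The BASH_UNDER_TEST variable and the probe function name advisory_probe are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirms that the bash binary under test restricts
# function import to BASH_FUNC_-prefixed environment variables.
# BASH_UNDER_TEST (assumption): path of the bash binary to check.
BASH_UNDER_TEST="${BASH_UNDER_TEST:-$(command -v bash)}"

# Returns 0 if exported functions are stored in variables whose
# names start with BASH_FUNC_.
exports_use_prefix() {
    "$BASH_UNDER_TEST" -c 'advisory_probe() { :; }; export -f advisory_probe; env' \
        | grep -q '^BASH_FUNC_advisory_probe'
}

# Returns 0 if a function definition placed in an ordinarily named
# variable stays a plain string and is not imported as a function.
ignores_unprefixed_definitions() {
    ! env 'advisory_probe=() { :; }' "$BASH_UNDER_TEST" -c \
        'declare -F advisory_probe' >/dev/null 2>&1
}

# Prints a one-line verdict; returns 0 only if both checks pass.
check_hardening() {
    if ! exports_use_prefix; then
        echo "not hardened: exported functions lack the BASH_FUNC_ prefix"
        return 1
    fi
    if ! ignores_unprefixed_definitions; then
        echo "not hardened: function imported from an unprefixed variable"
        return 1
    fi
    echo "hardened"
}

check_hardening
```

Run it after applying the update; the exit status is non-zero if either check fails.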

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-564

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 13.1 (i586 x86_64):

  bash-4.2-68.8.1
  bash-debuginfo-4.2-68.8.1
  bash-debugsource-4.2-68.8.1
  bash-devel-4.2-68.8.1
  bash-loadables-4.2-68.8.1
  bash-loadables-debuginfo-4.2-68.8.1
  libreadline6-6.2-68.8.1
  libreadline6-debuginfo-6.2-68.8.1
  readline-devel-6.2-68.8.1

- openSUSE 13.1 (x86_64):

  bash-debuginfo-32bit-4.2-68.8.1
  libreadline6-32bit-6.2-68.8.1
  libreadline6-debuginfo-32bit-6.2-68.8.1
  readline-devel-32bit-6.2-68.8.1

- openSUSE 13.1 (noarch):

  bash-doc-4.2-68.8.1
  bash-lang-4.2-68.8.1
  readline-doc-6.2-68.8.1

References

https://www.suse.com/security/cve/CVE-2014-7169.html

https://www.suse.com/security/cve/CVE-2014-7186.html

https://www.suse.com/security/cve/CVE-2014-7187.html

https://bugzilla.suse.com/show_bug.cgi?id=898346

https://bugzilla.suse.com/show_bug.cgi?id=898603

https://bugzilla.suse.com/show_bug.cgi?id=898604

Severity
important

Announcement ID: openSUSE-SU-2014:1242-1
Rating: important
Affected Products: openSUSE 13.1
