Date:         Fri, 26 Sep 2014 13:33:11 +0000
Reply-To:     scientific-linux-users@listserv.fnal.gov
Sender:       Security Errata for Scientific Linux
              
From:         Pat Riehecky 
Subject:      Security ERRATA Important: bash on SL5.x, SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis:          Important: bash security update
Advisory ID:       SLSA-2014:1306-1
Issue Date:        2014-09-26
CVE Numbers:       CVE-2014-7169
--

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)

Applications which directly create bash functions as environment variables
need to be made aware of changes to the way names are handled by this
update.

Note: Docker users are advised to use "yum update" within their
containers, and to commit the resulting changes.

For additional information on CVE-2014-6271 and CVE-2014-7169, refer to
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
--

SL5
  x86_64
    bash-3.2-33.el5_11.4.x86_64.rpm
    bash-debuginfo-3.2-33.el5_11.4.x86_64.rpm
  i386
    bash-3.2-33.el5_11.4.i386.rpm
    bash-debuginfo-3.2-33.el5_11.4.i386.rpm
SL6
  x86_64
    bash-4.1.2-15.el6_5.2.x86_64.rpm
    bash-debuginfo-4.1.2-15.el6_5.2.x86_64.rpm
    bash-doc-4.1.2-15.el6_5.2.x86_64.rpm
  i386
    bash-4.1.2-15.el6_5.2.i686.rpm
    bash-debuginfo-4.1.2-15.el6_5.2.i686.rpm
    bash-doc-4.1.2-15.el6_5.2.i686.rpm

- Scientific Linux Development Team
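
A check of an installed bash build against the fixed packages listed above, as an added example that is not part of the advisory or of Scientific Linux tooling. The function names are hypothetical, the version strings other than the two fixed builds are constructed samples, and the comparison is a simplified numeric one rather than rpm's own algorithm.

```shell
#!/bin/sh
# Fixed version-release strings, copied from the package list in this advisory.
FIXED_SL5="3.2-33.el5_11.4"
FIXED_SL6="4.1.2-15.el6_5.2"

# ver_ge A B: succeed when A >= B, comparing numeric fields left to right.
# Assumption: a simplification of rpm's ordering that ignores letters ("el"),
# adequate for comparing builds of the same bash package within one SL release.
ver_ge() {
    _a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    _b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    while [ -n "$_a$_b" ]; do
        # Pop the first numeric field of each side; a missing field counts as 0.
        set -- $_a; _x=${1:-0}; [ $# -gt 0 ] && shift; _a="$*"
        set -- $_b; _y=${1:-0}; [ $# -gt 0 ] && shift; _b="$*"
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
    done
    return 0
}

# bash_status VERSION-RELEASE: print fixed, needs-update or unknown.
# The SL release is inferred from the ".el5"/".el6" tag in the release string.
bash_status() {
    case "$1" in
        *.el5*) _fixed=$FIXED_SL5 ;;
        *.el6*) _fixed=$FIXED_SL6 ;;
        *) echo "unknown"; return 0 ;;
    esac
    if ver_ge "$1" "$_fixed"; then echo "fixed"; else echo "needs-update"; fi
}

# Constructed sample values. On a host or inside a container, pass instead:
#   "$(rpm -q --qf '%{VERSION}-%{RELEASE}' bash)"
for vr in 3.2-33.el5_11.4 3.2-32.el5 4.1.2-15.el6_5.1 4.1.2-15.el6_5.2; do
    printf '%-20s %s\n' "$vr" "$(bash_status "$vr")"
done
```

Running the same check inside each container image shows which images still need the "yum update" and commit step mentioned in the note above.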
