
SUSE: 2014:1247-2 Important: Bash Environment Variable Issues

September 29, 2014
The SUSE patch addresses critical bash vulnerabilities concerning environment variable limits, effectively blocking potential remote access threats.
An update that fixes three vulnerabilities is now available.

Summary

The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation.

To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates.

Additionally, two other security issues have been fixed:

* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
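One way to confirm on a host that the installed bash applies the BASH_FUNC_ restriction described in the summary, as an added example that is not part of the SUSE advisory. The BASH_BIN variable, the function names and the probe names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether a bash binary applies the BASH_FUNC_ hardening.
# BASH_BIN (assumption) selects the bash under test; default is the one on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# Print the environment variable name bash uses when it exports a function
# called "probe" (hypothetical name) to a child process. Only the BASH_FUNC_
# prefix is checked later, so any suffix the build appends is accepted.
exported_function_name() {
    "$BASH_BIN" -c 'probe() { :; }; export -f probe; env' 2>/dev/null |
        sed -n 's/^\([^=]*probe[^=]*\)=() *{.*/\1/p' | head -n 1
}

# Succeed (exit 0) if bash still turns a variable WITHOUT the prefix into a
# function. The value is a harmless empty function definition.
imports_unprefixed_function() {
    env legacy_probe='() { :; }' "$BASH_BIN" -c 'declare -F legacy_probe' \
        >/dev/null 2>&1
}

# Print "hardened" only when exports carry the prefix AND unprefixed
# function-style variables are ignored on import.
bash_func_hardening_status() {
    name=$(exported_function_name)
    case "$name" in
        BASH_FUNC_*) prefixed=yes ;;
        *)           prefixed=no ;;
    esac
    if [ "$prefixed" = yes ] && ! imports_unprefixed_function; then
        echo hardened
    else
        echo not-hardened
    fi
}

# List variables in the current environment whose value looks like a function
# definition but whose name lacks the prefix. A hardened bash leaves these as
# plain strings, so anything relying on them stops working after the update.
unprefixed_function_vars() {
    env | sed -n 's/^\([^=]*\)=() *{.*/\1/p' | grep -v '^BASH_FUNC_' || true
}

echo "bash function-import hardening: $(bash_func_hardening_status)"
```

Set BASH_BIN to a full path to test a specific binary, for example a copy kept from before the update.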

References

#898346 #898603 #898604

Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187

Affected Products:

SUSE Manager 1.7 for SLE 11 SP2

https://www.suse.com/security/cve/CVE-2014-7169.html

https://www.suse.com/security/cve/CVE-2014-7186.html

https://www.suse.com/security/cve/CVE-2014-7187.html

https://bugzilla.suse.com/show_bug.cgi?id=898346

https://bugzilla.suse.com/show_bug.cgi?id=898603

https://bugzilla.suse.com/show_bug.cgi?id=898604

https://scc.suse.com:443/patches/

Severity
important

Announcement ID: SUSE-SU-2014:1247-2
Rating: important
