Explore top 10 tips to secure your open-source projects now. Read More
×
Update pnpm to version 10.9.0 to fix CVE-2024-47829 and nodejs-bash-language- server to version 5.6.0. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-f68a9b835d 2025-05-03 01:10:16.988304+00:00 -------------------------------------------------------------------------------- Name : nodejs-bash-language-server Product : Fedora 40 Version : 5.6.0 Release : 1.fc40 URL : server Summary : A language server for Bash Description : Bash language server implementation based on Tree Sitter and its grammar for Bash with explainshell integration. -------------------------------------------------------------------------------- Update Information: Update pnpm to version 10.9.0 to fix CVE-2024-47829 and nodejs-bash-language- server to version 5.6.0 -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 24 2025 Andreas Schneider - 5.6.0-1 - Update to version 5.6.0 - server/releases/tag/server-5.6.0 * Thu Apr 24 2025 Andreas Schneider - 5.4.3-1 - Update to version 5.4.3 - server/blob/server-5.4.3/server/CHANGELOG.md * Thu Apr 24 2025 Andreas Schneider - 5.4.0-1 - Update to version 5.4.0 - server/blob/server-5.4.0/server/CHANGELOG.md -------------------------------------------------------------------------------- References: [ 1 ] Bug #2361974 - CVE-2024-47829 nodejs-pnpm: pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2361974 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-f68a9b835d' at the command line. For more information, refer to the dnf documentation availableat http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Bash could be made to crash or run programs as your login if it opened a specially crafted file.. ========================================================================== Ubuntu Security Notice USN-6697-1 March 18, 2024 bash vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Bash could be made to crash or run programs as your login if it opened a specially crafted file. Software Description: - bash: GNU Bourne Again SHell Details: It was discovered that Bash incorrectly handled certain memory operations when processing commands. If a user or automated system were tricked into running a specially crafted bash file, a remote attacker could use this issue to cause Bash to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: bash 5.1-6ubuntu1.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6697-1 CVE-2022-3715 Package Information: https://launchpad.net/ubuntu/+source/bash/5.1-6ubuntu1.1 . A security flaw in Bash may lead to system crashes or unauthorized code execution upon user login; it is advised to apply updates for Ubuntu 22.04.. bash Vulnerability, System Update, Ubuntu Security. . Severity: Critical. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2023-0340 https://linux.oracle.com/errata/ELSA-2023-0340.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: bash-5.1.8-6.el9_1.x86_64.rpm bash-devel-5.1.8-6.el9_1.x86_64.rpm aarch64: bash-5.1.8-6.el9_1.aarch64.rpm bash-devel-5.1.8-6.el9_1.aarch64.rpm SRPMS: https://oss.oracle.com:443/ol9/SRPMS-updates//bash-5.1.8-6.el9_1.src.rpm Related CVEs: CVE-2022-3715 Description of changes: [5.1.8-6] - Add a null check in parameter_brace_transform() function Resolves: CVE-2022-3715 _______________________________________________ El-errata mailing list
An update for bash is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: bash security update Advisory ID: RHSA-2023:0340-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:0340 Issue date: 2023-01-23 CVE Names: CVE-2022-3715 ==================================================================== 1. Summary: An update for bash is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * bash: a heap-buffer-overflow in valid_parameter_transform (CVE-2022-3715) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2126720 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform 6. PackageList: Red Hat Enterprise Linux BaseOS (v. 9): Source: bash-5.1.8-6.el9_1.src.rpm aarch64: bash-5.1.8-6.el9_1.aarch64.rpm bash-debuginfo-5.1.8-6.el9_1.aarch64.rpm bash-debugsource-5.1.8-6.el9_1.aarch64.rpm ppc64le: bash-5.1.8-6.el9_1.ppc64le.rpm bash-debuginfo-5.1.8-6.el9_1.ppc64le.rpm bash-debugsource-5.1.8-6.el9_1.ppc64le.rpm s390x: bash-5.1.8-6.el9_1.s390x.rpm bash-debuginfo-5.1.8-6.el9_1.s390x.rpm bash-debugsource-5.1.8-6.el9_1.s390x.rpm x86_64: bash-5.1.8-6.el9_1.x86_64.rpm bash-debuginfo-5.1.8-6.el9_1.x86_64.rpm bash-debugsource-5.1.8-6.el9_1.x86_64.rpm Red Hat CodeReady Linux Builder (v. 9): aarch64: bash-debuginfo-5.1.8-6.el9_1.aarch64.rpm bash-debugsource-5.1.8-6.el9_1.aarch64.rpm bash-devel-5.1.8-6.el9_1.aarch64.rpm ppc64le: bash-debuginfo-5.1.8-6.el9_1.ppc64le.rpm bash-debugsource-5.1.8-6.el9_1.ppc64le.rpm bash-devel-5.1.8-6.el9_1.ppc64le.rpm s390x: bash-debuginfo-5.1.8-6.el9_1.s390x.rpm bash-debugsource-5.1.8-6.el9_1.s390x.rpm bash-devel-5.1.8-6.el9_1.s390x.rpm x86_64: bash-debuginfo-5.1.8-6.el9_1.x86_64.rpm bash-debugsource-5.1.8-6.el9_1.x86_64.rpm bash-devel-5.1.8-6.el9_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2022-3715 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/security/cve/CVE-2022-3715 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBY863KNzjgjWX9erEAQhIZBAAo/lY8ek5dJ6LlRQ8351XJZLUfligGFh0 1bv+iPZVNZQRBuPV/Xeuw7sUdaWRYbU6K4AbfvhVIkg4ACULbdE+Y/kIHTjdVJps swV2+JTloh/66ogRemVatLoghmYnBjtviXz+GerKxLgy43FCtGrbh/i9tvdbEaEy 81boSU/rfbNFX5N8R90b4TSm6jtRXTnoMpvn+Bn71KrTMPEPmf8qfJX7xLOd6Ox2 ciA8Dzo++xS3L4LR/LEOlyb/gF6nnFzEkhxaGsGMy/yD3qGzyQPrK62AnsQ6l8B7 5kHCtio3YIrT5Ok3Gftm1oXu2RvcKBX/Uqv8ZptAvFd9Ish9mFa0P4eqs1rJnaDW moabz4QUywwjP2mx5qx/4N9Wni9/Sk2NKxJKsI6UVhzJuqLDsqTC8A9a+9p+8D1s XiksypV2DRPp++HTzVn+ttx8VUYKr7M7XvEcDAKFUSVyQ424/uwyzPjdPc5HlwgX qVbp8rtFjktkcmYEGc974nt2aNNCv3AjP/deNOIK51jG0q/BkSJryt/vPBa2FaSe SVz0EUb9sDbwnfQ6rmQ3lgpRZOfjX5IVZtLMztJBOC6E2UpPckveHxYWdeR/DOYA fJ4946krE+4vtXyA+2l6URsxTJAp8ZUrOzPXgOz1sRKFWnIu7P4IKVwWuKl0Lbu+ hZv7kALzBgY=c7wc -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Moderate: bash security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2023:0340", "synopsis": "Moderate: bash security update", "severity": "SEVERITY_MODERATE", "topic": "An update is available for bash.\nThis update affects Rocky Linux 9.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The bash packages provide Bash (Bourne-again shell), which is the default shell for Rocky Linux.\n\nSecurity Fix(es):\n\n* bash: a heap-buffer-overflow in valid_parameter_transform (CVE-2022-3715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 9"], "fixes": [{"ticket": "2126720", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2126720", "description": ""}], "cves": [{"name": "CVE-2022-3715", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2022-3715", "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "cvss3BaseScore": "5.5", "cwe": "CWE-119-> CWE-787"}], "references": [], "publishedAt": "2023-01-23T14:30:41Z", "rpms": {"Rocky Linux 9": {"nvras": ["bash-0:5.1.8-6.el9_1.aarch64.rpm", "bash-0:5.1.8-6.el9_1.ppc64le.rpm", "bash-0:5.1.8-6.el9_1.s390x.rpm", "bash-0:5.1.8-6.el9_1.src.rpm", "bash-0:5.1.8-6.el9_1.x86_64.rpm", "bash-debuginfo-0:5.1.8-6.el9_1.aarch64.rpm", "bash-debuginfo-0:5.1.8-6.el9_1.ppc64le.rpm", "bash-debuginfo-0:5.1.8-6.el9_1.s390x.rpm", "bash-debuginfo-0:5.1.8-6.el9_1.x86_64.rpm", "bash-debugsource-0:5.1.8-6.el9_1.aarch64.rpm", "bash-debugsource-0:5.1.8-6.el9_1.ppc64le.rpm", "bash-debugsource-0:5.1.8-6.el9_1.s390x.rpm", "bash-debugsource-0:5.1.8-6.el9_1.x86_64.rpm", "bash-devel-0:5.1.8-6.el9_1.aarch64.rpm", "bash-devel-0:5.1.8-6.el9_1.ppc64le.rpm", "bash-devel-0:5.1.8-6.el9_1.s390x.rpm","bash-devel-0:5.1.8-6.el9_1.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. A crucial update for the Bash shell has been released for Rocky Linux 9, rectifying a significant heap overflow vulnerability that poses serious risks.. Rocky Linux Security Update, Bash Security Patch, Heap Overflow Issue. . LinuxSecurity.com Team
Bash has been updated to version 5.1.16 using a patch from Fedora to fix a security issue by adding a null check in the parameter_brace_transform() function. References: . MGASA-2022-0358 - Updated bash packages fix security vulnerability Publication date: 05 Oct 2022 URL: https://advisories.mageia.org/MGASA-2022-0358.html Type: security Affected Mageia releases: 8 Bash has been updated to version 5.1.16 using a patch from Fedora to fix a security issue by adding a null check in the parameter_brace_transform() function. References: - https://bugs.mageia.org/show_bug.cgi?id=30919 - https://lists.fedoraproject.org/archives/list/
Add a null check in parameter_brace_transform() function. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-5b644a935b 2022-10-05 01:03:41.175274 --------------------------------------------------------------------------------Name : bash Product : Fedora 35 Version : 5.1.8 Release : 3.fc35 URL : Summary : The GNU Bourne Again shell Description : The GNU Bourne Again shell (Bash) is a shell or command language interpreter that is compatible with the Bourne shell (sh). Bash incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. --------------------------------------------------------------------------------Update Information: Add a null check in parameter_brace_transform() function --------------------------------------------------------------------------------ChangeLog: * Mon Sep 26 2022 Siteshwar Vashisht - 5.1.8-3 - Add a null check in parameter_brace_transform() function Resolves: #2122331 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-5b644a935b' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Add a null check in parameter_brace_transform() function. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-4ff296fe8e 2022-09-30 01:18:38.677711 --------------------------------------------------------------------------------Name : bash Product : Fedora 36 Version : 5.1.16 Release : 3.fc36 URL : Summary : The GNU Bourne Again shell Description : The GNU Bourne Again shell (Bash) is a shell or command language interpreter that is compatible with the Bourne shell (sh). Bash incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. --------------------------------------------------------------------------------Update Information: Add a null check in parameter_brace_transform() function --------------------------------------------------------------------------------ChangeLog: * Mon Sep 26 2022 Siteshwar Vashisht - 5.1.16-3 - Add a null check in parameter_brace_transform() function Resolves: #2122331 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-4ff296fe8e' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Get the latest Linux and open source security news straight to your inbox.