Stay Secure with the Latest Linux Advisories

security advisorysystem crashimportant update

SUSE: 2014:1247-2 Important: Bash Environment Variable Issues

An update that fixes three vulnerabilities is now available. An update that fixes three vulnerabilities is now available. An update that fixes three vulnerabilities is now available.. SUSE Security Update: Security update for bash ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1247-2 Rating: important References: #898346 #898603 #898604 Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 Affected Products: SUSE Manager 1.7 for SLE 11 SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally, two other security issues have been fixed: * CVE-2014-7186: Nested HERE documents could lead to a crash of bash. * CVE-2014-7187: Nesting of for loops could lead to a crash of bash. Security Issues: * CVE-2014-7169 * CVE-2014-7186 * CVE-2014-7187 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-bash-9779 To bring your system up-to-date, use "zypperpatch". Package List: - SUSE Manager 1.7 for SLE 11 SP2 (x86_64): bash-3.2-147.14.22.1 bash-doc-3.2-147.14.22.1 libreadline5-32bit-5.2-147.14.22.1 libreadline5-5.2-147.14.22.1 readline-doc-5.2-147.14.22.1 References: https://www.suse.com/security/cve/CVE-2014-7169.html https://www.suse.com/security/cve/CVE-2014-7186.html https://www.suse.com/security/cve/CVE-2014-7187.html https://bugzilla.suse.com/show_bug.cgi?id=898346 https://bugzilla.suse.com/show_bug.cgi?id=898603 https://bugzilla.suse.com/show_bug.cgi?id=898604 https://scc.suse.com:443/patches/ . SUSE Patch addresses critical bash vulnerabilities concerning environment variable limits, effectively blocking potential remote access threats.. SUSE Manager Security,Bash Patches,Security Fixes,Important Updates. . Severity: Important. LinuxSecurity.com Team

Sep 29, 2014 •Important SuSE