Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -5 articles for you...
91
security advisorygentooarbitrary code executionGentoo: GLSA 201511-01 Normal: MirBSD Korn Shell Arbitrary Code Execution
An attacker who already had access to the environment could so append values to parameters passed through programs.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201511-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: MirBSD Korn Shell: Arbitrary code execution Date: November 02, 2015 Bugs: #524414 ID: 201511-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= An attacker who already had access to the environment could so append values to parameters passed through programs. Background ========= MirBSD Korn Shell is an actively developed free implementation of the Korn Shell programming language and a successor to the Public Domain Korn Shell. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-shells/mksh < 50c > = 50c Description ========== Improper sanitation of environment import allows for appending of values to passed parameters. Impact ===== An attacker who already had access to the environment could so append values to parameters passed through programs (including sudo(8) or setuid) to shell scripts, including indirectly, after those programs intended to sanitise the environment, e.g. invalidating the last $PATH component. Workaround ========= There is no known workaround at this time. Resolution ========= All mksh users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =app-shells/mksh-50c" References ========= [ 1 ] mksh R50c released, securityfix Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201511-01 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Nov 02, 2015
Gentoo
89
security advisorysoftware updateFedoraFedora 21: mksh 50f Security Advisory for History Issues and Critical Fixes
R50f is a required security and bugfix release: * Add a patch marker for vendor patch versioning to mksh.1 * SECURITY: make unset HISTFILE actually work * Document some more issues with the current history code * Remove some unused code. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-6550 2015-04-21 13:45:37 -------------------------------------------------------------------------------- Name : mksh Product : Fedora 21 Version : 50f Release : 1.fc21 URL : Summary : MirBSD enhanced version of the Korn Shell Description : mksh is the MirBSD enhanced version of the Public Domain Korn shell (pdksh), a bourne-compatible shell which is largely similar to the original AT&T Korn shell. It includes bug fixes and feature improvements in order to produce a modern, robust shell good for interactive and especially script use, being a bourne shell replacement, pdksh successor and an alternative to the C shell. -------------------------------------------------------------------------------- Update Information: R50f is a required security and bugfix release: * Add a patch marker for vendor patch versioning to mksh.1 * SECURITY: make unset HISTFILE actually work * Document some more issues with the current history code * Remove some unused code * RCSID-only sync with OpenBSD, for bogus and irrelevant changes * Also disable field splitting for alias 'local= ypeset' * Fix read -n-1 to not be identical to read -N-1 * Several fixes and improvements to lksh(1) and mksh(1) manpages * More code (int → size_t), comment and testsuite fixes * Make dot.mkshrc more robust (LP#1441853) * Fix issues with IFS=' read, found by edualbus * Fix integer overflows related to file descriptor parsing, found by Pawel Wylecial (LP#1440685); reduce memory usage for I/O redirs * Document in the manpage how to set ±U according to the current locale settings via LANG/LC_* parameters (cf. Debian#782225) * Some code cleanup and restructuring * Handle number parsing and storing more carefully -------------------------------------------------------------------------------- ChangeLog: * Mon Apr 20 2015 Robert Scheck 50f-1 - Upgrade to 50f * Thu Mar 19 2015 Robert Scheck 50e-1 - Upgrade to 50e - Apply https://fedoraproject.org/wiki/Features/UsrMove -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update mksh' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Apr 30, 2015
•Critical
Fedora
89
security advisoryfedorabug fixFedora 20: Security Advisory for mksh R50f Critical Fix
R50f is a required security and bugfix release: * Add a patch marker for vendor patch versioning to mksh.1 * SECURITY: make unset HISTFILE actually work * Document some more issues with the current history code * Remove some unused code. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-6505 2015-04-21 13:43:40 -------------------------------------------------------------------------------- Name : mksh Product : Fedora 20 Version : 50f Release : 1.fc20 URL : Summary : MirBSD enhanced version of the Korn Shell Description : mksh is the MirBSD enhanced version of the Public Domain Korn shell (pdksh), a bourne-compatible shell which is largely similar to the original AT&T Korn shell. It includes bug fixes and feature improvements in order to produce a modern, robust shell good for interactive and especially script use, being a bourne shell replacement, pdksh successor and an alternative to the C shell. -------------------------------------------------------------------------------- Update Information: R50f is a required security and bugfix release: * Add a patch marker for vendor patch versioning to mksh.1 * SECURITY: make unset HISTFILE actually work * Document some more issues with the current history code * Remove some unused code * RCSID-only sync with OpenBSD, for bogus and irrelevant changes * Also disable field splitting for alias 'local= ypeset' * Fix read -n-1 to not be identical to read -N-1 * Several fixes and improvements to lksh(1) and mksh(1) manpages * More code (int → size_t), comment and testsuite fixes * Make dot.mkshrc more robust (LP#1441853) * Fix issues with IFS=' read, found by edualbus * Fix integer overflows related to file descriptor parsing, found by Pawel Wylecial (LP#1440685); reduce memory usage for I/O redirs * Document in the manpage how to set ±U according to the current locale settings via LANG/LC_* parameters (cf. Debian#782225) * Some code cleanup and restructuring * Handle number parsing and storing more carefully -------------------------------------------------------------------------------- ChangeLog: * Mon Apr 20 2015 Robert Scheck 50f-1 - Upgrade to 50f * Thu Mar 19 2015 Robert Scheck 50e-1 - Upgrade to 50e - Apply https://fedoraproject.org/wiki/Features/UsrMove * Wed Oct 8 2014 Robert Scheck 50d-1 - Upgrade to 50d (#1150493) * Fri Oct 3 2014 Robert Scheck 50c-1 - Upgrade to 50c * Thu Sep 11 2014 Robert Scheck 50b-1 - Upgrade to 50b * Sun Aug 17 2014 Fedora Release Engineering - 50-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild * Thu Jul 3 2014 Robert Scheck 50-1 - Upgrade to 50 * Sat Jun 7 2014 Fedora Release Engineering - 49-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild * Tue Jan 14 2014 Robert Scheck 49-1 - Upgrade to 49 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update mksh' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Apr 30, 2015
•Critical
Fedora
89
security advisoryFedorasecurity fixFedora 22 mksh Security Fix: 2015-04-21 High Severity Issues Resolved
R50f is a required security and bugfix release: * Add a patch marker for vendor patch versioning to mksh.1 * SECURITY: make unset HISTFILE actually work * Document some more issues with the current history code * Remove some unused code. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-6558 2015-04-21 13:46:01 -------------------------------------------------------------------------------- Name : mksh Product : Fedora 22 Version : 50f Release : 1.fc22 URL : Summary : MirBSD enhanced version of the Korn Shell Description : mksh is the MirBSD enhanced version of the Public Domain Korn shell (pdksh), a bourne-compatible shell which is largely similar to the original AT&T Korn shell. It includes bug fixes and feature improvements in order to produce a modern, robust shell good for interactive and especially script use, being a bourne shell replacement, pdksh successor and an alternative to the C shell. -------------------------------------------------------------------------------- Update Information: R50f is a required security and bugfix release: * Add a patch marker for vendor patch versioning to mksh.1 * SECURITY: make unset HISTFILE actually work * Document some more issues with the current history code * Remove some unused code * RCSID-only sync with OpenBSD, for bogus and irrelevant changes * Also disable field splitting for alias 'local= ypeset' * Fix read -n-1 to not be identical to read -N-1 * Several fixes and improvements to lksh(1) and mksh(1) manpages * More code (int → size_t), comment and testsuite fixes * Make dot.mkshrc more robust (LP#1441853) * Fix issues with IFS=' read, found by edualbus * Fix integer overflows related to file descriptor parsing, found by Pawel Wylecial (LP#1440685); reduce memory usage for I/O redirs * Document in the manpage how to set ±U according to the current locale settings via LANG/LC_* parameters (cf. Debian#782225) * Some code cleanup and restructuring * Handle number parsing and storing more carefully -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update mksh' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Apr 26, 2015
•Important
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!