> On Sep 25, 2014, at 10:44 AM, Veencamp, Jonathon D. <jdveenc...@fedins.com> 
> wrote:
> 
> Just a word of warning that Red Hat considers their current patch potentially 
> incomplete.  It solves the test that everyone is using to test vulnerability, 
> but isn't necessarily comprehensive.  So there may be more than one round of 
> patches on this, perhaps from all vendors.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1141597
> 
> Statement:
> Red Hat has become aware that the patches shipped for this issue are 
> incomplete. An attacker can provide specially-crafted environment variables 
> containing arbitrary commands that will be executed on vulnerable systems 
> under certain conditions. The new issue has been assigned CVE-2014-7169.

Here is a new CVE at 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-7169
Summary: GNU Bash through 4.3 bash43-025 processes trailing strings after 
certain malformed function definitions in the values of environment variables, 
which allows remote attackers to write to files or possibly have unknown other 
impact via a crafted environment, as demonstrated by vectors involving the 
ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the 
Apache HTTP Server, scripts executed by unspecified DHCP clients, and other 
situations in which setting the environment occurs across a privilege boundary 
from Bash execution. NOTE: this vulnerability exists because of an incomplete 
fix for CVE-2014-6271.
Published: 9/24/2014 9:55:04 PM
CVSS Severity: 10.0 HIGH

The difference is "NOTE: this vulnerability exists because of an incomplete fix 
for CVE-2014-6271."

I didn't mean to imply in my note that other distributors weren't also working 
on fixes. We are a Red Hat customer, so those are all the notices we have 
received. The previous CVE only referenced Red Hat links. 

I'm not surprised Mac OS X is late -- they always are.

Has anyone heard of any exploits?
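
The quoted note refers to "the test that everyone is using". As an added example that is not part of this thread, the following POSIX shell function runs the publicly documented patch-verification vectors for both CVE-2014-6271 and CVE-2014-7169 against a bash binary (the path is an assumed argument, defaulting to whatever `bash` is on PATH) and reports whether each fix is present. The CVE-2014-7169 probe is run in a scratch directory because an unpatched bash creates a file named `echo` there instead of printing `date`.

```shell
#!/bin/sh
# Added example (not from the LINUX-390 thread): check whether a bash binary
# carries the fixes for CVE-2014-6271 and CVE-2014-7169.
# Return codes: 0 = both fixes present, 1 = at least one missing, 2 = no bash.

check_shellshock() {
    bash_bin="${1:-bash}"   # assumed argument: path to the bash to inspect
    command -v "$bash_bin" >/dev/null 2>&1 || {
        echo "bash not found: $bash_bin"
        return 2
    }

    status=0

    # CVE-2014-6271: an unpatched bash imports the function definition from
    # the environment and also runs the trailing command, so "vulnerable" is
    # printed. A fixed bash prints nothing for this variable.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271: fix MISSING"; status=1 ;;
        *)            echo "CVE-2014-6271: fix present" ;;
    esac

    # CVE-2014-7169: the incomplete first fix still let a trailing redirection
    # leak into the parser state, so an unpatched bash writes a file named
    # "echo" into the working directory instead of printing "date".
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' \
        >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: fix MISSING"; status=1
    else
        echo "CVE-2014-7169: fix present"
    fi
    rm -rf "$scratch"

    return "$status"
}

# Usage: check_shellshock [path-to-bash]
# e.g.   check_shellshock /bin/bash
```

Run it against each bash binary on a host (some systems ship more than one, e.g. `/bin/bash` and a locally built `/usr/local/bin/bash`), since only the interpreter that actually gets invoked across a privilege boundary matters. A "fix present" result for both probes means the two public vectors are closed; it says nothing about later Shellshock CVEs, which had their own test cases.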

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/