Sorry for top posting. 

The initial fix does cover the main vulnerability, and there will be additional 
fixes coming soon.

If you are running a version outside of the current supported versions and you 
do NOT have LTSS, there is a mechanism to provide patches outside of the normal 
subscription contract.

You would need to contact your account rep for details on getting these patches 
through a special process.

We have done so, in the interest of security first.

Thanks,
Peter

 
 

Peter Linnell


>>> Ted Rodriguez-Bell <te...@wellsfargo.com> 9/26/2014 12:56 PM >>> 
This is a bit off-topic, but you can see in the package dates that an embargo 
was done.  The SLES package was signed on Friday, 19 Feb at 6:20 PDT; the 
corresponding Fedora packages were signed on Wednesday the 24th.  Both 
announcements arrived in the wee hours (US Pacific time) on Thursday morning. 

Fedora and Red Hat, by the way, have issued a fix for CVE-2014-7169; I'm 
expecting Suse's any hour now.

Just as far afield but in a different direction, the 11SP2 LTSS and 10SP4 LTSS 
updates were mentioned in the same message as the SP3 ones.  This was a clue 
that the "critical" rating on this means "really, really critical"; usually 
LTSS updates come days or weeks later. 

Ted Rodriguez-Bell
Wells Fargo



-----Original Message-----
From: Mark Post [mailto:mp...@suse.com] 
Sent: Wednesday, September 24, 2014 11:35 PM
Subject: Re: Bash specially-crafted environment variables code injection attack

>>> On 9/24/2014 at 10:00 PM, Mauro Souza <thoriu...@gmail.com> wrote: 
> The fix for SuSE must be in production right now.
> 
> Maybe we can install the RedHat version on SuSE until the official fix?

No.  Don't even think about trying that.  The result will likely be uglier than 
the vulnerability.  And, as Marcy noted, the fix from SUSE was released today, 
just as everyone else has done.

The way things like this work is that (assuming a discreet vulnerability report 
was made initially), the various Linux vendors "embargo" any public mention of 
the bug or fixes for it.  Then, when the appropriate date arrives to end the 
embargo, public announcements are made, concurrent with publication of the fix.


Mark Post

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to 
lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/
