FAQ about the bash Shellshock issue

2014-09-27 Thread Thijs Kinkhorst
All,

Our colleagues at Red Hat have published a list of frequently asked questions
regarding the bash ('shellshock') flaws:

https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/

Basically, all answers that are given there apply to Debian just as well. 
Debian is using essentially the same patches as Red Hat does.


Cheers,
Thijs




Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread john
Hello,

I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet for
Debian. I note that Ubuntu pushed another patch addressing these earlier
today.

Thanks!

John


Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Martin Holub
Hi,

According to the Security Tracker [1,2], both are fixed in stable
and oldstable.

Cheers.

[1] https://security-tracker.debian.org/tracker/CVE-2014-7186
[2] https://security-tracker.debian.org/tracker/CVE-2014-7187

On 27/09/14 20:18, john wrote:
 Hello,

 I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet
 for Debian. I note that Ubuntu pushed another patch addressing these
 earlier today.

 Thanks!

 John


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/542701f8.3030...@fileserver.v6.amspitz.at



Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Joe
On Sat, 27 Sep 2014 20:29:12 +0200
Martin Holub lu...@fileserver.v6.amspitz.at wrote:

 Hi,
 
 According to the Security Tracker [1,2], both are fixed in
 stable and oldstable.
 

And unstable. I don't have a testing installation, but I'd have thought
that should also be done by now.
 
 [1] https://security-tracker.debian.org/tracker/CVE-2014-7186
 [2] https://security-tracker.debian.org/tracker/CVE-2014-7187
 
 On 27/09/14 20:18, john wrote:
  Hello,
 
  I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed
  yet for Debian. I note that Ubuntu pushed another patch addressing
  these earlier today.
 

The first patch for this problem didn't fix it completely, so there
were two. Updating now should certainly solve the problem.

Here are a couple of tests, and the results expected after neither, the
first, and the second patch:

https://access.redhat.com/articles/1200223

-- 
Joe


Archive: https://lists.debian.org/20140927203808.12db7...@jresid.jretrading.com
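The kind of tests Joe points to, as an added example that is not part of the thread and not Red Hat's own article code: a POSIX shell script that probes one bash binary for each of the four CVEs the thread covers and, in addition, for whether that bash still imports functions from arbitrary environment variable names (the hardening that accompanied the later round of fixes). BASH_BIN is an assumed parameter, defaulting to the bash on PATH; run the script against the bash you have just updated. A fixed bash passes every probe and the script exits 0.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat's article.
# Probes one bash binary for the Shellshock family of bugs the thread
# discusses. BASH_BIN is an assumed parameter: the bash to test, defaulting
# to whatever "bash" is on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271 (original bug): text after the exported function body is
# executed when the child bash imports the function. Returns 1 if the
# trailing "echo vulnerable" ran.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null) || :
    case "$out" in *vulnerable*) return 1 ;; esac
    return 0
}

# CVE-2014-7169 (incomplete first fix): leftover parser state turns the
# next command into a redirection, so a vulnerable bash writes the output
# of "date" into a file called "echo". Run in a scratch directory so the
# probe only ever creates that file there. Returns 1 if the file appeared,
# 2 if no scratch directory could be made.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1) || :
    if [ -e "$tmp/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# CVE-2014-7186 (redir_stack overflow): too many here-documents on one
# command crash a vulnerable bash. A fixed bash only warns about the
# unterminated here-documents and exits 0. Returns 1 on a crash.
check_cve_2014_7186() {
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# CVE-2014-7187 (word_lineno off-by-one): 200 nested "for" loops crash a
# vulnerable bash; a fixed bash runs the empty loops and exits 0.
# Returns 1 on a crash.
check_cve_2014_7187() {
    script=$(
        i=0; while [ "$i" -lt 200 ]; do i=$((i + 1)); echo "for x$i in ; do :"; done
        i=0; while [ "$i" -lt 200 ]; do i=$((i + 1)); echo "done"; done
    )
    if printf '%s\n' "$script" | "$BASH_BIN" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Hardening check: a bash carrying the later fixes no longer imports a
# function from an arbitrary environment variable name, so "foo" is simply
# not found. Returns 1 if the function was imported and ran.
check_function_import() {
    out=$(env foo='() { echo vulnerable; }' "$BASH_BIN" -c 'foo' 2>/dev/null) || :
    case "$out" in *vulnerable*) return 1 ;; esac
    return 0
}

# Run every probe, report each one, and return 0 only if all of them pass.
shellshock_check_all() {
    status=0
    for c in check_cve_2014_6271 check_cve_2014_7169 check_cve_2014_7186 \
             check_cve_2014_7187 check_function_import; do
        if "$c"; then
            echo "$c: not vulnerable"
        else
            echo "$c: VULNERABLE"
            status=1
        fi
    done
    return "$status"
}

# When run as a script, the exit status is that of this last command,
# i.e. 0 only if every probe passed.
shellshock_check_all
```

The probes deliberately avoid bash-only syntax (no brace expansion, no `local`) so the driver can be run from any /bin/sh, which matters when the bash under test is the one you do not yet trust. Point BASH_BIN at a specific binary (`BASH_BIN=/bin/bash sh shellshock-check.sh`) when a host carries more than one bash.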



Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Andrew McGlashan

On 28/09/2014 4:29 AM, Martin Holub wrote:
 According to the Security Tracker [1,2], both are fixed in stable
 and oldstable.

NOT QUITE. Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(

Cheers
A.


Archive: https://lists.debian.org/54271f09.8010...@affinityvision.com.au



Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Conrad Nelson
On Sun, 2014-09-28 at 06:33 +1000, Andrew McGlashan wrote:
 On 28/09/2014 4:29 AM, Martin Holub wrote:
  According to the Security Tracker [1,2], both are fixed in stable
  and oldstable.
 
 NOT QUITE. Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
 BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(
 
 Cheers
 A.
 

What about Jessie?

Conrad


Archive: https://lists.debian.org/1411850163.7215.1.ca...@marupa.net



Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Joe
On Sun, 28 Sep 2014 06:33:13 +1000
Andrew McGlashan andrew.mcglas...@affinityvision.com.au wrote:

 
 On 28/09/2014 4:29 AM, Martin Holub wrote:
  According to the Security Tracker [1,2], both are fixed in
  stable and oldstable.
 
 NOT QUITE. Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
 BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(
 
But just add the right incantations to sources.list and all will be
well.

-- 
Joe


Archive: https://lists.debian.org/20140927215855.6a10f...@jresid.jretrading.com



Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Cyril Brulebois
Conrad Nelson y...@marupa.net (2014-09-27):
 On Sun, 2014-09-28 at 06:33 +1000, Andrew McGlashan wrote:
  On 28/09/2014 4:29 AM, Martin Holub wrote:
   According to the Security Tracker [1,2], both are fixed in stable
   and oldstable.
  
  NOT QUITE. Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
  BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(
  
  Cheers
  A.
  
 
 What about Jessie?

kibi@arya:~$ rmadison -a source bash -s testing,unstable
  bash |   4.3-9.2 |testing | source
  bash |   4.3-9.2 |   unstable | source

Mraw,
KiBi.




Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Denny Bortfeldt
Sorry, but I don't get why the package update should be in oldstable...
It's clear that squeeze is not supported anymore and the important packages
will get security updates via squeeze-LTS (a different security team than the
stable security team).
So where is the problem with adding squeeze-LTS to apt/sources.list?

Why update a package in a repository which is out of date?


 -Original Message-
 From: Andrew McGlashan [mailto:andrew.mcglas...@affinityvision.com.au]
 Sent: Saturday, 27 September 2014 22:33
 To: debian-security@lists.debian.org
 Subject: Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been
 addressed for debian
 
 
 On 28/09/2014 4:29 AM, Martin Holub wrote:
  According to the Security Tracker [1,2], both are fixed in
  stable and oldstable.
 
 NOT QUITE. Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
 BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(
 
 Cheers
 A.
 
 
 Archive: https://lists.debian.org/54271f09.8010...@affinityvision.com.au



Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

2014-09-27 Thread Henrique de Moraes Holschuh
On Sat, 27 Sep 2014, john wrote:
 I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet for
 Debian. I note that Ubuntu pushed another patch addressing these earlier
 today.

Yes, both are addressed by DSA-3035-1.  AFAIK, these CVE numbers were not
yet assigned at the time of the upload, so they were not mentioned in the
changelog.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: https://lists.debian.org/20140928013915.ga30...@khazad-dum.debian.net



Bug#763074: marked as done (security-tracker: DSA-3037-1 vs. tracker)

2014-09-27 Thread Debian Bug Tracking System
Your message dated Sat, 27 Sep 2014 19:37:16 +0200
with message-id 20140927173716.GA29078@eldamar.local
and subject line Re: Bug#763074: security-tracker: DSA-3037-1 vs. tracker
has caused the Debian Bug report #763074,
regarding security-tracker: DSA-3037-1 vs. tracker
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
763074: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763074
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: security-tracker
Severity: normal

Hi all!

I am under the impression that DSA-3037-1 [1] has a typo in the
version that fixes CVE-2014-1568 for stable.
The correct version number seems [2] to be 24.8.1-1~deb7u1
(even though the changelog seems to have a typo in the CVE
number: it's CVE-2014-1568, not CVE-2024-1568!).

The tracker reflects the DSA [3]: please fix the tracker data!

Thanks for your time (and for the significant improvements
that the tracker has recently had!).

[1] https://lists.debian.org/debian-security-announce/2014/msg00225.html
[2] 
https://tracker.debian.org/media/packages/i/icedove/changelog-24.8.1-1~deb7u1
[3] https://security-tracker.debian.org/tracker/DSA-3037-1
---End Message---
---BeginMessage---
Hi Francesco,

On Sat, Sep 27, 2014 at 07:13:35PM +0200, Francesco Poli (wintermute) wrote:
 Package: security-tracker
 Severity: normal
 
 Hi all!
 
 I am under the impression that DSA-3037-1 [1] has a typo in the
 version that fixes CVE-2014-1568 for stable.
 The correct version number seems [2] to be 24.8.1-1~deb7u1
 (even though the changelog seems to have a typo in the CVE
 number: it's CVE-2014-1568, not CVE-2024-1568!).
 
 The tracker reflects the DSA [3]: please fix the tracker data!
 
 Thanks for your time (and for the significant improvements
 that the tracker has recently had!).

Thanks for spotting this! I have corrected the version for the icedove
DSA.

Regards,
Salvatore
---End Message---