Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
Hello,

I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet for Debian. I note that Ubuntu pushed another patch addressing these earlier today.

Thanks!
John
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
Hi,

Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.

Cheers.

[1] https://security-tracker.debian.org/tracker/CVE-2014-7186
[2] https://security-tracker.debian.org/tracker/CVE-2014-7187

On 27/09/14 20:18, john wrote:
> Hello, I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet for Debian. I note that Ubuntu pushed another patch addressing these earlier today.
>
> Thanks!
> John
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
On Sat, 27 Sep 2014 20:29:12 +0200 Martin Holub lu...@fileserver.v6.amspitz.at wrote:
> Hi,
>
> Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.

And unstable, I don't have a testing installation, but I'd have thought that should also be done by now.

> [1] https://security-tracker.debian.org/tracker/CVE-2014-7186
> [2] https://security-tracker.debian.org/tracker/CVE-2014-7187
>
> On 27/09/14 20:18, john wrote:
>> Hello, I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet for Debian. I note that Ubuntu pushed another patch addressing these earlier today.

The first patch for this problem didn't fix it completely, so there were two. Updating now should certainly solve the problem.

Here's a couple of tests, and the results expected after neither, the first, and the second patches:

https://access.redhat.com/articles/1200223

--
Joe
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
On 28/09/2014 4:29 AM, Martin Holub wrote:
> Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.

NOT QUITE.

Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(

Cheers
A.
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
On Sun, 2014-09-28 at 06:33 +1000, Andrew McGlashan wrote:
> On 28/09/2014 4:29 AM, Martin Holub wrote:
>> Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.
>
> NOT QUITE.
>
> Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
> BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(
>
> Cheers
> A.

What about Jessie?

Conrad
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
On Sun, 28 Sep 2014 06:33:13 +1000 Andrew McGlashan andrew.mcglas...@affinityvision.com.au wrote:
> On 28/09/2014 4:29 AM, Martin Holub wrote:
>> Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.
>
> NOT QUITE.
>
> Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
> BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(

But just add the right incantations to sources.list and all will be well.

--
Joe
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
Conrad Nelson y...@marupa.net (2014-09-27):
> On Sun, 2014-09-28 at 06:33 +1000, Andrew McGlashan wrote:
>> On 28/09/2014 4:29 AM, Martin Holub wrote:
>>> Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.
>>
>> NOT QUITE.
>>
>> Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
>> BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(
>>
>> Cheers
>> A.
>
> What about Jessie?

kibi@arya:~$ rmadison -a source bash -s testing,unstable
bash | 4.3-9.2 | testing  | source
bash | 4.3-9.2 | unstable | source

Mraw,
KiBi.
AW: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
Sorry, but I don't get why the package update should be in oldstable...

It's clear that squeeze is not supported anymore and the important packages will get security updates via squeeze-LTS (other security team than stable sec team).

So where is the problem in adding squeeze LTS to apt/sources.list? Why update a package in a repository which is out of date?

-----Original Message-----
From: Andrew McGlashan [mailto:andrew.mcglas...@affinityvision.com.au]
Sent: Saturday, 27 September 2014 22:33
To: debian-security@lists.debian.org
Subject: Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian

On 28/09/2014 4:29 AM, Martin Holub wrote:
> Please according to the Security Tracker [1,2] both are fixed in stable and oldstable.

NOT QUITE.

Fixed in stable [wheezy] and oldstable-LTS [squeeze-lts],
BUT NOT oldstable [squeeze]: it is NOT fixed, nor is it still supported. :(

Cheers
A.
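
The distinction drawn in this thread, that plain squeeze no longer receives the bash fix while squeeze-lts does, can be checked on a host by inspecting its APT sources. The script below is an added example, not part of any poster's message; `classify_sources` is a hypothetical helper name, and the sample entries and the `mirror.example.org` host are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): report whether APT sources on a
# squeeze host include the squeeze-lts suite that carries the fix.
# classify_sources is a hypothetical helper; it reads one-line-style
# sources.list text on stdin and prints one of:
#   lts-enabled | squeeze-no-lts | not-squeeze
classify_sources() {
    # Strip comments and the optional [arch=...] option group first,
    # so a commented-out LTS line is not mistaken for an active one.
    sed -e 's/#.*//' -e 's/\[[^]]*\]//' |
    awk '
        # Only "deb" lines deliver binary packages; "deb-src" alone
        # does not bring in a fixed bash.
        $1 == "deb" {
            if ($3 == "squeeze-lts")  lts = 1
            else if ($3 ~ /^squeeze/) squeeze = 1
        }
        END {
            if (lts)          print "lts-enabled"
            else if (squeeze) print "squeeze-no-lts"
            else              print "not-squeeze"
        }'
}

# Constructed sample inputs (mirror.example.org is a placeholder host).
SAMPLE_NO_LTS='deb http://mirror.example.org/debian squeeze main
deb http://mirror.example.org/security squeeze/updates main
# deb http://mirror.example.org/debian squeeze-lts main contrib non-free'

SAMPLE_LTS='deb http://mirror.example.org/debian squeeze main
deb [arch=amd64] http://mirror.example.org/debian squeeze-lts main contrib non-free'

SAMPLE_SRC_ONLY='deb http://mirror.example.org/debian squeeze main
deb-src http://mirror.example.org/debian squeeze-lts main'

SAMPLE_WHEEZY='deb http://mirror.example.org/debian wheezy main'

for sample in "$SAMPLE_NO_LTS" "$SAMPLE_LTS" "$SAMPLE_SRC_ONLY" "$SAMPLE_WHEEZY"; do
    printf '%s\n' "$sample" | classify_sources
done
```

On a real host, pipe `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list` into the function. Suite aliases such as `oldstable` are not resolved by this check.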
Re: Shellshock: Has CVE-2014-7186 and CVE-2014-7187 been addressed for debian
On Sat, 27 Sep 2014, john wrote:
> I was wondering if CVE-2014-7186 and CVE-2014-7187 have been addressed yet for Debian. I note that Ubuntu pushed another patch addressing these earlier today.

Yes, both are addressed by DSA-3035-1. AFAIK, these CVE numbers were not yet assigned at the time of the upload, so they were not mentioned in the changelog.

--
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh