Re: [gentoo-user] [Security] Update bash *NOW*
On 25/09/2014 02:58, Walter Dnes wrote:
> [snip]
>
> ...with malicious stuff, and it could get ugly.
>
> app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same env command results in...

Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed.

For further details: https://bugs.gentoo.org/show_bug.cgi?id=523592

--Kerin
Re: [gentoo-user] [Security] Update bash *NOW*
On 25/09/2014 13:54, Kerin Millar wrote:
> On 25/09/2014 02:58, Walter Dnes wrote:
>> [snip]
>>
>> ...with malicious stuff, and it could get ugly.
>>
>> app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same env command results in...
>
> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed.
>
> For further details: https://bugs.gentoo.org/show_bug.cgi?id=523592

Oops. Obviously, I meant to write "did not fully address the problem".

--Kerin
Re: [gentoo-user] [Security] Update bash *NOW*
Kerin Millar <kerfra...@fastmail.co.uk> wrote:
> On 25/09/2014 02:58, Walter Dnes wrote:
>> [snip]
>>
>> ...with malicious stuff, and it could get ugly.
>>
>> app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same env command results in...
>
> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed.
>
> For further details: https://bugs.gentoo.org/show_bug.cgi?id=523592

I cannot update to that, it's not in the tree as of last night.

-- 
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici
cov...@ccs.covici.com
Re: [gentoo-user] [Security] Update bash *NOW*
On 2014-09-25 16:02, cov...@ccs.covici.com wrote:
> Kerin Millar <kerfra...@fastmail.co.uk> wrote:
>> On 25/09/2014 02:58, Walter Dnes wrote:
>>> [snip]
>>>
>>> ...with malicious stuff, and it could get ugly.
>>>
>>> app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same env command results in...
>>
>> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed.
>>
>> For further details: https://bugs.gentoo.org/show_bug.cgi?id=523592
>
> I cannot update to that, it's not in the tree as of last night.

Try to rsync from some other mirror.
Re: [gentoo-user] [Security] Update bash *NOW*
On Thu, Sep 25, 2014 at 01:54:10PM +0100, Kerin Millar wrote
> On 25/09/2014 02:58, Walter Dnes wrote:
>> [snip]
>>
>> ...with malicious stuff, and it could get ugly.
>>
>> app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same env command results in...
>
> Unfortunately, that version did fully address the problem. Instead, upgrade to 4.2_p48-r1 or any of the -r1 revision bumps that were recently committed.
>
> For further details: https://bugs.gentoo.org/show_bug.cgi?id=523592
>
> --Kerin

OK, I've got app-shells/bash-4.2_p48-r1 installed now.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
[gentoo-user] [Security] Update bash *NOW*
Slashdot article
http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash

Story at
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

CVE ID CVE-2014-6271 at
http://seclists.org/oss-sec/2014/q3/650

Summary... bash scripts, CGI, perl via system(), and various other commands invoke a bash shell at times, passing environmental variables in the process. Problem is that an environmental variable ***CAN CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW SHELL***. E.g. execute the command...

  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...and you get the following...

  vulnerable
  this is a test

Replace...

  x='() { :;}; echo vulnerable'

...with malicious stuff, and it could get ugly.

app-shells/bash-4.2_p48 has been pushed to Gentoo stable. The same env command results in...

  bash: warning: x: ignoring function definition attempt
  bash: error importing function definition for `x'
  this is a test

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
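As an added example that is not part of the thread (my own script, not Gentoo's and not Walter's): a POSIX sh probe that runs Walter's env test against the bash on PATH and reports a machine-readable verdict. Because Kerin's point is that 4.2_p48 was an incomplete fix and 4.2_p48-r1 is needed, the script also probes for the follow-up parser bug, CVE-2014-7169, which the thread itself does not name. BASH_BIN, the function names and the return-code convention are my choices.

```shell
#!/bin/sh
# Added example: Shellshock probe for the bash on PATH.
# Not part of the thread; BASH_BIN and the function names are assumptions.

# Which bash to probe; override with BASH_BIN=/path/to/bash
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271, the bug from the original post: a variable whose value
# starts with "() {" is imported as a function definition, and anything
# after the closing brace runs while the child shell starts up.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = bash not found.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169, the parser bug left behind by the first fix: an import
# that fails on the trailing "=>\" leaks redirection state into the next
# parse, so the command "echo date" runs as "date > echo" and a file named
# "echo" appears in the current directory. The probe runs in a scratch
# directory and removes it afterwards. Same return codes as above.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Map a probe's return code to a verdict string.
describe() {
    case "$1" in
        0) echo "VULNERABLE" ;;
        1) echo "not vulnerable" ;;
        *) echo "cannot test ($BASH_BIN not found)" ;;
    esac
}

# Run both probes. The "&& ... || ..." form keeps a non-zero return from
# aborting the script when it is run under set -e.
check_cve_2014_6271 && rc=0 || rc=$?
printf 'CVE-2014-6271: %s\n' "$(describe "$rc")"
check_cve_2014_7169 && rc=0 || rc=$?
printf 'CVE-2014-7169: %s\n' "$(describe "$rc")"
```

The probes exercise only the bash binary, so they say whether the env-import vector is closed regardless of how the variable reaches bash (CGI header, system() from perl, a wrapper script). The numeric return codes are meant for fleet checks, e.g. feeding the script to `sh -s` over ssh on each host and collecting the verdict lines; a bash that fails only the second probe is exactly the 4.2_p48 state the thread warns about.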