Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Mark Post
On 9/24/2014 at 10:00 PM, Mauro Souza thoriu...@gmail.com wrote:
> The fix for SuSE must be in production right now. Maybe we can install the RedHat version on SuSE until the official fix?
No. Don't even think about trying that. The result will likely be uglier than the vulnerability.

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Gerard Howells
Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4? Gerard Howells zLinux and z/VM Systems Administrator Enterprise Systems America First Credit Union TEL: 801-827-8353 ghowe...@americafirst.com -Original Message- From: Linux on 390

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Marcy Cortes
You'd have to have LTSS for that since it is out of support. I was told it is available for all of these:
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 10 SP3 LTSS for AMD64 and Intel EM64T
SUSE Linux Enterprise Server 10 SP3 LTSS for IBM zSeries 64bit
SUSE Linux Enterprise

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Michael O'Reilly
Gerard, CVE-2014-0475 Common Vulnerabilities and Exposures http://support.novell.com/security/cve/CVE-2014-0475.html Mike O'Reilly IBM Linux Change Team

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Veencamp, Jonathon D.
Just a word of warning to everyone, that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Mark Post
On 9/25/2014 at 01:16 PM, Gerard Howells ghowe...@americafirst.com wrote:
> Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?
As Marcy noted, only for customers that are paying for LTSS. Perhaps this vulnerability might help people make

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Veencamp, Jonathon D.
Just a word of warning that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Alan Ackerman
On Sep 25, 2014, at 10:44 AM, Veencamp, Jonathon D. jdveenc...@fedins.com wrote:
> Just a word of warning that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Gerard Howells
Thanks Marcy and Mike! Gerard Howells zLinux and z/VM Systems Administrator Enterprise Systems America First Credit Union TEL: 801-827-8353 ghowe...@americafirst.com -Original Message- From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Michael O'Reilly Sent: Thursday,