*** This bug is a security vulnerability *** Public security bug reported:
I think I must be missing something: CVE-2016-7543 is a high-impact code execution vulnerability for bash. https://people.canonical.com/~ubuntu- security/cve/2016/CVE-2016-7543.html Is listed as needed for Precise/Trusty/Xenial. The patch has been released for a few months, and is available as an upstream package in debian: https://security- tracker.debian.org/tracker/CVE-2016-7543 But I can't find any tracking of whether Canonical maintainers will or intend to release an updated package for the supported operating systems. I thought maybe it was fixed in a later release or is otherwise deemed to be not-applicable. But as far as I can tell, the issue is still open. An open high danger (CVSS 3 Score: 8.4) CVE shows up on all our security scans. Is there any sanctioned way to address this? Is an updated package planned? -- I previously asked this as a question and was told to report a security bug: https://answers.launchpad.net/ubuntu/+source/bash/+question/631268 ** Affects: bash (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1689304 Title: Unfixed Code Execution Vulnerability CVE-2016-7543 Status in bash package in Ubuntu: New Bug description: I think I must be missing something: CVE-2016-7543 is a high-impact code execution vulnerability for bash. https://people.canonical.com/~ubuntu- security/cve/2016/CVE-2016-7543.html Is listed as needed for Precise/Trusty/Xenial. The patch has been released for a few months, and is available as an upstream package in debian: https://security- tracker.debian.org/tracker/CVE-2016-7543 But I can't find any tracking of whether Canonical maintainers will or intend to release an updated package for the supported operating systems. I thought maybe it was fixed in a later release or is otherwise deemed to be not-applicable. But as far as I can tell, the issue is still open. An open high danger (CVSS 3 Score: 8.4) CVE shows up on all our security scans. Is there any sanctioned way to address this? Is an updated package planned? -- I previously asked this as a question and was told to report a security bug: https://answers.launchpad.net/ubuntu/+source/bash/+question/631268 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1689304/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
