Bugzilla – Bug 896776
VUL-0: CVE-2014-6271: bash: unexpected code execution with environment variables
Last modified: 2019-05-01 16:20:46 UTC
An update workflow for this issue was started. This issue was rated as critical. Please submit fixed packages until 2014-09-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58971
Created attachment 606872 funcdef-import-3.0.patch from chet, 3.0 patch
Created attachment 606873 funcdef-import-3.1.patch 3.1 patch
Created attachment 606874 funcdef-import-3.2.patch 3.2 patch
Created attachment 606875 funcdef-import-4.0.patch 4.0 patch
Created attachment 606876 funcdef-import-4.1.patch 4.1 patch
Created attachment 606877 funcdef-import-4.2.patch 4.2 patch
Created attachment 606878 funcdef-import-4.3.patch 4.3 patch
final CRD 2014-09-24 14:00 UTC now set (Wednesday, 16:00 CEST)
is public now
Date: Wed, 24 Sep 2014 16:05:51 +0200
Subject: [oss-security] CVE-2014-6271: remote code execution through bash
From: Florian Weimer <fw@deneb.enyo.de>

Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations, this vulnerability is exploitable over the network. Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches.
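The flaw described in the oss-security message quoted above, turned into a defensive check (an added example, not code from this bug report or from the bash patches): it flags environment values shaped like an exported function definition that carry text after the function body. The `() {` prefix is how pre-fix bash recognised exported functions; the brace matcher is a heuristic rather than a shell parser, and every name and sample value is constructed.

```python
import re

# Pre-fix bash treated any environment value starting with "() {" as an
# exported function definition. Extra whitespace is tolerated here so the
# check errs on the side of flagging.
FUNCDEF_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def trailing_after_funcdef(value):
    """Return None if value is not function-definition shaped; otherwise the
    text found after the body's closing brace ('' when nothing trails)."""
    m = FUNCDEF_PREFIX.match(value)
    if not m:
        return None
    depth, quote, i = 1, None, m.end()
    while i < len(value) and depth:
        c = value[i]
        if quote:
            if c == "\\" and quote == '"':
                i += 1                  # skip the escaped character
            elif c == quote:
                quote = None
        elif c == "\\":
            i += 1
        elif c in "'\"":
            quote = c                   # braces inside quotes do not count
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    if depth:                           # body never closes: all of it is suspect
        return value[m.end():].strip()
    return value[i:].strip()


def flag_environment(env):
    """Names of variables whose value has content after a function body."""
    return sorted(name for name, value in env.items()
                  if trailing_after_funcdef(value))


SAMPLE_ENV = {  # constructed sample values, not taken from the bug report
    "TERM": "xterm",
    "helper": "() { echo hi; }",
    "ANYNAME": "() { :; }; echo trailing-code-ran",
}

if __name__ == "__main__":
    print(flag_environment(SAMPLE_ENV))
```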
This is an autogenerated message for OBS integration: This bug (896776) was mentioned in
https://build.opensuse.org/request/show/251815 Factory / bash
https://build.opensuse.org/request/show/251817 13.1 / bash
https://build.opensuse.org/request/show/251818 12.3 / bash
https://build.opensuse.org/request/show/251819 12.3 / bash
This is an autogenerated message for OBS integration: This bug (896776) was mentioned in https://build.opensuse.org/request/show/251830 Factory / bash
Is there an ETA for release of an updated bash rpm for SLES11SP1 and SLES11SP3?
SLE updates are just going out as you read this.
Still not seeing them for SLES 11 SP3...
This is an autogenerated message for OBS integration: This bug (896776) was mentioned in https://build.opensuse.org/request/show/251985 Evergreen:11.4 / bash
FWIW, I see the 11-sp3 bash update on my server.
Yep, we're pulling in patches now. Thanks folks.
SUSE-SU-2014:1214-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (critical)
Bug References: 688469,770795,896776
CVE References: CVE-2012-3410,CVE-2014-0475
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src): bash-3.1-24.32.1
An update workflow for this issue was started. This issue was rated as critical. Please submit fixed packages until 2014-09-30. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59113
My customer (has LTSS) asked for a new bash version for sles10sp2 x86_64 too.
I am still missing a new version for SLES 10 SP4, is there an ETA for the patch?
The SLES 10 SP4 LTSS update has been released. https://download.suse.com/patch/finder/?keywords=5aa8890d421145a022bf2205e01b3c68 Note that this needs a special LTSS contract.
Note: massPTFs including fix for CVE-2014-7169 are in bug 898762.
openSUSE-SU-2014:1226-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (critical)
Bug References: 868822,895475,896776
CVE References: CVE-2014-2524,CVE-2014-6271
Sources used:
openSUSE 13.1 (src): bash-4.2-68.4.1
openSUSE 12.3 (src): bash-4.2-61.9.1
openSUSE-SU-2014:1238-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 896776
CVE References: CVE-2014-6271
Sources used:
openSUSE Evergreen 11.4 (src): bash-4.1-20.31.1
openSUSE-SU-2014:1248-1: An update that contains security fixes can now be installed.
Category: security (important)
Bug References: 896776
CVE References:
Sources used:
openSUSE Evergreen 11.4 (src): bash-4.1-20.35.1
This is an autogenerated message for OBS integration: This bug (896776) was mentioned in https://build.opensuse.org/request/show/252752 13.2 / bash
openSUSE-SU-2014:1254-1: An update that fixes four vulnerabilities is now available.
Category: security (critical)
Bug References: 895475,896776
CVE References: CVE-2014-6271,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
openSUSE 13.2 (src): bash-4.2-75.4.1
See also https://www.suse.com/support/shellshock/ for how to get a fix on outdated/unsupported code streams.
SUSE-SU-2014:1260-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 896776
CVE References: CVE-2014-6271
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): bash-4.2-77.1
SUSE Linux Enterprise Server 12 (src): bash-4.2-77.1
SUSE Linux Enterprise Desktop 12 (src): bash-4.2-77.1
12 (src): bash-4.2-77.1
Closing L3:41648 (PTFs were provided). Ales Novak
Closing L3:41647 (PTFs were provided). Ales Novak
*** Bug 898477 has been marked as a duplicate of this bug. ***
openSUSE-SU-2014:1308-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 896776,898346
CVE References: CVE-2014-6271,CVE-2014-7169,CVE-2014-7187
Sources used:
openSUSE 12.3 (src): bash-4.2-61.19.1
This is an autogenerated message for OBS integration: This bug (896776) was mentioned in https://build.opensuse.org/request/show/259512 Factory / bash
This CVE was and is fixed for SLE 12 before the GA shipment. There is an incorrect version on our announcement pages, as we shipped an update during the RC phase of SLES 12.