
Re: [tech:04946] [SECURITY] [DSA 3035-1] bash security update



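This is Ando. Thank you for your hard work.
This evening I was talking with Oda-kun and Yuzo-san about
whether passenger is affected, and there seems to be a report
that everything is affected.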

http://d.hatena.ne.jp/nekoruri/touch/20140926/shellshock

Is the status of the services our company is involved with
being shared somewhere, such as on support?

ando yoko

On 2014/09/26 6:18, Salvatore Bonaccorso <carnil@debian.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3035-1                   security@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> September 25, 2014                     http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
> 
> Package        : bash
> CVE ID         : CVE-2014-7169
> Debian Bug     : 762760 762761
> 
> Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271
> released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
> incomplete and could still allow some characters to be injected into
> another environment (CVE-2014-7169). With this update prefix and suffix
> for environment variable names which contain shell functions are added
> as hardening measure.
> 
> Additionally two out-of-bounds array accesses in the bash parser are
> fixed which were revealed in Red Hat's internal analysis for these
> issues and also independently reported by Todd Sabin.
> 
> For the stable distribution (wheezy), these problems have been fixed in
> version 4.2+dfsg-0.1+deb7u3.
> 
> We recommend that you upgrade your bash packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: https://lists.debian.org/E1XXGR4-00012y-7y@master.debian.org
> 

