Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-63-1 bash

Debian Security Advisory

DLA-63-1 bash -- LTS security update

Date Reported:

26 Sep 2014

Affected Packages:

bash

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 762760, Bug 762761.
In Mitre's CVE dictionary: CVE-2014-7169.

More information:

Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DLA-59-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.

Additionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin.

For Debian 6 Squeeze, these issues have been fixed in bash version 4.1-3+deb6u2