
[SECURITY] [DLA 63-1] bash security update



Package        : bash
Version        : 4.1-3+deb6u2
CVE ID         : CVE-2014-7169
Debian Bug     : 762760 762761

Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271
released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
incomplete and could still allow some characters to be injected into
another environment (CVE-2014-7169). With this update, a prefix and a
suffix are added to the names of environment variables that contain
shell functions, as a hardening measure.

Additionally, two out-of-bounds array accesses in the bash parser are
fixed. They were revealed in Red Hat's internal analysis of these
issues and were also independently reported by Todd Sabin.
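
An added example, not part of the advisory or of Debian's code: a defender-side audit that parses a NUL-separated environment block (the /proc/PID/environ layout) and reports function-definition values stored under names that lack the prefix/suffix wrapper. The `BASH_FUNC_` prefix and `%%` suffix are the strings used by upstream bash and are an assumption here, since the advisory does not name them; the sample block is constructed.

```python
import re

# Assumption: wrapper strings used by upstream bash for exported functions.
# The advisory does not state them, so both are overridable parameters.
FUNC_PREFIX = "BASH_FUNC_"
FUNC_SUFFIX = "%%"

# bash serializes an exported function as a value beginning with "() {".
FUNC_VALUE = re.compile(r"^\s*\(\s*\)\s*\{")


def parse_environ(blob):
    """Parse a NUL-separated NAME=VALUE block into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            continue  # skip empty trailing entry and malformed items
        env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def classify(name, value, prefix=FUNC_PREFIX, suffix=FUNC_SUFFIX):
    """Return 'plain', 'wrapped-function' or 'unwrapped-function'."""
    if not FUNC_VALUE.match(value):
        return "plain"
    wrapped = (name.startswith(prefix) and name.endswith(suffix)
               and len(name) > len(prefix) + len(suffix))
    return "wrapped-function" if wrapped else "unwrapped-function"


def audit(env, prefix=FUNC_PREFIX, suffix=FUNC_SUFFIX):
    """Names whose value looks like a function but whose name is not wrapped.

    A hardened bash does not import these; their presence means some
    component still passes function-like text through ordinary variables.
    """
    return sorted(n for n, v in env.items()
                  if classify(n, v, prefix, suffix) == "unwrapped-function")


# Constructed sample block (not captured from a real system).
SAMPLE = (b"PATH=/usr/bin:/bin\0"
          b"greet=() {  echo hello\n}\0"
          b"BASH_FUNC_greet%%=() {  echo hello\n}\0"
          b"NOTE=a () { b\0")

if __name__ == "__main__":
    print(audit(parse_environ(SAMPLE)))
```

To audit a live process, pass the bytes read from its environ file to `parse_environ` instead of `SAMPLE`.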