Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201410-01 ] Bash: Multiple vulnerabilities
Date: Sat, 04 Oct 2014 22:18:43
Message-Id: 543071DD.8030104@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Bash: Multiple vulnerabilities
Date: October 04, 2014
Bugs: #523742, #524256
ID: 201410-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple parsing flaws in Bash could allow remote attackers to inject
code or cause a Denial of Service condition.

Background
==========

Bash is the standard GNU Bourne Again SHell.

Affected packages
=================

-------------------------------------------------------------------
     Package              /  Vulnerable  /                 Unaffected
-------------------------------------------------------------------
  1  app-shells/bash         < 4.2_p52                   *>= 3.1_p22
                                                         *>= 3.2_p56
                                                         *>= 4.0_p43
                                                         *>= 4.1_p16
                                                          >= 4.2_p52

Description
===========

Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further
parsing flaws in Bash. The unaffected Gentoo packages listed in this
GLSA contain the official patches that fix the issues tracked as
CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. They also include the
official patch known as the "function prefix patch", which prevents
exploitation of CVE-2014-6278.

Impact
======

A remote attacker could exploit these vulnerabilities to execute
arbitrary commands or cause a Denial of Service condition via various
vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bash 3.1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p22:3.1"

All Bash 3.2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p56:3.2"

All Bash 4.0 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p43:4.0"

All Bash 4.1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p16:4.1"

All Bash 4.2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p52"

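Two checks an administrator would want after the Description and Resolution above, as an added example that is not part of the GLSA or of Gentoo's tooling: a probe of whether the bash on PATH carries the function prefix patch (assumption: the patched bash only imports exported functions from variables named BASH_FUNC_<name>%%, or BASH_FUNC_<name>() in some vendor builds, so both forms are tried), and a comparison of an installed app-shells/bash version string against the unaffected versions in the table (assumes the X.Y_pN form with an optional -rN revision).

```shell
#!/bin/sh
# Added example, not part of the GLSA.
# 1. probe_function_prefix_patch: before the "function prefix patch" bash
#    turned ANY environment variable whose value begins with "() {" into a
#    function; afterwards only BASH_FUNC_<name>%% (assumption; some vendor
#    builds used BASH_FUNC_<name>()) is imported.
# 2. gentoo_bash_status: compare an app-shells/bash version string with the
#    unaffected versions listed in the "Affected packages" table above.

probe_function_prefix_patch() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Pre-patch bash would turn this plain variable into a function "probefn".
    # "|| :" keeps "command not found" (exit 127) from tripping set -e.
    out=$(env 'probefn=() { echo imported; }' "$bash_bin" -c probefn 2>/dev/null || :)
    [ "$out" = imported ] && { echo legacy-import; return 0; }
    for name in 'BASH_FUNC_probefn%%' 'BASH_FUNC_probefn()'; do
        out=$(env "$name=() { echo imported; }" "$bash_bin" -c probefn 2>/dev/null || :)
        [ "$out" = imported ] && { echo prefixed-only; return 0; }
    done
    echo no-import
}

gentoo_bash_status() {
    ver=$1
    slot=${ver%%_p*}; slot=${slot%%-r*}   # "4.1_p15-r1" -> "4.1"
    pl=${ver##*_p}                        # -> "15-r1"
    [ "$pl" = "$ver" ] && pl=0            # no _pN suffix at all
    pl=${pl%%-r*}                         # drop a Gentoo -rN revision -> "15"
    case $slot in                         # minimum _p level per slot (table)
        3.1) need=22 ;;
        3.2) need=56 ;;
        4.0) need=43 ;;
        4.1) need=16 ;;
        4.2) need=52 ;;
        4.[3-9]|4.[1-9][0-9]|[5-9].*) echo unaffected; return 0 ;;
        *) echo unknown-slot; return 0 ;;
    esac
    [ "$pl" -ge "$need" ] && echo unaffected || echo vulnerable
}

printf 'function prefix patch: %s\n' "$(probe_function_prefix_patch)"
for v in 3.1_p21 4.1_p15 4.2_p52 4.2_p52-r1; do   # constructed sample versions
    printf 'app-shells/bash-%s: %s\n' "$v" "$(gentoo_bash_status "$v")"
done
```

The probe only defines a function in the environment and checks whether the child shell imported it; it does not exercise the parser flaws themselves.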
References
==========

[ 1 ] CVE-2014-6277
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277
[ 2 ] CVE-2014-6278
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278
[ 3 ] CVE-2014-7186
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7186
[ 4 ] CVE-2014-7187
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7187

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201410-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
