
Security: Multiple problems in bash
Name: Multiple problems in bash
ID: MDVSA-2015:164
Distribution: Mandriva
Platforms: Mandriva Business Server 2.0
Date: Sun, 29 March 2015, 22:34
References: http://advisories.mageia.org/MGASA-2014-0388.html
http://advisories.mageia.org/MGASA-2014-0393.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
https://access.redhat.com/articles/1200223
Applications: GNU Bash

Original message


_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:164
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : bash
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated bash packages fix security vulnerabilities:

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).

This vulnerability can be exposed and exploited through several
other pieces of software and should be considered highly critical.
Please refer to the RedHat Knowledge Base article and blog post for
more information.

It was found that the fix for CVE-2014-6271 was incomplete, and
Bash still allowed certain characters to be injected into other
environments via specially crafted environment variables. An
attacker could potentially use this flaw to override or bypass
environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-7169).

Bash has been updated to version 4.2 patch level 50, which further
mitigates ShellShock-type vulnerabilities. Two such issues have
already been discovered (CVE-2014-6277, CVE-2014-6278).

See the RedHat article on the backward-incompatible changes introduced
by the latest patch, caused by adding prefixes and suffixes to the
variable names used for exporting functions. Note that the RedHat
article mentions these variable names will have parentheses "()"
at the end of their names, however, the latest upstream patch uses
two percent signs "%%" at the end instead.
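The export-format change described above can be observed directly on a running bash. The following script is an added example, not part of the Mandriva advisory: it exports a throwaway function (named `probe`, an assumed name) and reports which variable name bash uses for it, and it checks whether the running bash still evaluates a function definition smuggled in through an ordinary environment variable (the CVE-2014-6271 behaviour). It is written for POSIX sh and only requires that a `bash` binary is on the PATH.

```shell
#!/bin/sh
# Added example, not from the advisory: inspect how the local bash
# exports shell functions and whether it still honours function
# definitions placed in arbitrary environment variables.

# Print the environment variable name that bash uses when exporting a
# function called "probe" (assumed name). Patched bash prefixes the name
# with BASH_FUNC_ and appends "%%" (some distribution patches used "()"),
# while unpatched bash used the bare function name.
exported_function_var() {
    bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_)?probe(%%|\(\))?=' \
        | cut -d= -f1
}

# Classify the export format so a script can tell a patched bash from
# an unpatched one without parsing version strings.
export_format() {
    case "$(exported_function_var)" in
        BASH_FUNC_probe%%)   echo "prefixed-percent" ;;  # upstream patch
        "BASH_FUNC_probe()") echo "prefixed-paren" ;;    # Red Hat style
        probe)               echo "bare" ;;              # pre-Shellshock
        *)                   echo "unknown" ;;
    esac
}

# Succeed (exit 0) when bash ignores a function definition carried in a
# plain environment variable; fail when the trailing command in the
# variable is executed, i.e. the CVE-2014-6271 behaviour is present.
bash_ignores_env_functions() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    [ "$out" = "test" ]
}

printf 'function export format: %s\n' "$(export_format)"
if bash_ignores_env_functions; then
    echo "environment function definitions are ignored (patched)"
else
    echo "bash still evaluates environment function definitions"
fi
```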

Two other unrelated security issues in the parser have also been
fixed in this update (CVE-2014-7186, CVE-2014-7187).

All users and sysadmins are advised to update their bash package
immediately.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://advisories.mageia.org/MGASA-2014-0388.html
http://advisories.mageia.org/MGASA-2014-0393.html
https://access.redhat.com/articles/1200223
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
ebf6cac32e8da7f0ab0e083ecb6de7e2 mbs2/x86_64/bash-4.2-53.1.mbs2.x86_64.rpm
3890f0026741d63daec44302d872a8d6 mbs2/x86_64/bash-doc-4.2-53.1.mbs2.x86_64.rpm
b44e2a3c7978c291964aee99ac3b2505 mbs2/SRPMS/bash-4.2-53.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


------------=_1427654562-10360-66
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________


------------=_1427654562-10360-66--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung