

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



[slackware-security] bash (SSA:2017-251-01)



New bash packages are available for Slackware 13.1, 13.37, 14.0, 14.1, and 14.2

to fix security issues.





Here are the details from the Slackware 14.2 ChangeLog:

+--------------------------+

patches/packages/bash-4.3.048-i586-1_slack14.2.txz: Upgraded.

This update fixes two security issues found in bash before 4.4:

The expansion of '\h' in the prompt string allows remote

authenticated users

to execute arbitrary code via shell metacharacters placed in

'hostname' of a

machine. The theoretical attack vector is a hostile DHCP server providing a

crafted hostname, but this is unlikely to occur in a normal Slackware

configuration as we ignore the hostname provided by DHCP.

Specially crafted SHELLOPTS+PS4 environment variables used against bogus

setuid binaries using system()/popen() allowed local attackers to execute

arbitrary code as root.

For more information, see:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543

(* Security fix *)

+--------------------------+





Where to find the new packages:

+-----------------------------+



Thanks to the friendly folks at the OSU Open Source Lab

(http://osuosl.org) for donating FTP and rsync hosting

to the Slackware project! :-)



Also see the "Get Slack" section on http://slackware.com for

additional mirror sites near you.



Updated package for Slackware 13.1:

bash-4.1.017-i486-2_slack13.1.txz



Updated package for Slackware x86_64 13.1:

bash-4.1.017-x86_64-2_slack13.1.txz



Updated package for Slackware 13.37:

bash-4.1.017-i486-2_slack13.37.txz



Updated package for Slackware x86_64 13.37:

bash-4.1.017-x86_64-2_slack13.37.txz



Updated package for Slackware 14.0:

bash-4.2.053-i486-2_slack14.0.txz



Updated package for Slackware x86_64 14.0:

bash-4.2.053-x86_64-2_slack14.0.txz



Updated package for Slackware 14.1:

bash-4.2.053-i486-2_slack14.1.txz



Updated package for Slackware x86_64 14.1:

bash-4.2.053-x86_64-2_slack14.1.txz



Updated package for Slackware 14.2:

bash-4.3.048-i586-1_slack14.2.txz



Updated package for Slackware x86_64 14.2:

bash-4.3.048-x86_64-1_slack14.2.txz





MD5 signatures:

+-------------+



Slackware 13.1 package:

9abb18ec9eca5dc861c048b1ea355d1d bash-4.1.017-i486-2_slack13.1.txz



Slackware x86_64 13.1 package:

1224b57cfde4e26d0c4168b932626cb6 bash-4.1.017-x86_64-2_slack13.1.txz



Slackware 13.37 package:

a198fa801fe0fbc7dfc90519c4f0a4dd bash-4.1.017-i486-2_slack13.37.txz



Slackware x86_64 13.37 package:

540f83ad5562accafc9817755237fc88 bash-4.1.017-x86_64-2_slack13.37.txz



Slackware 14.0 package:

78991c651987b6a385f25427db991b72 bash-4.2.053-i486-2_slack14.0.txz



Slackware x86_64 14.0 package:

f32fc974dd445aeff02b26326558a1f8 bash-4.2.053-x86_64-2_slack14.0.txz



Slackware 14.1 package:

1904564bd3ff4d511ac426f0a7357208 bash-4.2.053-i486-2_slack14.1.txz



Slackware x86_64 14.1 package:

c4af5b385df7d367073234b08b8a719c bash-4.2.053-x86_64-2_slack14.1.txz



Slackware 14.2 package:

f731b645002567ad7c6e536753fe7865 bash-4.3.048-i586-1_slack14.2.txz



Slackware x86_64 14.2 package:

702caa59bcbb6eb1e5d3fb1afb9922eb bash-4.3.048-x86_64-1_slack14.2.txz





Installation instructions:

+------------------------+



Upgrade the package as root:

# upgradepkg bash-4.3.048-i586-1_slack14.2.txz





+-----+



Slackware Linux Security Team

http://slackware.com/gpg-key

security@slackware.com



-----BEGIN PGP SIGNATURE-----



iEYEARECAAYFAlmy2/8ACgkQakRjwEAQIjM1UgCeLXFjNy3Rad82J/MfvPUxAL38

AjMAn35d156UkyqRP1Bu4a8cAt/0ziqo

=27Gu

-----END PGP SIGNATURE-----

