I got a newsletter about a remote exploit vulnerability in bash.
More information here: http://www.csoonline.com/artic…n-bash-cve-2014-6271.html
In German: http://www.golem.de/news/linux…-servern-1409-109439.html
As I see, Debian already ships a new version of Bash...
Under Wheezy and Jessie a new version was shipped out!
Today's "minimum" list of updates for Debian 7:
The following packages are currently pending an upgrade:
apt 0.9.7.9+deb7u5
apt-utils 0.9.7.9+deb7u5
bash 4.2+dfsg-0.1+deb7u1
libapt-inst1.5 0.9.7.9+deb7u5
libapt-pkg4.12 0.9.7.9+deb7u5
========================================================================
Package Details:
Lecture des fichiers de modifications ( changelog )...
--- Modifications pour apt (apt apt-utils libapt-inst1.5 libapt-pkg4.12) ---
apt (0.9.7.9+deb7u5) wheezy-security; urgency=high
* SECURITY UPDATE:
- methods/http.cc: fix potential buffer overflow, thanks to the
Google Security Team (CVE-2014-6273)
* fix regression when Dir::state::lists is set to a relative
path (closes: 762160)
* fix regression when cdrom: sources got rewriten by apt-cdrom
add
-- Michael Vogt <mvo@debian.org> Tue, 23 Sep 2014 08:56:27 +0200
--- Modifications pour bash ---
bash (4.2+dfsg-0.1+deb7u1) wheezy-security; urgency=high
* Apply patch from Chet Ramey to fix CVE-2014-6271.
-- Florian Weimer <fw@deneb.enyo.de> Tue, 16 Sep 2014 21:28:27 +0200
========================================================================
Hello
The vulnerability has also been fixed for Squeeze (LTS repository). See the link below for the official status.
Note: Ubuntu is also concerned (see the link below).
Refs:
Yep, I just did it (after the movie I watched ^^ I didn't read the mail before)
Just for information, as before:
The following packages are currently pending an upgrade:
bash 4.2+dfsg-0.1+deb7u3
========================================================================
Package Details:
Lecture des fichiers de modifications ( changelog )...
--- Modifications pour bash ---
bash (4.2+dfsg-0.1+deb7u3) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
* Add variables-affix.patch patch.
Apply patch from Florian Weimer to add prefix and suffix for environment
variable names which contain shell functions.
* Add parser-oob.patch patch.
Fixes two out-of-bound array accesses in the bash parser.
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 25 Sep 2014 21:43:01 +0200
bash (4.2+dfsg-0.1+deb7u2) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
* Add CVE-2014-7169.diff diff.
CVE-2014-7169: Incomplete fix for CVE-2014-6271. (Closes: #762760, #762761)
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 25 Sep 2014 07:23:43 +0200
========================================================================
So in fact, these are 2 new patches for Debian: one that should complete the primary fast bugfix, the second to add some more security.