ID

VAR-201409-1155

CVE

CVE-2014-7169

TITLE

GNU Bash shell executes commands in exported functions in environment variables

DESCRIPTION

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. ============================================================================ Ubuntu Security Notice USN-2363-2 September 26, 2014 bash vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Bash allowed bypassing environment restrictions in certain environments. Due to a build issue, the patch for CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem. We apologize for the inconvenience. (CVE-2014-7169) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.3 In general, a standard system update will make all the necessary changes. NOTE: The vCAS product is vulnerable only if DHCP is enabled. NOTE: HP recommends to not power-down or disconnect the vCAS until the update is available. MITIGATION INFORMATION A Shellshock attack requires the definition of an environment variable introduced into Bash. The vCAS has three attack vectors: SSH, the lighttpd web server, and the DHCP client. - The exploit does not elevate privileges. The DHCP client uses Bash scripts and is vulnerable to Shellshock. The DHCP exploit can be mitigated by ensuring that DHCP is disabled on the vCAS. Note: HP strongly discourages the use of DHCP on the vCAS. The web UI forces the vCAS user to assign a static IP address and change the hp-admin password. A vCAS user must manually configure DHCP for use on the vCAS. A vCAS user can verify that DHCP is disabled by inspecting the file "/etc/network/interfaces" and ensuring that the "iface" line for device "eth0" is set for a static IP. Please refer to the RESOLUTION section below for a list of impacted products. Bash shipped with GNV 3.0-1 and previous versions are impacted by .Shellshock. vulnerability. Note: all versions of HP Thin Pro and HP Smart Zero Core operating systems prior to version 5.1.0 are affected by this vulnerability. If you participated in the ThinPro 5.1.0 beta program upgrade to the release version as soon as it becomes available. The update can be also downloaded directly from ftp://ftp.hp.com/pub/tcdebian /updates/5.0/service_packs/SecurityUpdate-CVE20146271-CVE20147169-all-5.0-x86 .xar Or via softpaq delivery at: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe HP ThinPro and HP Smart Zero Core (x86) v4.4.x A component update is currently available through Easy Update as: SecurityUpdate-CVE20146271-CVE20147169-all-4.4-x86.xar . Or can be downloaded directly from ftp://ftp.hp.com/pub/tcdebian/updates/4.4/ service_packs/SecurityUpdate-CVE20146271-CVE20147169-all-4.4-x86.xar Or via softpaq delivery at: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe HP ThinPro and HP Smart Zero Core (ARM) v4.4.x A component update is currently available through Easy Update as: SecurityUpdate-CVE20146271-CVE20147169-all-4.4-arm.xar . HP Vertica AMI's and Virtual Machines prior to v7.1.1-0. HP has released the following updates to resolve this vulnerability for HP Vertica products. Update to the latest VM image available at: https://my.vertica.com For customers using the AMI version HP Vertica Analytics platform, please install the latest image available at Amazon. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2014 Hewlett-Packard Development Company, L.P. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: bash security update Advisory ID: RHSA-2014:1311-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1311.html Issue date: 2014-09-26 CVE Names: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 ===================================================================== 1. Summary: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64 Red Hat Enterprise Linux AUS (v. 6.2 server) - x86_64 Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64 Red Hat Enterprise Linux EUS (v. 5.9 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.4) - x86_64 Red Hat Enterprise Linux LL (v. 5.6 server) - i386, ia64, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.4) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.4) - i386, ppc64, s390x, x86_64 3. Description: The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create Bash functions as environment variables need to be made aware of the changes to the way names are handled by this update. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use "yum update" within their containers, and to commit the resulting changes. For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux AS (v. 4 ELS): Source: bash-3.0-27.el4.4.src.rpm i386: bash-3.0-27.el4.4.i386.rpm bash-debuginfo-3.0-27.el4.4.i386.rpm ia64: bash-3.0-27.el4.4.i386.rpm bash-3.0-27.el4.4.ia64.rpm bash-debuginfo-3.0-27.el4.4.i386.rpm bash-debuginfo-3.0-27.el4.4.ia64.rpm x86_64: bash-3.0-27.el4.4.x86_64.rpm bash-debuginfo-3.0-27.el4.4.x86_64.rpm Red Hat Enterprise Linux ES (v. 4 ELS): Source: bash-3.0-27.el4.4.src.rpm i386: bash-3.0-27.el4.4.i386.rpm bash-debuginfo-3.0-27.el4.4.i386.rpm x86_64: bash-3.0-27.el4.4.x86_64.rpm bash-debuginfo-3.0-27.el4.4.x86_64.rpm Red Hat Enterprise Linux LL (v. 5.6 server): Source: bash-3.2-24.el5_6.2.src.rpm i386: bash-3.2-24.el5_6.2.i386.rpm bash-debuginfo-3.2-24.el5_6.2.i386.rpm ia64: bash-3.2-24.el5_6.2.i386.rpm bash-3.2-24.el5_6.2.ia64.rpm bash-debuginfo-3.2-24.el5_6.2.i386.rpm bash-debuginfo-3.2-24.el5_6.2.ia64.rpm x86_64: bash-3.2-24.el5_6.2.x86_64.rpm bash-debuginfo-3.2-24.el5_6.2.x86_64.rpm Red Hat Enterprise Linux EUS (v. 5.9 server): Source: bash-3.2-32.el5_9.3.src.rpm i386: bash-3.2-32.el5_9.3.i386.rpm bash-debuginfo-3.2-32.el5_9.3.i386.rpm ia64: bash-3.2-32.el5_9.3.i386.rpm bash-3.2-32.el5_9.3.ia64.rpm bash-debuginfo-3.2-32.el5_9.3.i386.rpm bash-debuginfo-3.2-32.el5_9.3.ia64.rpm ppc: bash-3.2-32.el5_9.3.ppc.rpm bash-debuginfo-3.2-32.el5_9.3.ppc.rpm s390x: bash-3.2-32.el5_9.3.s390x.rpm bash-debuginfo-3.2-32.el5_9.3.s390x.rpm x86_64: bash-3.2-32.el5_9.3.x86_64.rpm bash-debuginfo-3.2-32.el5_9.3.x86_64.rpm Red Hat Enterprise Linux HPC Node EUS (v. 6.4): Source: bash-4.1.2-15.el6_4.2.src.rpm x86_64: bash-4.1.2-15.el6_4.2.x86_64.rpm bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.4): Source: bash-4.1.2-15.el6_4.2.src.rpm x86_64: bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm bash-doc-4.1.2-15.el6_4.2.x86_64.rpm Red Hat Enterprise Linux AUS (v. 6.2 server): Source: bash-4.1.2-9.el6_2.2.src.rpm x86_64: bash-4.1.2-9.el6_2.2.x86_64.rpm bash-debuginfo-4.1.2-9.el6_2.2.x86_64.rpm Red Hat Enterprise Linux Server EUS (v. 6.4): Source: bash-4.1.2-15.el6_4.2.src.rpm i386: bash-4.1.2-15.el6_4.2.i686.rpm bash-debuginfo-4.1.2-15.el6_4.2.i686.rpm ppc64: bash-4.1.2-15.el6_4.2.ppc64.rpm bash-debuginfo-4.1.2-15.el6_4.2.ppc64.rpm s390x: bash-4.1.2-15.el6_4.2.s390x.rpm bash-debuginfo-4.1.2-15.el6_4.2.s390x.rpm x86_64: bash-4.1.2-15.el6_4.2.x86_64.rpm bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm Red Hat Enterprise Linux Server Optional AUS (v. 6.2): Source: bash-4.1.2-9.el6_2.2.src.rpm x86_64: bash-debuginfo-4.1.2-9.el6_2.2.x86_64.rpm bash-doc-4.1.2-9.el6_2.2.x86_64.rpm Red Hat Enterprise Linux Server Optional EUS (v. 6.4): Source: bash-4.1.2-15.el6_4.2.src.rpm i386: bash-debuginfo-4.1.2-15.el6_4.2.i686.rpm bash-doc-4.1.2-15.el6_4.2.i686.rpm ppc64: bash-debuginfo-4.1.2-15.el6_4.2.ppc64.rpm bash-doc-4.1.2-15.el6_4.2.ppc64.rpm s390x: bash-debuginfo-4.1.2-15.el6_4.2.s390x.rpm bash-doc-4.1.2-15.el6_4.2.s390x.rpm x86_64: bash-debuginfo-4.1.2-15.el6_4.2.x86_64.rpm bash-doc-4.1.2-15.el6_4.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-7169.html https://www.redhat.com/security/data/cve/CVE-2014-7186.html https://www.redhat.com/security/data/cve/CVE-2014-7187.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/articles/1200223 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUJau9XlSAg2UNWIIRAhKkAKC931kAxA4S4exwT4uGhDr7uDFIKQCglKKS N0AJiOto/RXwBqHtbfr1wkM= =SeAK -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Open the PXE Configuration Utility on the HP Insight Control server deployment window Select Linux Managed from the Boot Menu options Click the Edit button. Clicking the Edit button displays the Edit Shared Menu Option window Uncheck the x86 option in Operating System and Processor Options and click OK. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04558068 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04558068 Version: 1 HPSBMU03246 rev.1 - HP Insight Control for Linux Central Management Server Pre-boot Execution Environment running Bash Shell, Multiple Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-02-02 Last Updated: 2015-02-02 Potential Security Impact: Multiple vulnerabilities Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP Insight Control for Linux Central Management Server Pre-boot Execution Environment that could be exploited remotely resulting in Denial of Service (DoS), disclosure of information, and other vulnerabilities. References: CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 CVE-2014-7196 SSRT101742 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Insight Control for Linux Central Management Server Pre-boot Execution Environment running Bash Shell BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7196 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following instructions to resolve these vulnerabilities. Follow these steps to update the HP Insight Control for Linux Central Management Server Pre-boot Execution Environment: NOTE: The following procedure updates the bash shell on the Linux Pre-boot Execution Environment. Please update the Bash shell version on the HP Insight Control for Linux Central Management Server also. On the Production RHEL 6.2 OS: a. Prepare temporary directory for Bash update software: # mkdir -p $HOME/tmp/bash # cd $HOME/tmp/bash # pwd <home directory>/tmp/bash b. c. Extract the Bash update software package. # rpm2cpio bash-4.1.2-15.el6_4.2.i686.rpm| cpio -idmv d. Verify the version of the Bash update software: # ./bin/bash --version GNU bash, version 4.1.2(1)-release (i686-redhat-linux-gnu) e. Verify version dependencies: # ldd ./bin/bash linux-gate.so.1 => (0x008a7000) libtinfo.so.5 => /lib/libtinfo.so.5 (0x00459000) libdl.so.2 => /lib/libdl.so.2 (0x002c0000) libc.so.6 => /lib/libc.so.6 (0x0012e000) /lib/ld-linux.so.2 (0x00108000) f. Create archive file from '/lib' to copy and install on the Insight Control for Linux Central Management Server Pre-boot Execution Environment system: # mkdir $HOME/tmp/lib # cd /lib # cp * $HOME/tmp/lib # cd $HOME/tmp # pwd <home directory>/tmp # tar cvf bash_lib.tar * 2. Download the new archive file '$HOME/tmp/bash_lib.tar' from the Production RHEL 6.2 OS system to the Insight Control for Linux Central Management Server Pre-boot Execution Environment system. On the HP Insight Control for Linux Central Managment Server Pre-boot Execution Environment system: a. Create a temporary folder for the toolkit and copy the toolkit there : # mkdir -p $HOME/tmp/temp-toolkit # cp /usr/share/systemimager/boot/i386/standard/toolkit.tar.gz $HOME/tmp/temp-toolkit b. Extract the file 'toolkit.tar.gz' into the temporary folder: # cd $HOME/tmp/temp-toolkit # tar zxvf toolkit.tar.gz # mv $HOME/tmp/temp-toolkit/toolkit.tar.gz /tmp c. Verify the version of the toolkit Bash: # $HOME/tmp/temp-toolkit/bin/bash --version GNU bash, version 3.2.0(1)-release (i386-pc-linux-gnu) Copyright (C) 2005 Free Software Foundation, Inc. d. Verify dependencies versions: # ldd $HOME/tmp/temp-toolkit/bin/bash linux-gate.so.1 => (0xffffe000) libtermcap.so.2 => /lib/libtermcap.so.2 (0xf7f8c000) libdl.so.2 => /lib/libdl.so.2 (0x008bf000) libc.so.6 => /lib/libc.so.6 (0x00777000) /lib/ld-linux.so.2 (0x00755000) e. Extract the archive 'bash_lib.tar' to directory '$HOME/tmp/bash_lib' . Then copy the bash binary and the library files to their respective locations: # tar xvf $HOME/tmp/bash_lib # cp $HOME/tmp/bash_lib/bash/bash $HOME/tmp/temp-toolkit/bin # cp $HOME/tmp/bash_lib/lib/* $HOME/tmp/temp-toolkit/lib f. Create the updated toolkit gzipped archive file and place in /usr/share/systemimager/boot/i386/standard # tar czvf toolkit.tar.gz * # cp toolkit.tar.gz /usr/share/systemimager/boot/i386/standard HISTORY Version:1 (rev.1) - 2 February 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. HP StoreEver ESL E-series Tape Library - Disable DHCP and only use static IP addressing. HP Virtual Library System (VLS) - Disable DHCP and only use static IP addressing. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/bash-4.2.048-i486-2_slack14.1.txz: Rebuilt. Patched an additional trailing string processing vulnerability discovered by Tavis Ormandy. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.018-i486-2_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.018-x86_64-2_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.012-i486-2_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.012-x86_64-2_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.012-i486-2_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.012-x86_64-2_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.048-i486-2_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.048-x86_64-2_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.048-i486-2_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-2_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.025-i486-2.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.025-x86_64-2.txz MD5 signatures: +-------------+ Slackware 13.0 package: 93780575208505d17b5305b202294e16 bash-3.1.018-i486-2_slack13.0.txz Slackware x86_64 13.0 package: 6ec269c8e958cd6265821b480af8e5d7 bash-3.1.018-x86_64-2_slack13.0.txz Slackware 13.1 package: 21235413470903bb8eec907acb5b3248 bash-4.1.012-i486-2_slack13.1.txz Slackware x86_64 13.1 package: e69bacaf484e8f924c09eacd91c8c737 bash-4.1.012-x86_64-2_slack13.1.txz Slackware 13.37 package: fa05abe5c8d6557ec1cef124e5d877ce bash-4.1.012-i486-2_slack13.37.txz Slackware x86_64 13.37 package: 97a0005c1e0701c8912dc30f8a6f2908 bash-4.1.012-x86_64-2_slack13.37.txz Slackware 14.0 package: d319186a0ab7e85562684669afc878c3 bash-4.2.048-i486-2_slack14.0.txz Slackware x86_64 14.0 package: 8835dc729d6029fc20b6b1b1df72ce13 bash-4.2.048-x86_64-2_slack14.0.txz Slackware 14.1 package: fbb4b906de3a8f9bf5209fcc80e2a413 bash-4.2.048-i486-2_slack14.1.txz Slackware x86_64 14.1 package: a786b69705d1ebb67fbf31df9d032699 bash-4.2.048-x86_64-2_slack14.1.txz Slackware -current package: bba7e4260df8c4d91d99dbf13d44ec79 a/bash-4.3.025-i486-2.txz Slackware x86_64 -current package: 7c9a285415bd636469da0cf405bb5692 a/bash-4.3.025-x86_64-2.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg bash-4.2.048-i486-2_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Relevant releases/architectures: SJIS (v. Shift_JIS, also known as "SJIS", is a character encoding for the Japanese language. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted

AFFECTED PRODUCTS