AW: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

AW: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash

hans.paffrath
Hallo,

this security update für bash was also available for SLES10SP4 without LTSS.

After the installation of this patch, it was no longer possible to create at Jobs. Now SuSE fixed this "bug", and I found a new at for SLES11SP3 and SLES10SP4 LTSS from October 15.

Will this patch be available for SLES10SP4 without LTSS too?

Greetings
Hans Paffrath

Stadt Köln - Der Oberbürgermeister
Amt für Informationsverarbeitung
Willy-Brandt-Platz 3
50679 Köln

Telefon: 0221/221-26085
Telefax: 0221/221-22845
E-Mail: [hidden email]
Internet: www.stadt-koeln.de



-----Ursprüngliche Nachricht-----
Von: [hidden email] [mailto:[hidden email]]
Gesendet: Sonntag, 28. September 2014 19:05
An: [hidden email]
Betreff: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash

   SUSE Security Update: Security update for bash ______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1247-1
Rating:             important
References:         #898346 #898603 #898604
Cross-References:   CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
                    SUSE Linux Enterprise Server 10 SP4 LTSS
                    SUSE Linux Enterprise Server 10 SP3 LTSS
                    SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:


   The command-line shell 'bash' evaluates environment variables, which
   allows the injection of characters and might be used to access files on
   the system in some circumstances (CVE-2014-7169).

   Please note that this issue is different from a previously fixed
   vulnerability tracked under CVE-2014-6271 and is less serious due to the
   special, non-default system configuration that is needed to create an
   exploitable situation.

   To remove further exploitation potential we now limit the
   function-in-environment variable to variables prefixed with BASH_FUNC_.
   This hardening feature is work in progress and might be improved in later
   updates.

   Additionally, two other security issues have been fixed:

       * CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
       * CVE-2014-7187: Nesting of for loops could lead to a crash of bash.

   Security Issues:

       * CVE-2014-7169
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
       * CVE-2014-7186
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
       * CVE-2014-7187
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-bash-9780

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-bash-9780

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-bash-9780

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-bash-9781

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-bash-9782

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-bash-9780

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      readline-devel-5.2-147.22.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

      readline-devel-32bit-5.2-147.22.1

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

      libreadline5-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

      bash-3.2-147.22.1
      bash-doc-3.2-147.22.1
      libreadline5-5.2-147.22.1
      readline-doc-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

      libreadline5-32bit-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

      bash-3.2-147.22.1
      bash-doc-3.2-147.22.1
      libreadline5-5.2-147.22.1
      readline-doc-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

      libreadline5-32bit-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64):

      bash-x86-3.2-147.22.1
      libreadline5-x86-5.2-147.22.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.22.1
      bash-doc-3.2-147.14.22.1
      libreadline5-5.2-147.14.22.1
      readline-doc-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

      bash-3.2-147.14.22.1
      bash-doc-3.2-147.14.22.1
      libreadline5-5.2-147.14.22.1
      readline-doc-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

      libreadline5-32bit-5.2-147.14.22.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

      bash-3.1-24.34.1
      readline-5.1-24.34.1
      readline-devel-5.1-24.34.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

      readline-32bit-5.1-24.34.1
      readline-devel-32bit-5.1-24.34.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      bash-3.1-24.34.1
      readline-5.1-24.34.1
      readline-devel-5.1-24.34.1

   - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

      readline-32bit-5.1-24.34.1
      readline-devel-32bit-5.1-24.34.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

      bash-3.2-147.22.1
      bash-doc-3.2-147.22.1
      libreadline5-5.2-147.22.1
      readline-doc-5.2-147.22.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

      libreadline5-32bit-5.2-147.22.1


References:

   http://support.novell.com/security/cve/CVE-2014-7169.html
   http://support.novell.com/security/cve/CVE-2014-7186.html
   http://support.novell.com/security/cve/CVE-2014-7187.html
   https://bugzilla.suse.com/show_bug.cgi?id=898346
   https://bugzilla.suse.com/show_bug.cgi?id=898603
   https://bugzilla.suse.com/show_bug.cgi?id=898604
   http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e84591918b9e
   http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba93df6f
   http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7a7f43
   http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd7491f09f
   http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2ada90

--
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: AW: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash

Thomas Biege
Hello,

I will take care that the "at" update will also be made available
without LTSS entitlement.

Bye,
Thomas

On 16.10.2014 09:36, [hidden email] wrote:

> Hallo,
>
> this security update für bash was also available for SLES10SP4 without LTSS.
>
> After the installation of this patch, it was no longer possible to create at Jobs. Now SuSE fixed this "bug", and I found a new at for SLES11SP3 and SLES10SP4 LTSS from October 15.
>
> Will this patch be available for SLES10SP4 without LTSS too?
>
> Greetings
> Hans Paffrath
>
> Stadt Köln - Der Oberbürgermeister
> Amt für Informationsverarbeitung
> Willy-Brandt-Platz 3
> 50679 Köln
>
> Telefon: 0221/221-26085
> Telefax: 0221/221-22845
> E-Mail: [hidden email]
> Internet: www.stadt-koeln.de
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: [hidden email] [mailto:[hidden email]]
> Gesendet: Sonntag, 28. September 2014 19:05
> An: [hidden email]
> Betreff: [security-announce] SUSE-SU-2014:1247-1: important: Security update for bash
>
>    SUSE Security Update: Security update for bash ______________________________________________________________________________
>
> Announcement ID:    SUSE-SU-2014:1247-1
> Rating:             important
> References:         #898346 #898603 #898604
> Cross-References:   CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
>                    
> Affected Products:
>                     SUSE Linux Enterprise Software Development Kit 11 SP3
>                     SUSE Linux Enterprise Server 11 SP3 for VMware
>                     SUSE Linux Enterprise Server 11 SP3
>                     SUSE Linux Enterprise Server 11 SP2 LTSS
>                     SUSE Linux Enterprise Server 11 SP1 LTSS
>                     SUSE Linux Enterprise Server 10 SP4 LTSS
>                     SUSE Linux Enterprise Server 10 SP3 LTSS
>                     SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________
>
>    An update that fixes three vulnerabilities is now available.
>
> Description:
>
>
>    The command-line shell 'bash' evaluates environment variables, which
>    allows the injection of characters and might be used to access files on
>    the system in some circumstances (CVE-2014-7169).
>
>    Please note that this issue is different from a previously fixed
>    vulnerability tracked under CVE-2014-6271 and is less serious due to the
>    special, non-default system configuration that is needed to create an
>    exploitable situation.
>
>    To remove further exploitation potential we now limit the
>    function-in-environment variable to variables prefixed with BASH_FUNC_.
>    This hardening feature is work in progress and might be improved in later
>    updates.
>
>    Additionally, two other security issues have been fixed:
>
>        * CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
>        * CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
>
>    Security Issues:
>
>        * CVE-2014-7169
>          <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
>        * CVE-2014-7186
>          <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
>        * CVE-2014-7187
>          <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>
>
>
> Patch Instructions:
>
>    To install this SUSE Security Update use YaST online_update.
>    Alternatively you can run the command listed for your product:
>
>    - SUSE Linux Enterprise Software Development Kit 11 SP3:
>
>       zypper in -t patch sdksp3-bash-9780
>
>    - SUSE Linux Enterprise Server 11 SP3 for VMware:
>
>       zypper in -t patch slessp3-bash-9780
>
>    - SUSE Linux Enterprise Server 11 SP3:
>
>       zypper in -t patch slessp3-bash-9780
>
>    - SUSE Linux Enterprise Server 11 SP2 LTSS:
>
>       zypper in -t patch slessp2-bash-9781
>
>    - SUSE Linux Enterprise Server 11 SP1 LTSS:
>
>       zypper in -t patch slessp1-bash-9782
>
>    - SUSE Linux Enterprise Desktop 11 SP3:
>
>       zypper in -t patch sledsp3-bash-9780
>
>    To bring your system up-to-date, use "zypper patch".
>
>
> Package List:
>
>    - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
>
>       readline-devel-5.2-147.22.1
>
>    - SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):
>
>       readline-devel-32bit-5.2-147.22.1
>
>    - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
>
>       libreadline5-5.2-147.22.1
>
>    - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
>
>       bash-3.2-147.22.1
>       bash-doc-3.2-147.22.1
>       libreadline5-5.2-147.22.1
>       readline-doc-5.2-147.22.1
>
>    - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):
>
>       libreadline5-32bit-5.2-147.22.1
>
>    - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
>
>       bash-3.2-147.22.1
>       bash-doc-3.2-147.22.1
>       libreadline5-5.2-147.22.1
>       readline-doc-5.2-147.22.1
>
>    - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):
>
>       libreadline5-32bit-5.2-147.22.1
>
>    - SUSE Linux Enterprise Server 11 SP3 (ia64):
>
>       bash-x86-3.2-147.22.1
>       libreadline5-x86-5.2-147.22.1
>
>    - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):
>
>       bash-3.2-147.14.22.1
>       bash-doc-3.2-147.14.22.1
>       libreadline5-5.2-147.14.22.1
>       readline-doc-5.2-147.14.22.1
>
>    - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):
>
>       libreadline5-32bit-5.2-147.14.22.1
>
>    - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):
>
>       bash-3.2-147.14.22.1
>       bash-doc-3.2-147.14.22.1
>       libreadline5-5.2-147.14.22.1
>       readline-doc-5.2-147.14.22.1
>
>    - SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):
>
>       libreadline5-32bit-5.2-147.14.22.1
>
>    - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):
>
>       bash-3.1-24.34.1
>       readline-5.1-24.34.1
>       readline-devel-5.1-24.34.1
>
>    - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):
>
>       readline-32bit-5.1-24.34.1
>       readline-devel-32bit-5.1-24.34.1
>
>    - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
>
>       bash-3.1-24.34.1
>       readline-5.1-24.34.1
>       readline-devel-5.1-24.34.1
>
>    - SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):
>
>       readline-32bit-5.1-24.34.1
>       readline-devel-32bit-5.1-24.34.1
>
>    - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):
>
>       bash-3.2-147.22.1
>       bash-doc-3.2-147.22.1
>       libreadline5-5.2-147.22.1
>       readline-doc-5.2-147.22.1
>
>    - SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
>
>       libreadline5-32bit-5.2-147.22.1
>
>
> References:
>
>    http://support.novell.com/security/cve/CVE-2014-7169.html
>    http://support.novell.com/security/cve/CVE-2014-7186.html
>    http://support.novell.com/security/cve/CVE-2014-7187.html
>    https://bugzilla.suse.com/show_bug.cgi?id=898346
>    https://bugzilla.suse.com/show_bug.cgi?id=898603
>    https://bugzilla.suse.com/show_bug.cgi?id=898604
>    http://download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e84591918b9e
>    http://download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba93df6f
>    http://download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7a7f43
>    http://download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd7491f09f
>    http://download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2ada90
>
> --
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

--
Thomas Biege <[hidden email]>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach


signature.asc (567 bytes) Download Attachment