RE: [security-announce] SUSE-SU-2014:1259-1: important: bash


RE: [security-announce] SUSE-SU-2014:1259-1: important: bash

Wendy Palm
How can we access these rpms without using YaST online_update - where is the repository?  

> -----Original Message-----
> From: [hidden email] [mailto:opensuse-
> [hidden email]]
> Sent: Tuesday, September 30, 2014 10:05 AM
> To: [hidden email]
> Subject: [security-announce] SUSE-SU-2014:1259-1: important: bash
>
>    SUSE Security Update: bash
> ______________________________________________________________________________
>
> Announcement ID:    SUSE-SU-2014:1259-1
> Rating:             important
> References:         #898346 #898603 #898604
> Cross-References:   CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
>
> Affected Products:
>                     SUSE Linux Enterprise Software Development Kit 12
>                     SUSE Linux Enterprise Server 12
>                     SUSE Linux Enterprise Desktop 12
>                      12
> ______________________________________________________________________________
>
>    An update that fixes three vulnerabilities is now available.
>
> Description:
>
>
>    The command-line shell 'bash' evaluates environment variables, which
>    allows the injection of characters and might be used to access files on
>    the system in some circumstances (CVE-2014-7169).
>
>    Please note that this issue is different from a previously fixed
>    vulnerability tracked under CVE-2014-6271 and it is less serious due to
>    the special, non-default system configuration that is needed to create an
>    exploitable situation.
>
>    To remove further exploitation potential we now limit the
>    function-in-environment variable to variables prefixed with BASH_FUNC_ .
>    This hardening feature is work in progress and might be improved in later
>    updates.
>
>    Additionally two more security issues were fixed in bash: CVE-2014-7186:
>    Nested HERE documents could lead to a crash of bash.
>
>    CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
>
>
> Patch Instructions:
>
>    To install this SUSE Security Update use YaST online_update.
>    Alternatively you can run the command listed for your product:
>
>    - SUSE Linux Enterprise Software Development Kit 12:
>
>       zypper in -t patch SUSE-SLE-SDK-12-2014-63
>
>    - SUSE Linux Enterprise Server 12:
>
>       zypper in -t patch SUSE-SLE-SERVER-12-2014-63
>
>    - SUSE Linux Enterprise Desktop 12:
>
>       zypper in -t patch SUSE-SLE-DESKTOP-12-2014-63
>
>    -  12:
>
>       zypper in -t patch SUSE-SLE-WE-12-2014-63
>
>    To bring your system up-to-date, use "zypper patch".
>
>
> Package List:
>
>    - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
>
>       bash-debuginfo-4.2-81.1
>       bash-debugsource-4.2-81.1
>       bash-devel-4.2-81.1
>       readline-devel-6.2-81.1
>
>    - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
>
>       bash-4.2-81.1
>       bash-debuginfo-4.2-81.1
>       bash-debugsource-4.2-81.1
>       libreadline6-6.2-81.1
>       libreadline6-debuginfo-6.2-81.1
>
>    - SUSE Linux Enterprise Server 12 (noarch):
>
>       bash-doc-4.2-81.1
>       readline-doc-6.2-81.1
>
>    - SUSE Linux Enterprise Desktop 12 (x86_64):
>
>       bash-4.2-81.1
>       bash-debuginfo-4.2-81.1
>       bash-debugsource-4.2-81.1
>       libreadline6-6.2-81.1
>       libreadline6-debuginfo-6.2-81.1
>
>    - SUSE Linux Enterprise Desktop 12 (noarch):
>
>       bash-doc-4.2-81.1
>       bash-lang-4.2-81.1
>       readline-doc-6.2-81.1
>
>    -  12 (noarch):
>
>       bash-lang-4.2-81.1
>
>
> References:
>
>    http://support.novell.com/security/cve/CVE-2014-7169.html
>    http://support.novell.com/security/cve/CVE-2014-7186.html
>    http://support.novell.com/security/cve/CVE-2014-7187.html
>    https://bugzilla.suse.com/show_bug.cgi?id=898346
>    https://bugzilla.suse.com/show_bug.cgi?id=898603
>    https://bugzilla.suse.com/show_bug.cgi?id=898604
>
> --
> To unsubscribe, e-mail: opensuse-security-
> [hidden email]
> For additional commands, e-mail: opensuse-security-
> [hidden email]

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
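
An added example, not part of the original thread or of SUSE's tooling: a check that a host carries at least the fixed builds named in the advisory's package list (bash-4.2-81.1, libreadline6-6.2-81.1). The function names and the sample rpm output are constructed for illustration, and the comparison is a simplified form of RPM's version ordering that assumes no epoch, tilde or caret in the version strings.

```python
import re

# Fixed version-release values taken from the advisory's package list.
FIXED = {"bash": "4.2-81.1", "libreadline6": "6.2-81.1"}

def _segments(s):
    # RPM compares runs of digits or letters; separators such as '.' are skipped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified RPM ordering: returns -1, 0 or 1 (no epoch/tilde/caret)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric compare, so 81 > 9
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks letters
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare two 'version-release' strings, version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_lines):
    """rpm_lines: text from
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' bash libreadline6
    Returns {package: 'ok' | 'needs update'} for packages the advisory lists."""
    report = {}
    for line in rpm_lines.strip().splitlines():
        name, vr = line.split()
        if name in FIXED:
            fixed = compare_vr(vr, FIXED[name]) >= 0
            report[name] = "ok" if fixed else "needs update"
    return report

# Constructed sample output: bash predates the fix, libreadline6 matches it.
SAMPLE = """\
bash 4.2-75.2
libreadline6 6.2-81.1
"""

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{pkg}: {state} (fixed in {FIXED[pkg]})")
```
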


RE: [security-announce] SUSE-SU-2014:1259-1: important: bash

Marcus Meissner
Hi,

For SLE12 (currently still in RC phase) this is currently only possible with zypper or yast2 online update.

Ciao, Marcus
On Tue, Sep 30, 2014 at 03:22:28PM +0000, Wendy Palm wrote:

> How can we access these rpms without using YaST online_update - where is the repository?  
>
> > -----Original Message-----
> > From: [hidden email] [mailto:opensuse-
> > [hidden email]]
> > Sent: Tuesday, September 30, 2014 10:05 AM
> > To: [hidden email]
> > Subject: [security-announce] SUSE-SU-2014:1259-1: important: bash
> >
> >    SUSE Security Update: bash
> > ______________________________________________________________________________
> >
> > Announcement ID:    SUSE-SU-2014:1259-1
> > Rating:             important
> > References:         #898346 #898603 #898604
> > Cross-References:   CVE-2014-7169 CVE-2014-7186 CVE-2014-7187
> >
> > Affected Products:
> >                     SUSE Linux Enterprise Software Development Kit 12
> >                     SUSE Linux Enterprise Server 12
> >                     SUSE Linux Enterprise Desktop 12
> >                      12

This should have read "SUSE Linux Enterprise Workstation Extension 12".
