[OpenIndiana-discuss] Bash bug issue

Bayard Bell buffer.g.overflow at gmail.com
Tue Oct 7 11:07:13 UTC 2014


No new CVE. This looks to be a proper fix for CVE-2014-6278, where the
assessment is that the parser bugs that make this exploitable were already
addressed either by the Red Hat patches or upstream patch 027. That's what
I gather between these sources:

https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00032.html
http://lcamtuf.blogspot.co.uk/2014/09/bash-bug-apply-unofficial-patch-now.html
http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html

Note that patch 030 for bash 4.3 is attributed to lcamtuf. I've not found
any security responders who shipped previously available fixes telling
people that they need to ship these further changes as an urgent response
or even that they have to have them. Red Hat explicitly references
lcamtuf's blog post as independent confirmation of their analysis and fixes.

Cheers,
Bayard

On 7 October 2014 04:19, Richard L. Hamilton <rlhamil at smart.net> wrote:

> Which CVE is that, or is it something else?
>
> On Oct 6, 2014, at 9:35 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us>
> wrote:
>
> > The gift keeps on giving.  There is yet another related security patch
> > for bash.  Here is the one for bash 4.3:
> >
> > http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html
> >
> > Bob
> > --
> > Bob Friesenhahn
> > bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> > GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
> >
> > _______________________________________________
> > openindiana-discuss mailing list
> > openindiana-discuss at openindiana.org
> > http://openindiana.org/mailman/listinfo/openindiana-discuss
> >

