From: Mark Hatle <mark.hatle@windriver.com>
To: <yocto@yoctoproject.org>
Subject: Re: [OE-core] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
Date: Fri, 26 Sep 2014 09:03:08 -0500	[thread overview]
Message-ID: <5425721C.4000008@windriver.com> (raw)
In-Reply-To: <CALNVO6bKcz5f_nhK_vYqC83z4_cw4W=L3FYVL7oOenY6PhCQog@mail.gmail.com>

On 9/25/14, 10:00 PM, Francesco Del Degan wrote:
> Yes, patch 026 that fixes CVE-2014-7169 is underway, should be pushed out today:
>
> http://www.openwall.com/lists/oss-security/2014/09/26/1
>
> bash-4.2 (as in dora) got patch048 for CVE-2014-6179 and should receive patch049
> as well.
>
> I'm going to send bash 3.2 and 4.2 patches in oe core ml.

There are two additional issues as well.

CVE-2014-7186 - bash: parser can allow out-of-bounds memory access while
handling redir_stack

CVE-2014-7187 - bash: off-by-one error in deeply nested flow control constructs

(The above two are so new they are not yet published on the CVE web sites.)

A patch for these has been posted to the oss-security list, but has not yet been 
validated by the bash maintainer.

We'll need to watch for this as well.

--Mark

>
> On Fri, Sep 26, 2014 at 1:15 AM, Burton, Ross <ross.burton@intel.com> wrote:
>
>     On 25 September 2014 23:48, Mark Hatle <mark.hatle@windriver.com> wrote:
>     > So I would recommend that someone get the 025 patch (don't forget to patch
>     > bash 3.2 as well) in.. and we should wait until there is an official one for
>     > 7169.
>
>     Agreed, and patches sent.
>
>     Ross
>     --
>     _______________________________________________
>     yocto mailing list
>     yocto@yoctoproject.org
>     https://lists.yoctoproject.org/listinfo/yocto
>
>
>
>
> --
> :: e n d i a n
> :: security with passion
>
> :: Francesco Del Degan
> :: software engineer
> :: http://www.endian.com :: f.deldegan (AT) endian.com
>
>

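The thread tracks which bash patch level carries which Shellshock fix (4.3: 025 for CVE-2014-6271, 026 for CVE-2014-7169; 4.2: 048 and the expected 049). The script below is an added example, not code from the thread or from the Yocto/OE-core patches: it reads `BASH_VERSINFO` from a bash binary and classifies it against those minimum levels. The table of levels is taken from the messages above; bash 3.2 is mentioned without a patch number, and CVE-2014-7186/7187 had no validated patch yet, so neither is covered and the result is "unknown" for 3.2. Patch level alone is only an inventory signal, not proof that a distribution's backported fix is absent.

```shell
#!/bin/sh
# Added example (not from the thread). Minimum bash patch levels that the
# thread names as carrying the Shellshock fixes:
#   4.3 -> 026 (025 = CVE-2014-6271, 026 = CVE-2014-7169)
#   4.2 -> 049 (048 = CVE-2014-6271, 049 = follow-up)
# 3.2 is named without a patch number, so it is reported as "unknown".
# CVE-2014-7186/7187 had no validated patch at the time and are not tracked.

# Print the minimum patch level for a major.minor, or "unknown".
min_patchlevel() {
    case "$1" in
        4.3) echo 26 ;;
        4.2) echo 49 ;;
        *)   echo unknown ;;
    esac
}

# Classify a version string of the form major.minor.patchlevel
# (e.g. "4.3.25") as "fixed", "vulnerable" or "unknown".
classify_bash() {
    ver="$1"
    mm=$(printf '%s' "$ver" | cut -d. -f1-2)
    pl=$(printf '%s' "$ver" | cut -d. -f3)
    need=$(min_patchlevel "$mm")
    if [ "$need" = unknown ]; then
        echo unknown
    elif [ "${pl:-0}" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Report the version of the bash binary at $1 as major.minor.patchlevel.
# BASH_VERSINFO[2] is the patch level; no function import is involved.
installed_bash_version() {
    "$1" -c 'printf "%s.%s.%s\n" "${BASH_VERSINFO[0]}" "${BASH_VERSINFO[1]}" "${BASH_VERSINFO[2]}"'
}

# Example run against the system bash, if one is on PATH.
if command -v bash >/dev/null 2>&1; then
    v=$(installed_bash_version bash)
    printf 'bash %s: %s\n' "$v" "$(classify_bash "$v")"
fi
```

Run it on each host (or against a target sysroot's bash with `installed_bash_version /path/to/bash`) to see which images still sit on a pre-026 / pre-049 level; extend `min_patchlevel` once the 3.2 number and the CVE-2014-7186/7187 patch levels are confirmed.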


Thread overview: 9+ messages
2014-09-25 10:35 [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271) Francesco Del Degan
2014-09-25 22:40 ` Burton, Ross
2014-09-25 22:48   ` [yocto] " Mark Hatle
2014-09-25 22:48     ` Mark Hatle
2014-09-25 23:15     ` [yocto] " Burton, Ross
2014-09-25 23:15       ` [OE-core] " Burton, Ross
2014-09-26  3:00       ` Francesco Del Degan
2014-09-26 14:03         ` Mark Hatle [this message]
2014-09-26  3:10   ` Francesco Del Degan
