bug-bash

CVE-2014-7169 vs CVE-2014-6271


From: Alan Wild
Subject: CVE-2014-7169 vs CVE-2014-6271
Date: Fri, 26 Sep 2014 11:58:35 -0500

I've been searching for some clarification on these two "fixes" and I'm
utterly confused.  I've been led to believe RedHat's first patch (6271) is
based on code from Chet that just causes bash to reject functions where
code appears outside of the function body.

However, this patch was labeled as "insufficient" and 7169 now appears to
completely remove the ability to receive function definitions from the
environment.

I have production code that requires function exporting that's going to be
broken by 7169.  Is this some knee-jerk reaction by just RedHat or is this
a revised patch from Chet marking a change in bash functionality?

My company's cybersecurity folks are pushing to install 7169 as soon as
possible and while I'm trying to push back I need to know if this is a
strategic change in direction for bash, RHEL, or what, exactly.  (Because I
need to know how extensively I need to rearchitect my application).

-Alan

-- 
alan@madllama.net http://humbleville.blogspot.com

