bug-bash

Re: Bash-4.3 Official Patch 26


From: Eric Blake
Subject: Re: Bash-4.3 Official Patch 26
Date: Sat, 27 Sep 2014 00:21:13 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/26/2014 06:58 PM, Nathan McGarvey wrote:
>     Pardon my catching up. This (and all the other related patches for
> other past versions) is to remedy CVE-2014-7169 and CVE-2014-6271 was
> remedied by the previous Patch 25 (and related set for all other
> versions.) Is this correct? Or are there still outstanding issues?

If _all_ you apply is patch 25 and 26, then you are STILL vulnerable to
ShellShock (we know of at least CVE-2014-7186 and CVE-2014-7187 that are
also ShellShock attack points, and there are probably more).  For a more
comprehensive read, see:
https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00238.html

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
