Mageia alert MGASA-2014-0388 (bash)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2014-0388: Updated bash packages fix CVE-2014-6271 
Date:
    	     
 
Wed, 24 Sep 2014 20:42:22 +0200
Message-ID:
    	     
 
<20140924184222.4585F431EF@valstar.mageia.org>
MGASA-2014-0388 - Updated bash packages fix CVE-2014-6271

Publication date: 24 Sep 2014
URL: http://advisories.mageia.org/MGASA-2014-0388.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-6271

Description:
Updated bash packages fix security vulnerability:

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).

Bash has been updated version 4.2 patch level 37 to patch level 48 to fix
this issue, as well as several other bugs.  See the upstream patches for
details on the other bugs.

This vulnerability can be exposed and exploited through several other
pieces of software and should be considered highly critical.  Please refer
to the RedHat Knowledge Base article and blog post for more information.

All users and sysadmins are advised to update their bash package immediately.

References:
- https://bugs.mageia.org/show_bug.cgi?id=14167
- https://rhn.redhat.com/errata/RHSA-2014-1293.html
- https://access.redhat.com/articles/1200223
-
https://securityblog.redhat.com/2014/09/24/bash-specially...
- ftp://ftp.cwru.edu/pub/bash/bash-4.2-patches/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

SRPMS:
- 4/core/bash-4.2-48.1.mga4
- 3/core/bash-4.2-48.1.mga3