* Serious Bash security vulnerabilities
From: Ludovic Courtès @ 2014-09-25 13:14 UTC
To: guix-devel
Yesterday a serious Bash vulnerability was disclosed, which led to the
creation of the bash-cve-2014-6271 branch which is now half built:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://seclists.org/oss-sec/2014/q3/650
http://hydra.gnu.org/jobset/gnu/bash-cve-2014-6271
However, a few hours later, the fix was found to be incomplete:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
Currently a patch has been posted by the Bash maintainer, but there have
been no reactions yet, and it’s not on ftp.gnu.org yet:
http://seclists.org/oss-sec/2014/q3/690
We’ll apply it as soon as there’s some confirmation that it does
solve the problem, and get Hydra to rebuild the whole thing. We’ll
merge the branch as soon as a reasonable subset has been built.
Ludo’.
* Re: Serious Bash security vulnerabilities
From: Ludovic Courtès @ 2014-09-26 7:55 UTC
To: guix-devel
We’ve decided to merge the ‘bash-cve-2014-6271’ branch: it’s an
incomplete fix, but it’s already an improvement, and it’s completely
built on Hydra for x86.
As for what’s next, quoting Mark on IRC:
<mark_weaver> the other three patches I'm aware of are:
http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch
(from Chet),
http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch
(seems non-controversial), and
http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch
(more radical hardening, not fully compatible, but maybe still a
good idea) [09:40]
[...]
<mark_weaver> FYI, this following message assigns two CVEs (CVE-2014-7186 and
CVE-2014-7187) to the two flaws fixed by the parse-oob patch:
http://seclists.org/oss-sec/2014/q3/735 [09:45]
<mark_weaver> my feeling is that we should create another branch with at least
the eol-pushback and parse-oob patches applied, and start hydra
building it
Ludo’.
* Re: Serious Bash security vulnerabilities
From: Ludovic Courtès @ 2014-09-26 22:05 UTC
To: guix-devel
ludo@gnu.org (Ludovic Courtès) writes:
> <mark_weaver> the other three patches I'm aware of are:
> http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch
> (from Chet),
> http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch
> (seems non-controversial), and
> http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch
> (more radical hardening, not fully compatible, but maybe still a
> good idea) [09:40]
The ‘bash-cve-next’ branch applies the first two patches and is now
being built:
http://hydra.gnu.org/jobset/gnu/bash-cve-next
Ludo’.