From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Serious Bash security vulnerabilities
Date: Sat, 27 Sep 2014 00:05:05 +0200
Message-ID: <87h9zu11im.fsf@gnu.org>
References: <87wq8rj105.fsf@gnu.org> <8761gag6jt.fsf@gnu.org>
In-Reply-To: <8761gag6jt.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel

ludo@gnu.org (Ludovic Courtès) wrote:

> the other three patches I'm aware of are:
> http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch
> (from Chet),
> http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch
> (seems non-controversial), and
> http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch
> (more radical hardening, not fully compatible, but maybe still a
> good idea) [09:40]

The ‘bash-cve-next’ branch applies the first two patches and is now
being built:

  http://hydra.gnu.org/jobset/gnu/bash-cve-next

Ludo’.