From: ludo@gnu.org (Ludovic Courtès)
Subject: Serious Bash security vulnerabilities
Date: Thu, 25 Sep 2014 15:14:18 +0200
Message-ID: <87wq8rj105.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel

Yesterday a serious Bash vulnerability was disclosed, which led to the creation of the bash-cve-2014-6271 branch which is now half built:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://seclists.org/oss-sec/2014/q3/650
http://hydra.gnu.org/jobset/gnu/bash-cve-2014-6271

However, a few hours later, the fix was found to be incomplete:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

Currently a patch has been posted by the Bash maintainer, but there have been no reactions yet, and it’s not on ftp.gnu.org yet:

http://seclists.org/oss-sec/2014/q3/690

We’ll apply it as soon as there’s some confirmation that it does solve the problem, and get Hydra to rebuild the whole thing. We’ll merge the branch as soon as a reasonable subset has been built.

Ludo’.
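The mail waits for confirmation that the follow-up patch really closes CVE-2014-7169 before rebuilding. As an added example that is not part of Ludo's mail or of Guix itself, here is a POSIX sh self-check a packager can run against the rebuilt bash (assumed to be the `bash` on PATH) to confirm both CVEs are closed before merging; it uses the self-test inputs published with the two advisories and only touches the local binary and a throwaway temp directory.

```shell
#!/bin/sh
# Added example, not from the original mail: check whether the bash on PATH
# still carries CVE-2014-6271 or the incomplete-fix follow-up CVE-2014-7169.
# Each check prints "vulnerable" (status 1), "patched" (status 0) or
# "no-bash" (status 2).

# CVE-2014-6271: a function definition exported in the environment must not
# make bash run the text that follows the function body while importing it.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: after the first patch, leftover parser state from a malformed
# exported function could turn the next command into a redirection. On a
# vulnerable bash the probe leaves a file named "echo" in the working
# directory; a fixed bash just echoes the word "date" and creates nothing.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    tmp=$(mktemp -d) || { echo "no-bash"; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo "vulnerable"; return 1
    fi
    rm -rf "$tmp"; echo "patched"; return 0
}

# Run both checks and succeed only if both are patched, so the script can
# gate a rebuild or merge step (exit status is the verdict).
shellshock_status() {
    a=$(check_cve_2014_6271); ra=$?
    b=$(check_cve_2014_7169); rb=$?
    echo "CVE-2014-6271: $a"
    echo "CVE-2014-7169: $b"
    [ "$ra" -eq 0 ] && [ "$rb" -eq 0 ]
}

shellshock_status
```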