ID

VAR-201409-1156

CVE

CVE-2014-6271

TITLE

GNU Bash shell executes commands in exported functions in environment variables

DESCRIPTION

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: bash security update Advisory ID: RHSA-2014:1293-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1293.html Issue date: 2014-09-24 CVE Names: CVE-2014-6271 ===================================================================== 1. Summary: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1141597 - CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: bash-3.2-33.el5.1.src.rpm i386: bash-3.2-33.el5.1.i386.rpm bash-debuginfo-3.2-33.el5.1.i386.rpm x86_64: bash-3.2-33.el5.1.x86_64.rpm bash-debuginfo-3.2-33.el5.1.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: bash-3.2-33.el5.1.src.rpm i386: bash-3.2-33.el5.1.i386.rpm bash-debuginfo-3.2-33.el5.1.i386.rpm ia64: bash-3.2-33.el5.1.i386.rpm bash-3.2-33.el5.1.ia64.rpm bash-debuginfo-3.2-33.el5.1.i386.rpm bash-debuginfo-3.2-33.el5.1.ia64.rpm ppc: bash-3.2-33.el5.1.ppc.rpm bash-debuginfo-3.2-33.el5.1.ppc.rpm s390x: bash-3.2-33.el5.1.s390x.rpm bash-debuginfo-3.2-33.el5.1.s390x.rpm x86_64: bash-3.2-33.el5.1.x86_64.rpm bash-debuginfo-3.2-33.el5.1.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm i386: bash-4.1.2-15.el6_5.1.i686.rpm bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm x86_64: bash-4.1.2-15.el6_5.1.x86_64.rpm bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm i386: bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm bash-doc-4.1.2-15.el6_5.1.i686.rpm x86_64: bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm bash-doc-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm x86_64: bash-4.1.2-15.el6_5.1.x86_64.rpm bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm x86_64: bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm bash-doc-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm i386: bash-4.1.2-15.el6_5.1.i686.rpm bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm ppc64: bash-4.1.2-15.el6_5.1.ppc64.rpm bash-debuginfo-4.1.2-15.el6_5.1.ppc64.rpm s390x: bash-4.1.2-15.el6_5.1.s390x.rpm bash-debuginfo-4.1.2-15.el6_5.1.s390x.rpm x86_64: bash-4.1.2-15.el6_5.1.x86_64.rpm bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm i386: bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm bash-doc-4.1.2-15.el6_5.1.i686.rpm ppc64: bash-debuginfo-4.1.2-15.el6_5.1.ppc64.rpm bash-doc-4.1.2-15.el6_5.1.ppc64.rpm s390x: bash-debuginfo-4.1.2-15.el6_5.1.s390x.rpm bash-doc-4.1.2-15.el6_5.1.s390x.rpm x86_64: bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm bash-doc-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm i386: bash-4.1.2-15.el6_5.1.i686.rpm bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm x86_64: bash-4.1.2-15.el6_5.1.x86_64.rpm bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: bash-4.1.2-15.el6_5.1.src.rpm i386: bash-debuginfo-4.1.2-15.el6_5.1.i686.rpm bash-doc-4.1.2-15.el6_5.1.i686.rpm x86_64: bash-debuginfo-4.1.2-15.el6_5.1.x86_64.rpm bash-doc-4.1.2-15.el6_5.1.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: bash-4.2.45-5.el7_0.2.src.rpm x86_64: bash-4.2.45-5.el7_0.2.x86_64.rpm bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm bash-doc-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: bash-4.2.45-5.el7_0.2.src.rpm x86_64: bash-4.2.45-5.el7_0.2.x86_64.rpm bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm bash-doc-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: bash-4.2.45-5.el7_0.2.src.rpm ppc64: bash-4.2.45-5.el7_0.2.ppc64.rpm bash-debuginfo-4.2.45-5.el7_0.2.ppc64.rpm s390x: bash-4.2.45-5.el7_0.2.s390x.rpm bash-debuginfo-4.2.45-5.el7_0.2.s390x.rpm x86_64: bash-4.2.45-5.el7_0.2.x86_64.rpm bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: bash-debuginfo-4.2.45-5.el7_0.2.ppc64.rpm bash-doc-4.2.45-5.el7_0.2.ppc64.rpm s390x: bash-debuginfo-4.2.45-5.el7_0.2.s390x.rpm bash-doc-4.2.45-5.el7_0.2.s390x.rpm x86_64: bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm bash-doc-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: bash-4.2.45-5.el7_0.2.src.rpm x86_64: bash-4.2.45-5.el7_0.2.x86_64.rpm bash-debuginfo-4.2.45-5.el7_0.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-6271.html https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/articles/1200223 8. These vulnerabilities ("Padding Oracle on Downgraded Legacy Encryption" or "POODLE", Heartbleed, and Shellshock) could be exploited remotely to create a Denial of Service (DoS), allow unauthorized access, or disclose information. ============================================================================ Ubuntu Security Notice USN-2362-1 September 24, 2014 bash vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: Bash allowed bypassing environment restrictions in certain environments. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.1 Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.2 Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.1 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- CA20141001-01: Security Notice for Bash Shellshock Vulnerability Issued: October 01, 2014 Updated: October 03, 2014 CA Technologies is investigating multiple GNU Bash vulnerabilities, referred to as the "Shellshock" vulnerabilities, which were publicly disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 have been assigned to these vulnerabilities. The CA Technologies Enterprise Information Security team has led a global effort to identify and remediate systems and products discovered with these vulnerabilities. We continue to patch our systems as fixes become available, and we are providing fixes for affected CA Technologies products. CA Technologies continues to aggressively scan our environments (including servers, networks, external facing applications, and SaaS environments) to proactively monitor, identify, and remediate any vulnerability when necessary. Risk Rating High Platform AIX Android (not vulnerable, unless rooted) Apple iOS (not vulnerable unless jailbroken) Linux Mac OS X Solaris Windows (not vulnerable unless Cygwin or similar ported Linux tools with Bash shell are installed) Other UNIX/BSD based systems if Bash is installed Any other OS or JeOS that utilizes Bash Affected Products The following products have been identified as potentially vulnerable, and we have made fixes available for all of these products. CA API Management (Linux appliance only) CA Application Performance Management (TIM is the only affected APM component) CA Application Performance Management Cloud Monitor CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM) CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management Portal) CA User Activity Reporting Module (Enterprise Log Manager) Note: This security notice will be updated if other CA Technologies products are determined to be vulnerable. In most cases, the Bash vulnerabilities will need to be patched by OS vendors. Exceptions may include CA Technologies appliances, and software products that include Linux, UNIX or Mac OS X based operating systems (that include Bash). Affected Components CentOS Cygwin GNU Bash Red Hat Enterprise Linux SUSE Linux Non-Affected Products IMPORTANT NOTE: This listing includes only a small subset of the unaffected CA Technologies products. We're including unaffected products that customers have already inquired about. While the following CA Technologies products are not directly affected by the Bash vulnerabilities, the underlying operating systems that CA Technologies software is installed on may be vulnerable. We strongly encourage our customers to follow the recommendations provided by their vendors for all operating systems they utilize. All CA SaaS / On Demand products were either not vulnerable or have already been patched. CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does not execute CGI scripts, or spawn or execute shell commands from within the app. AHS infrastructure already patched. CA Asset Portfolio Management CA AuthMinder (Arcot WebFort) CA AuthMinder for Business Users CA AuthMinder for Consumers CA AutoSys products - We use the bash shell that comes with the operating system and the customer is responsible for patching their OS. Additionally, the agents themselves do not distribute any scripts that use bash. CA Clarity On Demand CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or use it, but because we are deployed on RHEL, customers may be indirectly affected. Customers using RHEL should apply patches provided by Red Hat. CA Console Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA ControlMinder CA DataMinder (formerly DLP) products – Software and appliance confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH or Web apps are used in these agents. Customers should patch bash shell on any Linux server with DataMinder agents. DataMinder agents should continue to function normally. CA Digital Payments SaaS (previously patched) CA Directory CA eCommerce SaaS / On Demand (previously patched) CA Endevor Software Change Manager CA Federation (formerly SiteMinder Federation) CA GovernanceMinder CA IdentityMinder CA Infrastructure Management CA JCLCheck CA Job Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA NetQoS GigaStor Observer Expert CA Network Flow Analysis CA Performance Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA RiskMinder CA Service Desk Manager CA Service Operations Insight (SOI) CA SiteMinder CA SOLVE:Access CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes from your underlying operating system vendor. CA Strong Authentication CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA Top Secret CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA Virtual Assurance for Infrastructure Managers (VAIM) Solution CA Technologies has issued the following fixes to address the vulnerabilities. CA API Management: Patches for Linux appliance are available through CA Support to customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0, 7.1, 8.0, 8.1, 8.1.1, 8.1.02). CA Application Performance Management: KB article for APM TIM has been published. APM TIM is the only part of APM that was affected. Refer to TEC618037. CA Application Performance Management Cloud Monitor: New images are available for subscribers. Download the latest OPMS version 8.2.1.5. For assistance, contact CA Support. CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM): Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do not use Bash at all for the CEM operating system that we have shipped in the past. This means that customers who patch the OS will not impact the ability of the CEM TIMsoft from operating. However prior to version 9.6, the TIM installation script does use the bash shell. See new KB article TEC618037 for additional information. CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal): Fixes for all Bash vulnerabilities and a security bulletin are available on the Layer 7 Support website. CA User Activity Reporting Module (Enterprise Log Manager): All 12.5 and 12.6 GA versions are potentially affected. Patches provided on 2014-09-30. To get the patch, use the OS update functionality to get the latest R12.6 SP1 subscription update. Note that you can update R12.5 SPx with the R12.6 SP1 OS update. For assistance, contact CA Support. Workaround None To help mitigate the risk, we do strongly encourage all customers to follow patch management best practices, and in particular for operating systems affected by the Bash Shellshock vulnerabilities. References CVE-2014-6271 - Bash environment variable command injection CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271 CVE-2014-7186 - Bash parser redir_stack memory corruption CVE-2014-7187 - Bash nested flow control constructs off-by-one CVE-2014-6277 - Bash untrusted pointer use uninitialized memory CVE-2014-6278 - Bash environment variable command injection CA20141001-01: Security Notice for Bash Shellshock Vulnerability https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Change History v1.0: 2014-10-01, Initial Release v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM, Clarity OD, All SaaS/OD products to list of Non-Affected Products. v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated UARM solution info. If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com. PGP key: support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Security Notices https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Ken Williams Director, Product Vulnerability Response Team CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com Ken.Williams@ca.com | vuln@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsBVAwUBVDK+PZI1FvIeMomJAQFl/Af/TqrSE/h4r3gs9PwrWKdt21PCRI3za9Lx M5ZyTdVDIQ9ybgPkLqsovNRPgVqd7zwDHsx0rzvF5Y82uO+vQ63BuEV2GnczAax/ EiAW4WVxUgWG+lAowGV55Of8ruv/gOiAWTjFhkqpsyVg96ZMw2HLG62IwZL1j0qa oLCu0y3VrGvqH0g2hi75QwHAjNCdlEsD4onUqTCc9cRTdLwFCZrUQ8KTrqIL7LK5 Uo5T9C1UeAyNTo3KiJ/zw3BCOTkpl99dmg3NW0onU/1r1CXdlyS7opLB+GJ+xGwP xRQdUsOIhzfRzx7bsao2D43IhDnzJBBFJHdeMPo18WBTfJ7aUgBwGQ== =B62b -----END PGP SIGNATURE----- . No other firmware stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below for the MDS products. HP has released and posted the Cisco switch software version NX-OS 6.2(9a) on HP Support Center (HPSC). This software versions 6.2(9a) has included the fixes for the vulnerability in HP StoreFabric C-series MDS switches which currently supporting NX-OS 6.X releases. HP has released and posted the Cisco switch software version NX-OS 5.2(8e) on HP Support Center (HPSC). This software version 5.2(8e) has included the fix for the vulnerability in HP C-series MDS switches which currently supporting NX-OS 5.X releases. All MDS and Nexus 5K switches can function in this configuration. Access is available through the console port. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/bash-4.2.048-i486-1_slack14.1.txz: Upgraded. In many common configurations (such as the use of CGI scripts), this vulnerability is exploitable over the network. Thanks to Stephane Chazelas for discovering this issue. For more information, see: http://seclists.org/oss-sec/2014/q3/650 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.018-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.018-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.012-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.012-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.012-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.012-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.048-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.048-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.048-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.025-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.025-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 package: 0f1b811376d3d2c5361f3454622a362e bash-3.1.018-i486-1_slack13.0.txz Slackware x86_64 13.0 package: 9d727bed3e447a3b12055101982f7fc7 bash-3.1.018-x86_64-1_slack13.0.txz Slackware 13.1 package: f9da6c83129abec534a8e0425f0bbdde bash-4.1.012-i486-1_slack13.1.txz Slackware x86_64 13.1 package: f1bbea2829c3b800dc401ba911d47b61 bash-4.1.012-x86_64-1_slack13.1.txz Slackware 13.37 package: d8eb30ddaa6c5c227a9263702fd81eae bash-4.1.012-i486-1_slack13.37.txz Slackware x86_64 13.37 package: 3854601f9152bc780730c48dd686ef27 bash-4.1.012-x86_64-1_slack13.37.txz Slackware 14.0 package: d01b294288a5f8ead15f0cf160bb38bd bash-4.2.048-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 324cc2cdedff1b8d6a355e013c42d5b1 bash-4.2.048-x86_64-1_slack14.0.txz Slackware 14.1 package: f7f18cd323b727fac2e6bbf9cab8213b bash-4.2.048-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 0dee161f7eede16fe5d9394bd231bfd7 bash-4.2.048-x86_64-1_slack14.1.txz Slackware -current package: d9bcc4828e311bc901b47f3460421f75 a/bash-4.3.025-i486-1.txz Slackware x86_64 -current package: c7bc5ec4b3e9ac3022ad6a718ae19d7b a/bash-4.3.025-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg bash-4.2.048-i486-1_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Open the PXE Configuration Utility on the HP Insight Control server deployment window Select Linux Managed from the Boot Menu options Click the Edit button. Clicking the Edit button displays the Edit Shared Menu Option window Uncheck the x86 option in Operating System and Processor Options and click OK. Release Date: 2014-11-11 Last Updated: 2014-11-11 Potential Security Impact: Remote code execution Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP StoreFabric H-series switches running Bash Shell. References: CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 SSRT101747 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. All HP StoreFabric H-series switches BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP is actively working on a firmware update to resolve the vulnerability in HP StoreFabric H-series switches. MITIGATION INFORMATION HP recommends the following steps to reduce the risk of this vulnerability: - Place the HP StoreFabric H-series switch and other data center critical infrastructure behind a firewall to disallow access from the Internet. - Change all HP StoreFabric switch default account passwords, including the root passwords, from the default factory passwords. - Examine the list of accounts, including ones on the switch and those existing on remote authentication servers such as RADIUS, LDAP, and TACAS+, to ensure only necessary personnel can gain access to HP StoreFabric H-series switches. Delete guest accounts and temporary accounts created for one-time usage needs. - To avoid possible exploit through the embedded web GUI, QuickTools, disable the web server with the following procedure: NOTE: After completing this procedure, the user will not be able to manage the switch using QuickTools. Login to the Command Line Interface (CLI). Execute the "admin start" command to enter into an admin session. Execute the "set setup services" command and change setting for EmbeddedGUIEnabled to "False". HISTORY Version:1 (rev.1) - 11 November 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. For the stable distribution (wheezy), this problem has been fixed in version 4.2+dfsg-0.1+deb7u1

AFFECTED PRODUCTS