
CERT RENATER advisories

By default, this page shows the most recent messages sent by CERT RENATER to the community. You can filter by year or by message type. If no criterion is specified, only the most recent messages are shown.

Date: Mon, 29 Sep 2014 19:03:57 +0200
Type: VULN
Subject: CERT-Renater : 2014/VULN208 (SUSE : new openSUSE and SUSE bash Security Updates CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187)
====================================================================
                           CERT-Renater

               Information Note No. 2014/VULN208
_____________________________________________________________________

DATE                : 29/09/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  openSUSE version 13.2, 12.3, 13.1,
                      SUSE Linux Enterprise Server version 10, 11,
                      SUSE Linux Enterprise Software Development Kit version 11 SP3,
                      openSUSE Evergreen version 11.4.

======================================================================
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00043.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00038.html
______________________________________________________________________

   openSUSE Security Update: bash
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1254-1
Rating:             critical
References:         #895475 #896776
Cross-References:   CVE-2014-6271 CVE-2014-7169 CVE-2014-7186
                    CVE-2014-7187
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:


   bash was updated to fix command injection via environment variables
   (CVE-2014-6271, CVE-2014-7169).

   Also, a hardening patch was applied that only imports functions over
   BASH_FUNC_ prefixed environment variables.

   Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE
   documents and a for-loop issue.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2014-567

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      bash-4.2-75.4.1
      bash-debuginfo-4.2-75.4.1
      bash-debugsource-4.2-75.4.1
      bash-devel-4.2-75.4.1
      bash-loadables-4.2-75.4.1
      bash-loadables-debuginfo-4.2-75.4.1
      libreadline6-6.2-75.4.1
      libreadline6-debuginfo-6.2-75.4.1
      readline-devel-6.2-75.4.1

   - openSUSE 13.2 (x86_64):

      bash-debuginfo-32bit-4.2-75.4.1
      libreadline6-32bit-6.2-75.4.1
      libreadline6-debuginfo-32bit-6.2-75.4.1
      readline-devel-32bit-6.2-75.4.1

   - openSUSE 13.2 (noarch):

      bash-doc-4.2-75.4.1
      bash-lang-4.2-75.4.1
      readline-doc-6.2-75.4.1
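As an added example (not part of the SUSE advisory or of CERT-Renater's text), the following Python script compares installed bash/readline packages against the fixed openSUSE 13.2 builds listed above, the way an administrator would triage a fleet after this advisory. The `rpm -qa` output is constructed sample data, and the version comparison reimplements rpm's segment-wise rule (tilde/caret handling omitted).

```python
import re

# Fixed version-release for openSUSE 13.2, from openSUSE-SU-2014:1254-1 above
FIXED = {
    "bash": "4.2-75.4.1",
    "libreadline6": "6.2-75.4.1",
    "readline-devel": "6.2-75.4.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
SAMPLE_RPM_QA = """\
bash-4.2-75.3.1
libreadline6-6.2-75.4.1
readline-devel-6.2-75.3.1
zsh-5.0.5-5.1.2
"""

def rpmvercmp(a, b):
    """Segment-wise rpm version comparison: -1, 0 or 1 (tilde/caret omitted)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # rpm compares runs of digits or letters
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)           # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1 # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with more segments is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_qa_output, fixed=FIXED):
    """Return {name: installed version-release} for tracked packages older than the fix."""
    result = {}
    for line in rpm_qa_output.splitlines():
        m = re.match(r"^(.+)-([^-]+)-([^-]+)$", line.strip())
        if not m:
            continue
        name, ver, rel = m.groups()
        if name in fixed and vr_cmp(f"{ver}-{rel}", fixed[name]) < 0:
            result[name] = f"{ver}-{rel}"
    return result
```

On the sample data, `unpatched(SAMPLE_RPM_QA)` reports bash and readline-devel as still below the fixed build, so the host still needs `zypper in -t patch openSUSE-2014-567`.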


References:

   http://support.novell.com/security/cve/CVE-2014-6271.html
   http://support.novell.com/security/cve/CVE-2014-7169.html
   http://support.novell.com/security/cve/CVE-2014-7186.html
   http://support.novell.com/security/cve/CVE-2014-7187.html
   https://bugzilla.suse.com/show_bug.cgi?id=895475
   https://bugzilla.suse.com/show_bug.cgi?id=896776

______________________________________________________________________

openSUSE Security Update: update for bash
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1248-1
Rating: important
References: #896776
Affected Products:
openSUSE Evergreen 11.4
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for bash completely disables the importing of shell functions
from the environment and thereby removes the exposure of the parser to
untrusted/harmful environments.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Evergreen 11.4:

zypper in -t patch 2014-90

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Evergreen 11.4 (i586 x86_64):

bash-4.1-20.35.1
bash-debuginfo-4.1-20.35.1
bash-debugsource-4.1-20.35.1
bash-devel-4.1-18.35.1
bash-loadables-4.1-18.35.1
bash-loadables-debuginfo-4.1-18.35.1
libreadline6-6.1-18.35.1
libreadline6-debuginfo-6.1-18.35.1
readline-devel-6.1-18.35.1

- openSUSE Evergreen 11.4 (x86_64):

bash-debuginfo-32bit-4.1-20.35.1
libreadline6-32bit-6.1-18.35.1
libreadline6-debuginfo-32bit-6.1-18.35.1
readline-devel-32bit-6.1-18.35.1

- openSUSE Evergreen 11.4 (noarch):

bash-doc-4.1-18.35.1
bash-lang-4.1-20.35.1
readline-doc-6.1-18.35.1

- openSUSE Evergreen 11.4 (ia64):

bash-debuginfo-x86-4.1-20.35.1
bash-x86-4.1-20.35.1
libreadline6-debuginfo-x86-6.1-18.35.1
libreadline6-x86-6.1-18.35.1


References:

https://bugzilla.suse.com/show_bug.cgi?id=896776

-- 
______________________________________________________________________



SUSE Security Update: Security update for bash
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:1247-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187

Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP2 LTSS
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP4 LTSS
SUSE Linux Enterprise Server 10 SP3 LTSS
SUSE Linux Enterprise Desktop 11 SP3

______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:


The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).

Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and is less serious due to the
special, non-default system configuration that is needed to create an
exploitable situation.

To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.

Additionally, two other security issues have been fixed:

* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.

Security Issues:

* CVE-2014-7169

* CVE-2014-7186

* CVE-2014-7187



Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP3:

zypper in -t patch sdksp3-bash-9780

- SUSE Linux Enterprise Server 11 SP3 for VMware:

zypper in -t patch slessp3-bash-9780

- SUSE Linux Enterprise Server 11 SP3:

zypper in -t patch slessp3-bash-9780

- SUSE Linux Enterprise Server 11 SP2 LTSS:

zypper in -t patch slessp2-bash-9781

- SUSE Linux Enterprise Server 11 SP1 LTSS:

zypper in -t patch slessp1-bash-9782

- SUSE Linux Enterprise Desktop 11 SP3:

zypper in -t patch sledsp3-bash-9780

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):

readline-devel-5.2-147.22.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (ppc64 s390x x86_64):

readline-devel-32bit-5.2-147.22.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):

libreadline5-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):

bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64):

libreadline5-32bit-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):

bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64):

libreadline5-32bit-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP3 (ia64):

bash-x86-3.2-147.22.1
libreadline5-x86-5.2-147.22.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64):

libreadline5-32bit-5.2-147.14.22.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

bash-3.2-147.14.22.1
bash-doc-3.2-147.14.22.1
libreadline5-5.2-147.14.22.1
readline-doc-5.2-147.14.22.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64):

libreadline5-32bit-5.2-147.14.22.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

bash-3.1-24.34.1
readline-5.1-24.34.1
readline-devel-5.1-24.34.1

- SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64):

readline-32bit-5.1-24.34.1
readline-devel-32bit-5.1-24.34.1

- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

bash-3.1-24.34.1
readline-5.1-24.34.1
readline-devel-5.1-24.34.1

- SUSE Linux Enterprise Server 10 SP3 LTSS (s390x x86_64):

readline-32bit-5.1-24.34.1
readline-devel-32bit-5.1-24.34.1

- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64):

bash-3.2-147.22.1
bash-doc-3.2-147.22.1
libreadline5-5.2-147.22.1
readline-doc-5.2-147.22.1

- SUSE Linux Enterprise Desktop 11 SP3 (x86_64):

libreadline5-32bit-5.2-147.22.1


References:

http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604

-- 

______________________________________________________________________

openSUSE Security Update: bash
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1229-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187

Affected Products:
openSUSE 12.3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:


The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).

Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and it is less serious due to
the special, non-default system configuration that is needed to create an
exploitable situation.

To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.

Additionally, two more security issues were fixed in bash:

* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-563

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.3 (i586 x86_64):

bash-4.2-61.15.1
bash-debuginfo-4.2-61.15.1
bash-debugsource-4.2-61.15.1
bash-devel-4.2-61.15.1
bash-loadables-4.2-61.15.1
bash-loadables-debuginfo-4.2-61.15.1
libreadline6-6.2-61.15.1
libreadline6-debuginfo-6.2-61.15.1
readline-devel-6.2-61.15.1

- openSUSE 12.3 (x86_64):

bash-debuginfo-32bit-4.2-61.15.1
libreadline6-32bit-6.2-61.15.1
libreadline6-debuginfo-32bit-6.2-61.15.1
readline-devel-32bit-6.2-61.15.1

- openSUSE 12.3 (noarch):

bash-doc-4.2-61.15.1
bash-lang-4.2-61.15.1
readline-doc-6.2-61.15.1


References:

http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604

-- 
______________________________________________________________________


openSUSE Security Update: bash
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1242-1
Rating: important
References: #898346 #898603 #898604
Cross-References: CVE-2014-7169 CVE-2014-7186 CVE-2014-7187

Affected Products:
openSUSE 13.1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:


The command-line shell 'bash' evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).

Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and it is less serious due to
the special, non-default system configuration that is needed to create an
exploitable situation.

To remove further exploitation potential we now limit the
function-in-environment variable to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.

Additionally, two more security issues were fixed in bash:

* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-564

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (i586 x86_64):

bash-4.2-68.8.1
bash-debuginfo-4.2-68.8.1
bash-debugsource-4.2-68.8.1
bash-devel-4.2-68.8.1
bash-loadables-4.2-68.8.1
bash-loadables-debuginfo-4.2-68.8.1
libreadline6-6.2-68.8.1
libreadline6-debuginfo-6.2-68.8.1
readline-devel-6.2-68.8.1

- openSUSE 13.1 (x86_64):

bash-debuginfo-32bit-4.2-68.8.1
libreadline6-32bit-6.2-68.8.1
libreadline6-debuginfo-32bit-6.2-68.8.1
readline-devel-32bit-6.2-68.8.1

- openSUSE 13.1 (noarch):

bash-doc-4.2-68.8.1
bash-lang-4.2-68.8.1
readline-doc-6.2-68.8.1


References:

http://support.novell.com/security/cve/CVE-2014-7169.html
http://support.novell.com/security/cve/CVE-2014-7186.html
http://support.novell.com/security/cve/CVE-2014-7187.html
https://bugzilla.suse.com/show_bug.cgi?id=898346
https://bugzilla.suse.com/show_bug.cgi?id=898603
https://bugzilla.suse.com/show_bug.cgi?id=898604

-- 

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
