-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3035-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso September 25, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : bash CVE ID : CVE-2014-7169 Debian Bug : 762760 762761 Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure. Additionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin. For the stable distribution (wheezy), these problems have been fixed in version 4.2+dfsg-0.1+deb7u3. We recommend that you upgrade your bash packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJUJIZRAAoJEAVMuPMTQ89EBjMP/3QWVLlaIlKEiZ84LAwsyf5h DZXP9mTEnXOyPlwbsydG4qJNuv0QQvkDmy0nQm8J8U9tWtRuAPqfdE1O6qHnNQHY 9xFAMk+sro+F4gVuesiRshACy6qII2Ie20ypUT0uyj53Yd0FQwecKtHIMbbOW7AM xDNiMGlv4hzaVOTV3i9z+USsbbaqpTR1QSQMSzP0MPBnc+9idCIyg/LPU0ZJTirL Hdx9AMGk9tlD5BzU9CCA83xigOQ2c3DrAqxT2zidhGsHUVIE4+L2Q0jXwfIXi9B5 wp5DEbGdmfPO0ZuGP40m9T5todlCCPX2/sANePROLkYZjaBKFkptK1l2Kutk7pbE rPevXBUpLzwCN+nS0RRTDaqPyeAA9SIgaKHKeJ03cqs15LXJLbChJLVIwtw1TY35 /ZJaTthGxMwEfLzCvM/O/mwooFl5C7rhEMiDsE3dqVJer5UmbS2uUa0O6s5jFlbS azeEaat25RLQB96Q44gGM0BUvOWtyImApACEa4AW7EA4ElcjlqOlFszVqWL+8mXe uucRq2v14CUgSdo2WRC5WWIaYTtdgDcPqfzrL1ZwzO1QBggCOOgfTscUzvXQzcR3 oB30GhH3Wt8WcyjpMRsJsoU2gtA2QKMHKF252hNmuUsdYlYDxOQBr4Qdf0/t+dOg 2HiapmyVDkvxwSj70zlk =hYD1 -----END PGP SIGNATURE-----