bash: CVE-2014-7169: Incomplete fix for CVE-2014-6271

Related Vulnerabilities: CVE-2014-7169   CVE-2014-6271  

Debian Bug report logs - #762760


Package: bash; Maintainer for bash is Matthias Klose <doko@debian.org>; Source for bash is src:bash.

Reported by: "brian m. carlson" <sandals@crustytoothpaste.net>

Date: Wed, 24 Sep 2014 23:45:02 UTC

Severity: grave

Tags: patch, security

Merged with 762761

Found in versions bash/4.2+dfsg-0.1+deb7u1, bash/4.3-9.1, bash/4.1-3+deb6u1

Fixed in versions bash/4.1-3+deb6u2, bash/4.2+dfsg-0.1+deb7u3, bash/4.3-9.2, bash/4.2+dfsg-0.1+deb7u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>:
Bug#762760; Package bash. (Wed, 24 Sep 2014 23:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Wed, 24 Sep 2014 23:45:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bash: still vulnerable to environment exploits
Date: Wed, 24 Sep 2014 23:41:44 +0000
Package: bash
Version: 4.2+dfsg-0.1+deb7u1
Severity: critical
Tags: security

As Tavis Ormandy has tweeted[0], the existing patch is not sufficient to
solve the problem:

  vauxhall ok % dpkg -l bash | grep ^ii; rm -f echo; env X='() { (a)=>\' bash -c "echo date"; cat echo
  ii  bash           4.2+dfsg-0.1+deb7u1 amd64        GNU Bourne Again SHell
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  Wed Sep 24 23:32:32 UTC 2014

This means all Debian systems are still vulnerable, as bash is an
essential package.

[0] https://twitter.com/taviso/status/514887394294652929
-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii  base-files   7.5
ii  dash         0.5.7-4
ii  debianutils  4.4
ii  libc6        2.19-11
ii  libtinfo5    5.9+20140913-1

Versions of packages bash recommends:
pn  bash-completion  <none>

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Severity set to 'grave' from 'critical' Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 00:27:04 GMT) (full text, mbox, link).


Merged 762760 762761 Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 00:27:05 GMT) (full text, mbox, link).


Marked as found in versions bash/4.3-9.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 07:03:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#762760; Package bash. (Thu, 25 Sep 2014 09:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Teddy Hogeborn <teddy@recompile.se>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 25 Sep 2014 09:33:04 GMT) (full text, mbox, link).


Message #16 received at 762760@bugs.debian.org (full text, mbox, reply):

From: Teddy Hogeborn <teddy@recompile.se>
To: 762760@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: bash: still vulnerable to environment exploits
Date: Thu, 25 Sep 2014 11:21:21 +0200
tags 762760 +patch
stop

Chet Ramey has posted a patch for this (also attached):

http://www.openwall.com/lists/oss-security/2014/09/25/10

/Teddy Hogeborn
[eol-pushback.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Thu, 25 Sep 2014 09:33:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#762760; Package bash. (Thu, 25 Sep 2014 20:45:09 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 25 Sep 2014 20:45:09 GMT) (full text, mbox, link).


Message #23 received at 762760@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 762760@bugs.debian.org
Subject: Working on an update
Date: Thu, 25 Sep 2014 22:42:37 +0200
Hi,

The security team is working on an update which includes amongst others
the patch referenced in this bug.


Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#762760; Package bash. (Thu, 25 Sep 2014 20:51:10 GMT) (full text, mbox, link).


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 25 Sep 2014 20:51:10 GMT) (full text, mbox, link).


Message #28 received at 762760@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 762760@bugs.debian.org
Subject: retitle 762760 Re: Bug#762760: bash: CVE-2014-7169 due to incomplete fix
Date: Thu, 25 Sep 2014 21:49:20 +0100
# adding CVE number;  see
# http://www.openwall.com/lists/oss-security/2014/09/25/5
retitle 762760 Re: Bug#762760: bash: CVE-2014-7169 due to incomplete fix
# this issue was present before and after the fix for CVE-2014-6271
found 762760 4.3-9
found 762760 bash/4.2+dfsg-0.1
found 762760 bash/4.1-3
thanks



Changed Bug title to 'Re: Bug#762760: bash: CVE-2014-7169 due to incomplete fix' from 'bash: still vulnerable to environment exploits' Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 20:51:17 GMT) (full text, mbox, link).


Marked as found in versions bash/4.3-9. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 20:51:18 GMT) (full text, mbox, link).


Marked as found in versions bash/4.2+dfsg-0.1. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 20:51:20 GMT) (full text, mbox, link).


Marked as found in versions bash/4.1-3. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 20:51:22 GMT) (full text, mbox, link).


Marked as fixed in versions 4.1-3+deb6u2. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 22:39:08 GMT) (full text, mbox, link).


Marked as fixed in versions bash/4.2+dfsg-0.1+deb7u3. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 22:39:10 GMT) (full text, mbox, link).


Marked as fixed in versions bash/4.3-9.2. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 22:39:12 GMT) (full text, mbox, link).


Marked Bug as done Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 25 Sep 2014 22:39:13 GMT) (full text, mbox, link).


Notification sent to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer. (Thu, 25 Sep 2014 22:39:14 GMT) (full text, mbox, link).


Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 25 Sep 2014 22:51:08 GMT) (full text, mbox, link).


Notification sent to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer. (Thu, 25 Sep 2014 22:51:08 GMT) (full text, mbox, link).


Message #51 received at 762760-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 762760-close@bugs.debian.org
Subject: Bug#762760: fixed in bash 4.1-3+deb6u2
Date: Thu, 25 Sep 2014 22:48:37 +0000
Source: bash
Source-Version: 4.1-3+deb6u2

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762760@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 26 Sep 2014 00:10:13 +0200
Source: bash
Binary: bash bash-static bash-builtins bash-doc bashdb
Architecture: source all amd64
Version: 4.1-3+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 bash       - The GNU Bourne Again SHell
 bash-builtins - Bash loadable builtins - headers & examples
 bash-doc   - Documentation and examples for the The GNU Bourne Again SHell
 bash-static - The GNU Bourne Again SHell (static version)
 bashdb     - The GNU Bourne Again SHell Debugger
Closes: 762760 762761
Changes: 
 bash (4.1-3+deb6u2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add variables-affix.patch patch.
     Apply patch from Florian Weimer to add prefix and suffix for environment
     variable names which contain shell functions.
   * Add parser-oob.patch patch.
     Fixes two out-of-bound array accesses in the bash parser.
   * Add CVE-2014-7169.diff diff.
     CVE-2014-7169: Incomplete fix for CVE-2014-6271. (Closes: #762760, #762761)





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Thu, 25 Sep 2014 22:51:09 GMT) (full text, mbox, link).


Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Thu, 25 Sep 2014 22:51:09 GMT) (full text, mbox, link).


Message #56 received at 762761-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 762761-close@bugs.debian.org
Subject: Bug#762761: fixed in bash 4.1-3+deb6u2
Date: Thu, 25 Sep 2014 22:48:37 +0000
Source: bash
Source-Version: 4.1-3+deb6u2

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762761@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)





Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#762760; Package bash. (Thu, 25 Sep 2014 23:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Kaz Kylheku <kaz@kylheku.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 25 Sep 2014 23:36:08 GMT) (full text, mbox, link).


Message #61 received at 762760@bugs.debian.org (full text, mbox, reply):

From: Kaz Kylheku <kaz@kylheku.com>
To: 762760@bugs.debian.org
Subject: Real fix, please!
Date: Thu, 25 Sep 2014 16:33:52 -0700
Can someone provide a patch which removes the whole stupid misfeature 
from bash?

Programs do not need to inject executable code into their children via 
environment variables, even if it is parsed properly. Shell scripted 
applications should properly source all of the functions which they 
need. Personal scripts can obtain functions from the user's .bashrc 
file.

If an attacker somehow gains control over being able to define an 
arbitrary environment variable, the attacker can replace a command like 
"echo" with a harmful function. (That this is possible is easily 
verified by a simple test at your system prompt; it's just a matter of 
the attacker being able to somehow define an environment variable called 
"echo").

Being able to define arbitrary environment variable names with untrusted 
content is a hole in itself, but this feature instantly amplifies the 
hole into an exploit.

At the very least, there should be a loud option to turn on this 
inheritance behavior in the child bash, like "bash 
--parse-functions-from-environment". If this option is not supplied, 
then this behavior doesn't occur; variables with contents like "() { 
.... }" are left alone.









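A defender's verification of both points raised in this thread (the probe in brian m. carlson's report and the environment-import behaviour Kaz Kylheku objects to), as an added POSIX shell script that is not part of the bug report or of Debian's packaging: it reruns the CVE-2014-7169 probe in a throwaway directory, checks whether the bash on PATH still turns an arbitrary "() {" variable into a function, and checks that functions exported with export -f now travel under the BASH_FUNC_ prefix that the variables-affix.patch in the changelog introduced. The names shellshock_probe_fn and probe are constructed for the test.

```shell
#!/bin/sh
# Added verification script; not part of the bug report or of Debian's
# packaging. It exercises the bash found on PATH in three ways and prints
# one summary line. Names "shellshock_probe_fn" and "probe" are constructed.

# 1. Does bash still turn an arbitrary environment variable whose value
#    starts with "() {" into a function? After variables-affix.patch it
#    does not: the variable stays a plain string, so "type" fails.
imports_plain_function() {
    if env shellshock_probe_fn='() { return 0; }' \
        bash -c 'type shellshock_probe_fn' >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# 2. The CVE-2014-7169 probe exactly as brian m. carlson ran it, but in a
#    throwaway directory. On an affected bash the unfinished line of the
#    broken definition is pushed back into the parser, so "echo date" is
#    executed as ">echo date": date runs with its output redirected to a
#    file named "echo". A fixed bash leaves no such file behind.
leaves_echo_file() {
    dir=$(mktemp -d) || { echo error; return 0; }
    result=no
    if ( cd "$dir" || exit 1
         env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1
         [ -e echo ] ); then
        result=yes
    fi
    rm -rf "$dir"
    echo "$result"
}

# 3. Functions exported with "export -f" should now travel in variables
#    named BASH_FUNC_<name> plus a suffix ("()" in Debian's variant, "%%"
#    upstream), so only that namespace is ever parsed at startup.
exported_function_is_prefixed() {
    if bash -c 'probe() { :; }; export -f probe; env | grep -q "^BASH_FUNC_probe"' \
        >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Summary: "fixed" when all three checks show the patched behaviour,
# "no-bash" when there is nothing to test, otherwise "unsafe" with details.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    a=$(imports_plain_function)
    b=$(leaves_echo_file)
    c=$(exported_function_is_prefixed)
    if [ "$a" = no ] && [ "$b" = no ] && [ "$c" = yes ]; then
        echo fixed
    else
        echo "unsafe (plain-import=$a CVE-2014-7169-file=$b BASH_FUNC-prefix=$c)"
    fi
}

shellshock_status
```

On the fixed packages listed in this report the script prints "fixed"; any other line names which of the three legacy behaviours is still present.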
No longer marked as found in versions bash/4.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Sep 2014 06:15:04 GMT) (full text, mbox, link).


No longer marked as found in versions bash/4.2+dfsg-0.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Sep 2014 06:15:06 GMT) (full text, mbox, link).


No longer marked as found in versions bash/4.3-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Sep 2014 06:15:07 GMT) (full text, mbox, link).


Changed Bug title to 'bash: CVE-2014-7169: Incomplete fix for CVE-2014-6271' from 'Re: Bug#762760: bash: CVE-2014-7169 due to incomplete fix' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Sep 2014 06:15:09 GMT) (full text, mbox, link).


Marked as found in versions bash/4.1-3+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Sep 2014 06:15:11 GMT) (full text, mbox, link).


Marked as fixed in versions bash/4.1-3+deb6u2; no longer marked as fixed in versions 4.1-3+deb6u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Sep 2014 06:15:14 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 26 Sep 2014 16:21:13 GMT) (full text, mbox, link).


Notification sent to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer. (Fri, 26 Sep 2014 16:21:13 GMT) (full text, mbox, link).


Message #78 received at 762760-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 762760-close@bugs.debian.org
Subject: Bug#762760: fixed in bash 4.2+dfsg-0.1+deb7u2
Date: Fri, 26 Sep 2014 16:17:05 +0000
Source: bash
Source-Version: 4.2+dfsg-0.1+deb7u2

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762760@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Sep 2014 07:23:43 +0200
Source: bash
Binary: bash bash-static bash-builtins bash-doc
Architecture: source all amd64
Version: 4.2+dfsg-0.1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 bash       - GNU Bourne Again SHell
 bash-builtins - Bash loadable builtins - headers & examples
 bash-doc   - Documentation and examples for the The GNU Bourne Again SHell
 bash-static - GNU Bourne Again SHell (static version)
Closes: 762760 762761
Changes: 
 bash (4.2+dfsg-0.1+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-7169.diff diff.
     CVE-2014-7169: Incomplete fix for CVE-2014-6271. (Closes: #762760, #762761)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 26 Sep 2014 16:21:15 GMT) (full text, mbox, link).


Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Fri, 26 Sep 2014 16:21:15 GMT) (full text, mbox, link).


Message #83 received at 762761-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 762761-close@bugs.debian.org
Subject: Bug#762761: fixed in bash 4.2+dfsg-0.1+deb7u2
Date: Fri, 26 Sep 2014 16:17:05 +0000
Source: bash
Source-Version: 4.2+dfsg-0.1+deb7u2

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762761@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Oct 2014 07:35:04 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:58 2019; Machine Name: buxtehude
