New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.050-
Another bash update. Here's some information included with the patch:
"This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function."
After this update, an environment variable will not go through the parser
unless it follows this naming structure: BASH_FUNC_*%%
Most scripts never expected to import functions from environment variables,
so this change (although not backwards compatible) is not likely to break
many existing scripts. It will, however, close off access to the parser as
an attack surface in the vast majority of cases. There's already another
vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
but this hardening patch prevents it (and likely many more similar ones).
Thanks to Florian Weimer and Chet Ramey.
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/
MD5 signatures:
+-------------+
Slackware 13.0 package:
8b5f50012f3c7b18474d7cf19f2be2
Slackware x86_64 13.0 package:
3cbe8607bf2209e694320f6416f1cd
Slackware 13.1 package:
c674f9b681c144c32aba0923303d78
Slackware x86_64 13.1 package:
223fc7505cd2dedd99b79d7f510e74
Slackware 13.37 package:
4b4e4df9e4e949637a641a94aab357
Slackware x86_64 13.37 package:
35f35367efd279d2001de989f366b9
Slackware 14.0 package:
19cb9e04683c9020417490047f20b4
Slackware x86_64 14.0 package:
10bc930d1dd85cf3446f454b129e2b
Slackware 14.1 package:
1d1f8137b674813bf7f070b66ad713
Slackware x86_64 14.1 package:
e80cc985c6112aea20d0ba0eb2821d
Slackware -current package:
175685f32cfa87da1c9d7cdfb42786
Slackware x86_64 -current package:
34a83642b058fa40e6f441c6161e22
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg bash-4.2.050-i486-1_slack14.1.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+-----------------------------
| To leave the slackware-security mailing list: |
+-----------------------------
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+-----------------------------
Komentarų nėra:
Rašyti komentarą