guix-devel

Re: Serious Bash security vulnerabilities


From: Ludovic Courtès
Subject: Re: Serious Bash security vulnerabilities
Date: Fri, 26 Sep 2014 09:55:02 +0200
User-agent: Gnus/5.130011 (Ma Gnus v0.11) Emacs/24.3 (gnu/linux)

We’ve decided to merge the ‘bash-cve-2014-6271’ branch: it’s an
incomplete fix, but it’s already an improvement, and it’s completely
built on Hydra for x86.

As for what’s next, quoting Mark on IRC:

<mark_weaver> the other three patches I'm aware of are:
              http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch
              (from Chet),
              http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch
              (seems non-controversial), and
              http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch
              (more radical hardening, not fully compatible, but maybe still a
              good idea)  [09:40]

[...]

<mark_weaver> FYI, this following message assigns two CVEs (CVE-2014-7186 and
              CVE-2014-7187) to the two flaws fixed by the parse-oob patch:
              http://seclists.org/oss-sec/2014/q3/735  [09:45]
<mark_weaver> my feeling is that we should create another branch with at least
              the eol-pushback and parse-oob patches applied, and start hydra
              building it

Ludo’.
