
Re: [Help-bash] Shellshock bug


From: Chet Ramey
Subject: Re: [Help-bash] Shellshock bug
Date: Tue, 14 Oct 2014 10:18:00 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

On 10/14/14, 9:57 AM, Biswas, Amit wrote:
> Hi,
> 
> As we know of the vulnerability of systems with bash shell, I would like to 
> know if the bash patches given by GNU cover all the bugs found (CVE Numbers 
> mentioned below).
> 
> CVE-2014-6271 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>,
> CVE-2014-7169 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>,
> CVE-2014-6277 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277>,
> CVE-2014-6278 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278>,
> CVE-2014-7186 <https://access.redhat.com/security/cve/CVE-2014-7186>,
> CVE-2014-7187 <https://access.redhat.com/security/cve/CVE-2014-7187>
> 
> The 2.05b patches are available at below path however it's not clear what all 
> CVE numbers are covered by the patches wrt Shellshock bug.
> http://ftp.gnu.org/gnu/bash/bash-2.05b-patches/

Here's something I've sent out a couple of times.  Substitute the
bash-2.05b patch numbers for the bash-4.3 ones:

bash43-025      CVE-2014-6271                           9/24/2014
bash43-026      CVE-2014-7169                           9/26/2014
bash43-027      exported function namespace change      9/27/2014
bash43-028      CVE-2014-7186/CVE-2014-7187             10/1/2014
bash43-029      CVE-2014-6277                           10/2/2014
bash43-030      CVE-2014-6278                           10/5/2014

Patch 27 blocked the remote attack vector, so all the other reports
were just bugs.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/


