| Beschreibung: | Summary:
The remote host is missing an update for the 'bash'
package(s) announced via the referenced advisory.
Vulnerability Insight:
bash was updated to fix a critical security issue, a minor security issue
and bugs:
In some circumstances, the shell would evaluate shellcode in environment
variables passed at startup time. This allowed code execution by local or
remote attackers who could pass environment variables to bash scripts.
(CVE-2014-6271)
Fixed a temporary file misuse in _rl_tropen (bnc#868822) Even if used only
by developers to debug readline library do not
open temporary files from public location without O_EXCL (CVE-2014-2524)
Additional bugfixes:
- Backported corrected german error message for a failing getpwd
(bnc#895475)
- Add bash upstream patch 47 to fix a problem where the function that
shortens pathnames for $PS1 according to the value of $PROMPT_DIRTRIM
uses memcpy on potentially-overlapping regions
of memory, when it should use memmove. The result is garbled pathnames
in prompt strings.
- Add bash upstream patch 46 to fix a problem introduced by patch 32 a
problem with '$@' and arrays expanding empty positional parameters or
array elements when using substring expansion, pattern substitution, or
case modification. The empty parameters
or array elements are removed instead of expanding to empty strings ('').
- Add bash-4.2-strcpy.patch from upstream mailing list to patch collection
tar ball to avoid when using \w in the prompt and changing the directory
outside of HOME the a strcpy work on
overlapping memory areas.
Affected Software/OS:
bash on openSUSE 13.1, openSUSE 12.3
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
