[yocto] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)
Mark Hatle
mark.hatle at windriver.com
Thu Sep 25 15:48:56 PDT 2014
On 9/25/14, 5:40 PM, Burton, Ross wrote:
> Hi Francesco,
>
> On 25 September 2014 11:35, Francesco Del Degan <f.deldegan at endian.com> wrote:
>> Updated to reflect the latest patchset in bash 4.3.
>> Fixes the CVE-2014-6271.
>
> I'm hearing that this isn't a complete fix, so let's wait for more patches.
>
> Is it possible to cherry-pick just the security fixes, instead of
> every patch they've released?
>
> Finally, patches for oe-core should go to openembedded-core@, not yocto@.
>
> Ross
>
Patch 025 fixes CVE-2014-6271, but does NOT fix CVE-2014-7169 or possibly two
other issues people are currently looking into. (None of this is confidential
BTW.. you can all follow along on the oss-security mailing list.)
So I would recommend that someone get the 025 patch (don't forget to patch bash
3.2 as well) in.. and we should wait until there is an official one for 7169.
--Mark