[yocto] [OE-core] [PATCH] bash: update to latest (025) patchset (fixes CVE-2014-6271)

Mark Hatle mark.hatle at windriver.com
Fri Sep 26 07:03:08 PDT 2014


On 9/25/14, 10:00 PM, Francesco Del Degan wrote:
> Yes, patch 026 that fixes CVE-2014-7169 is underway, should be pushed out today:
>
> http://www.openwall.com/lists/oss-security/2014/09/26/1
>
> bash-4.2 (as in dora) got patch048 for CVE-2014-6179 and should receive patch049
> as well.
>
> I'm going to send bash 3.2 and 4.2 patches in oe core ml.

There are two additional issues as well.

CVE-2014-7186 - bash: parser can allow out-of-bounds memory access while
handling redir_stack

CVE-2014-7187 - bash: off-by-one error in deeply nested flow control constructs

(The above two are so new they are not yet published on the CVE web sites.)

A patch for these has been posted to the oss-security list, but has not yet been 
validated by the bash maintainer.

We'll need to watch for this as well.

--Mark

>
> On Fri, Sep 26, 2014 at 1:15 AM, Burton, Ross <ross.burton at intel.com> wrote:
>
>     On 25 September 2014 23:48, Mark Hatle <mark.hatle at windriver.com> wrote:
>     > So I would recommend that someone get the 025 patch (don't forget to patch
>     > bash 3.2 as well) in.. and we should wait until there is an official one for
>     > 7169.
>
>     Agreed, and patches sent.
>
>     Ross
>
> --
> :: e n d i a n
> :: security with passion
>
> :: Francesco Del Degan
> :: software engineer
> :: http://www.endian.com :: f.deldegan (AT) endian.com
>
>
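As an added check, not part of this thread or of the Yocto/OE-core patch series: the publicly circulated one-liners that exercise each of the four bash CVEs named above, wrapped as POSIX sh functions so they can be pointed at a freshly built bash (for example the one going into a dora or master image) rather than only at the host shell. Assumptions: the bash under test is passed as the first argument (default: "bash" on PATH), mktemp is available, and a crash is recognised by an exit status of 128 or more. Passing these checks confirms the known test cases no longer trigger; it is not a substitute for confirming the upstream patch levels (025/026 for 4.3, 048/049 for 4.2) are actually applied.

```shell
#!/bin/sh
# Added example (not from this thread or the Yocto patch series): run the
# public test expressions for the four bash CVEs discussed above against a
# chosen bash binary, e.g. the one just built for an image.
# Assumptions: $1 (default "bash") is the bash to test; mktemp is available.

# CVE-2014-6271: an unpatched bash keeps parsing (and executing) whatever
# follows the function body in an exported variable.
check_cve_2014_6271() {
    bash_bin=${1:-bash}
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete first fix. The trailing backslash leaves a
# redirection pending, so the command "echo date" is parsed as ">echo date"
# and an unpatched bash creates a file named "echo" in the current directory.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    tmp=$(mktemp -d) || { echo error; return 2; }
    if ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1; [ -e echo ] ); then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# CVE-2014-7186: pending here-documents beyond the fixed-size redir_stack
# array in the parser; an unpatched bash dies with SIGSEGV (status >= 128).
check_cve_2014_7186() {
    bash_bin=${1:-bash}
    rc=0
    "$bash_bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 || rc=$?
    [ "$rc" -ge 128 ] && echo vulnerable || echo patched
}

# CVE-2014-7187: off-by-one in the parser's nesting bookkeeping for deeply
# nested flow-control constructs; 200 nested for loops crash an unpatched
# bash. The script is generated with while loops so the check is plain sh.
check_cve_2014_7187() {
    bash_bin=${1:-bash}
    rc=0
    {
        i=1
        while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1
        while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    } | "$bash_bin" >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 0 ] && echo vulnerable || echo patched
}

# Run all four checks and print one line per CVE; returns 0 only when every
# check reports "patched", so it can gate an image build or a QA step.
shellshock_report() {
    bash_bin=${1:-bash}
    status=0
    for cve in 6271 7169 7186 7187; do
        r=$("check_cve_2014_$cve" "$bash_bin")
        echo "CVE-2014-$cve: $r"
        [ "$r" = patched ] || status=1
    done
    return "$status"
}
```

Usage: source the file and call `shellshock_report /path/to/sysroot/bin/bash` (or run it under qemu against the target image); a non-zero return means at least one of the four test cases still triggers. The 7186 and 7187 checks only detect a crash, so run them against the exact binary shipped in the image, not a host bash that happens to be a different version.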