Hi Florian Weimer,
is there a chance to get the bash-update for squeeze (6.0)?
Bye,
Jens
-Original Message-
From: Florian Weimer f...@deneb.enyo.de
Sent: Wed 24 September 2014 16:07
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 3032-1] bash
On Thu, Sep 25, 2014 at 4:05 PM, Jens Rabe wrote:
is there a chance to get the bash-update for squeeze (6.0)?
Debian squeeze is no longer supported by the Debian security team.
However, the Debian LTS team is supporting squeeze and has released an
update for bash in squeeze-lts.
Hi Jens,
On Thu, Sep 25, 2014 at 10:05:28AM +0200, Rabe, Jens wrote:
is there a chance to get the bash-update for squeeze (6.0)?
Note that regular security support for squeeze has ended. You will
need to use squeeze-lts for still receiving updates, more details are
in [1].
[1]
Hi there,
On 24.09.2014 at 16:06, Florian Weimer wrote:
Stephane Chazelas discovered a vulnerability in bash, the GNU
Bourne-Again Shell, related to how environment variables are
processed. In many common configurations, this vulnerability
On Thu, 25 Sep 2014, Jan Wagner wrote:
is there still work on CVE-2014-7169, as the fix for CVE-2014-6271
seems incomplete?
Work on that is ongoing, AFAIK.
AFAIK, exploits for CVE-2014-7169 are already public (one certainly worked
here, with the CVE-2014-6271 patch applied), and there are
On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:
I suggest everyone to do a spring cleanup in the login shells for system
accounts, and to deploy mitigation.
In general it's a good idea to have /bin/sh point to something other
than bash. That's the default on
On Thursday, 2014-09-25 at 10:13:31 -0400, Michael Stone wrote:
On Thu, Sep 25, 2014 at 10:54:38AM -0300, Henrique de Moraes Holschuh wrote:
In general it's a good idea to have /bin/sh point to something other
than bash. That's the default on current debian systems, but might
not be the case
On Thu, 25 Sep 2014, Henrique de Moraes Holschuh wrote:
BTW: sudo is a viable local attack vector for this vulnerability.
Sort of... turns out it has defenses, which are not immediately obvious to
me how to bypass.
--
One disk to rule them all, One disk to find them. One disk to bring
them
Hey guys,
according to a twitter post
(https://twitter.com/taviso/status/514887394294652929), the patch which came
out last night is still vulnerable:
this part was fixed by 4.2+dfsg-0.1+deb7u1:
de...@bortfeldt.net:~$ env x='() { :;}; echo vulnerable' bash -c echo this is
a test
bash:
Hi Denny,
On Thu, September 25, 2014 19:35, Denny Bortfeldt wrote:
Is it possible to fix also the 2nd part so that bash is really not
vulnerable at all? I saw that Gentoo patched the bash also twice.
It's indeed known that the bash fixes are incomplete.
I would like to stress that the current
CVE-2014-0170: RESERVED
CVE-2014-6603: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
Package: security-tracker
Severity: wishlist
It would be nice if the security tracker could provide by release a list
of packages with open vulnerabilities (i.e. neither unimportant nor tagged
as no-dsa) that are not yet listed in dsa-needed.txt/dla-needed.txt
depending on the case.
It would
Your message dated Thu, 25 Sep 2014 09:43:20 +0200
with message-id 201409250943.22087.hol...@layer-acht.org
and subject line end-of-life now visible in security tracker
has caused the Debian Bug report #642987,
regarding Entries marked as end-of-life should not be displayed as fixed in
the web