Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Gerard Howells
Thanks Marcy and Mike! Gerard Howells zLinux and z/VM Systems Administrator Enterprise Systems America First Credit Union TEL: 801-827-8353 ghowe...@americafirst.com -Original Message- From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Michael O'Reilly Sent: Thursday,

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Alan Ackerman
> On Sep 25, 2014, at 10:44 AM, Veencamp, Jonathon D. wrote:
>
> Just a word of warning that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Veencamp, Jonathon D.
Just a word of warning that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors https://bugzilla.red

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Mark Post
>>> On 9/25/2014 at 01:16 PM, Gerard Howells wrote:
> Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4?

As Marcy noted, only for customers that are paying for LTSS. Perhaps this vulnerability might help people make the case to their own

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Veencamp, Jonathon D.
Just a word of warning to everyone, that Red Hat considers their current patch potentially incomplete. It solves the test that everyone is using to test vulnerability, but isn't necessarily comprehensive. So there may be more than one round of patches on this, perhaps from all vendors https:/

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Michael O'Reilly
Gerard, CVE-2014-0475 Common Vulnerabilities and Exposures http://support.novell.com/security/cve/CVE-2014-0475.html Mike O'Reilly IBM Linux Change Team

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Marcy Cortes
You'd have to have LTSS for that since it is out of support. I was told it is available for all of these SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Server 10 SP3 LTSS for AMD64 and Intel EM64T SUSE Linux Enterprise Server 10 SP3 LTSS for IBM zSeries 64bit SUSE Linux Enterprise Serv

Re: Bash specially-crafted environment variables code injection attack

2014-09-25 Thread Gerard Howells
Thanks for the pointer to the SLES 11 fix. Does anyone know if there's a similar patch for SLES 10 SP4? Gerard Howells zLinux and z/VM Systems Administrator Enterprise Systems America First Credit Union TEL: 801-827-8353 ghowe...@americafirst.com -Original Message- From: Linux on 390 Por