Voltem das colinas! Mas não por muito tempo
https://twitter.com/lcamtuf/status/516297412579581952 [image: tumblr_mml9mp9wCx1s9x8i6o1_400.gif (280×300)] ---------- Forwarded message ---------- From: Slackware Security Team <[email protected]> Date: Mon, Sep 29, 2014 at 4:33 PM Subject: [slackware-security] bash (SSA:2014-272-01) To: [email protected] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] bash (SSA:2014-272-01) New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/bash-4.2.050-i486-1_slack14.1.txz: Upgraded. Another bash update. Here's some information included with the patch: "This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to determine whether or not to interpret it as a shell function." After this update, an environment variable will not go through the parser unless it follows this naming structure: BASH_FUNC_*%% Most scripts never expected to import functions from environment variables, so this change (although not backwards compatible) is not likely to break many existing scripts. It will, however, close off access to the parser as an attack surface in the vast majority of cases. There's already another vulnerability similar to CVE-2014-6271 for which there is not yet a fix, but this hardening patch prevents it (and likely many more similar ones). Thanks to Florian Weimer and Chet Ramey. (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.020-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.020-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.014-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.014-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.014-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.014-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.050-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.050-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.050-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.050-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.027-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.027-x86_64-1.txz MD5 signatures: +-------------+ Slackware 13.0 package: 8b5f50012f3c7b18474d7cf19f2be2bb bash-3.1.020-i486-1_slack13.0.txz Slackware x86_64 13.0 package: 3cbe8607bf2209e694320f6416f1cd04 bash-3.1.020-x86_64-1_slack13.0.txz Slackware 13.1 package: c674f9b681c144c32aba0923303d789b bash-4.1.014-i486-1_slack13.1.txz Slackware x86_64 13.1 package: 223fc7505cd2dedd99b79d7f510e749c bash-4.1.014-x86_64-1_slack13.1.txz Slackware 13.37 package: 4b4e4df9e4e949637a641a94aab35765 bash-4.1.014-i486-1_slack13.37.txz Slackware x86_64 13.37 package: 35f35367efd279d2001de989f366b972 bash-4.1.014-x86_64-1_slack13.37.txz Slackware 14.0 package: 19cb9e04683c9020417490047f20b40d bash-4.2.050-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 10bc930d1dd85cf3446f454b129e2bc7 bash-4.2.050-x86_64-1_slack14.0.txz Slackware 14.1 package: 1d1f8137b674813bf7f070b66ad713b1 bash-4.2.050-i486-1_slack14.1.txz Slackware x86_64 14.1 package: e80cc985c6112aea20d0ba0eb2821d03 bash-4.2.050-x86_64-1_slack14.1.txz Slackware -current package: 175685f32cfa87da1c9d7cdfb42786c5 a/bash-4.3.027-i486-1.txz Slackware x86_64 -current package: 34a83642b058fa40e6f441c6161e2208 a/bash-4.3.027-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg bash-4.2.050-i486-1_slack14.1.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key [email protected] +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to [email protected] with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlQpqCoACgkQakRjwEAQIjPD0QCfSmNXkeHavRJjRtENMC13Rtx6 DsYAn1fsM+SOgqVuB7URSJtSKrmtPvr8 =Xi8W -----END PGP SIGNATURE----- -- Grato, Tozo -- GUS-BR - Grupo de Usuários de Slackware Brasil http://www.slackwarebrasil.org/ http://groups.google.com/group/slack-users-br Antes de perguntar: http://www.vivaolinux.com.br/artigo/Como-elaborar-perguntas-para-listas-de-discussao Para sair da lista envie um e-mail para: [email protected] --- Você está recebendo esta mensagem porque se inscreveu no grupo "Slackware Users Group - Brazil" dos Grupos do Google. Para cancelar inscrição nesse grupo e parar de receber e-mails dele, envie um e-mail para [email protected]. Para obter mais opções, acesse https://groups.google.com/d/optout.
