First, let me be very clear: This is not a security update. See my last comments in the previous bug for more about that, such as:
https://bugs.mageia.org/show_bug.cgi?id=14193#c19

So, the purpose of this update is to fix the remaining known bugs in the parser used when importing functions. These bugs were assigned CVE-2014-6277 and CVE-2014-6278. They are only security flaws if you do not have the 4.2-50 or 4.3-27 patch I added in the previous update. Now, they are simply bugs that should be fixed, but otherwise don't have much of an impact.

Advisory:
----------------------------------------

Bash has been updated to version 4.2 patch level 53, which fixes the last remaining known bugs in the parser that bash uses when importing functions. These bugs are known as CVE-2014-6277 and CVE-2014-6278, but they are not actually exploitable security issues since 4.2 patch level 50, which was provided as an update in MGASA-2014-0394.

References:
ftp://ftp.cwru.edu/pub/bash/bash-4.2-patches/
http://advisories.mageia.org/MGASA-2014-0394.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
bash-4.2-53.1.mga3
bash-doc-4.2-53.1.mga3
bash-4.2-53.1.mga4
bash-doc-4.2-53.1.mga4

from SRPMS:
bash-4.2-53.1.mga3.src.rpm
bash-4.2-53.1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
I guess this can still be tested with bashcheck: https://github.com/hannob/bashcheck See bug 14193 for details on how the latest update was tested.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing on Mageia 4 64bit:

== With bash 4.2-50.2 from Core Updates ==

$ ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(1)-release (x86_64-mageia-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

== With bash 4.2-53.1 from Core Updates Testing ==

$ ./bashcheck
Testing /usr/bin/bash ...
GNU bash, Version 4.2.53(2)-release (x86_64-mageia-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

This seems to confirm what Luigi reported in comment 0: this is a bugfix update for the bugs related to CVE-2014-6277 and 6278, but the actual security vulnerabilities are already prevented by the patches of the current package in Core Updates.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
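Added example, not part of the bug report or of bashcheck: the "Variable function parser pre/suffixed [%%, upstream]" line in the output above refers to how bash names exported functions in the environment, and this sketch checks that encoding directly. The function names `classify_env`, `probe_shell` and `gr_probe` are hypothetical, and the default of `bash` on PATH is an assumption.

```shell
#!/bin/sh
# Classify how a bash binary encodes exported functions in the environment.
#   suffixed: BASH_FUNC_<name>%%=() { ...  (what bashcheck reports as "%%, upstream";
#             only variables carrying this exact name are parsed as functions)
#   legacy:   <name>=() { ...              (any variable whose value starts with
#             "() {" reaches the function parser)
#   absent:   the function was not found in the environment dump

# classify_env NAME: read an `env` dump on stdin, print the encoding of NAME.
classify_env() {
    name=$1
    style=absent
    while IFS= read -r line; do
        case $line in
            "BASH_FUNC_${name}%%=() {"*) style=suffixed ;;
            "${name}=() {"*)             style=legacy ;;
        esac
    done
    printf '%s\n' "$style"
}

# probe_shell [BASH]: export a harmless function from the given bash binary
# and classify the child environment it produces.
probe_shell() {
    "${1:-bash}" -c 'gr_probe() { :; }; export -f gr_probe; env' \
        | classify_env gr_probe
}

# Run as: sh thisfile --probe /usr/bin/bash
if [ "${1:-}" = "--probe" ]; then
    probe_shell "${2:-bash}"
fi
```

A result of `suffixed` matches the state both bashcheck runs above describe as "bugs not exploitable"; `legacy` means the binary still parses function definitions from arbitrarily named variables.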
Testing complete on Mageia 3 64bit.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Did the same for Mga4 32 bit, same output.
CC: (none) => cmrisolde
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK
Going to look at Mga 32 bit now.
For Mga3 32 bit I can't get the 4.2.53.1 package to show up on my list. I added another mirror, the one suggested at the QA meeting, but still nothing.
I guess you made sure all mirrors were up-to-date with: # urpmi.update ""
Yes, I had done it via the graphical menus, but I just tried again from the CLI to be sure, still nothing.
This is either a mirror or media issue, Carolyn. I would imagine you haven't configured your Core Updates Testing media as an update media. Please come to IRC if you'd like help.

installing bash-doc-4.2-53.1.mga3.i586.rpm bash-4.2-53.1.mga3.i586.rpm from /var/cache/urpmi/rpms
Preparing... #######
1/2: bash #######
2/2: bash-doc #######
1/2: removing bash-doc-4.2-50.2.mga3.i586 #######
2/2: removing bash-4.2-50.2.mga3.i586 #######

Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK
Oh I see what's happened. I scrolled too far (as I thought) down the list in MCC and now I can see it's listed all the media again at the bottom of the main list after I added the other mirror, so there was another Core Updates Testing that had to be ticked. Didn't realise it did that.
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2014-0180.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Also pushed on Mga infra
CC: (none) => tmb