A minor security issue in bash has been announced today (September 16): http://www.openwall.com/lists/oss-security/2016/09/16/8 I have added the patches listed in that message in bash in Cauldron.
There were already some questions as to whether a privilege boundary is really crossed in such a way that an attacker can make use of this issue without having sufficient access to cause much larger problems, and the upstream Bash maintainer's response to the above message indicates the same opinion, so this might not be a *real* security issue. Perhaps we can update the Mageia 5 package to patchlevel 46 (from 33) to bring it in line with the bugfixes in the Cauldron package, and include the fixes for this, and issue it as a bug fix update.
Severity: normal => minor
CC: (none) => marja11
Assignee: bugsquad => shlomif
Fedora has issued an advisory for this today (September 23): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5GRFMCTX4O7RTLZX5CI45KC7GGM6XIIY/
URL: (none) => http://lwn.net/Vulnerabilities/701923/
*** Bug 18734 has been marked as a duplicate of this bug. ***
CC: (none) => listas.apl
(In reply to Thomas Backlund from comment #3)
> *** Bug 18734 has been marked as a duplicate of this bug. ***
wrong bug dup, sorry
CC: (none) => tmb
Patches were added to the package but not actually applied (whoops). Replaced them with Fedora's more complete patch and actually applied it this time.
Blocks: (none) => 19462
bash 4.3 patchlevel 47 now includes the fix for this too: http://openwall.com/lists/oss-security/2016/10/07/6
available on updates_testing bash-4.3-48.2.mga5
CC: (none) => mageia
Assignee: shlomif => qa-bugs
Thanks. We can't assign two bugs to QA for the same package/update, so we'll use the newer bug for that.
Assignee: qa-bugs => mageia
Fixed: http://advisories.mageia.org/MGASA-2016-0393.html
Status: NEW => RESOLVED
Blocks: 19462 => (none)
Depends on: (none) => 19462
Resolution: (none) => FIXED