Fedora has issued an advisory today (September 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/74PP54LG2K7UGPIE2CEEQU7MJD4HBMS7/
I'm guessing bash 5.2 isn't affected (Cauldron) but that should be checked.
Status comment: (none) => Patch available from Fedora
Stig has done several version updates to bash, so assigning this to you.
Assignee: bugsquad => smelror
https://bugzilla.redhat.com/show_bug.cgi?id=2122331 is restricted. Any idea how to test this change? Also, as bash is in the initrd shouldn't any bash update trigger "dracut -f" and suggest a reboot?
CC: (none) => davidwhodgins
Not if it doesn't already do that. Going to guess the issue isn't exploitable in any meaningful way in the initrd. Maybe look at the patch we/Fedora added and see if it has any info about the vulnerability.
The patch (bash-5.2-check-xform.patch) doesn't help to understand how it's triggered. At least not for me. Once this is assigned to qa, I'll validate it based on no regressions.
Advisory
========

Bash has been updated to version 5.1.16 and a patch from Fedora to fix a security issue.

References
==========

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/74PP54LG2K7UGPIE2CEEQU7MJD4HBMS7/

Files
=====

Uploaded to core/updates_testing

bash-5.1-16.1.mga8
bash-doc-5.1-16.1.mga8

from bash-5.1-16.1.mga8.src.rpm
Assignee: smelror => qa-bugs
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0358.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
RedHat has issued an advisory for this today (January 23): https://access.redhat.com/errata/RHSA-2023:0340 It is CVE-2022-3715 and was fixed upstream in 5.1.8.
Summary: bash new security issue rhbz#2122331 => bash new security issue rhbz#2122331 (CVE-2022-3715)
Status comment: Patch available from Fedora => (none)