OpenSuSE has issued an advisory today (July 23):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00038.html
Mageia 1 and Mageia 2 are also affected.
The reproducer is very easy:
test -e /dev/fd/111111111111111111111111111111111111
The patch to fix it is bash42-033 upstream. We have all of the patches through 028, so you might want to add the intervening patches as well.
More info here: https://bugzilla.novell.com/show_bug.cgi?id=770795
CC: (none) => mageia
Whiteboard: (none) => MGA2TOO, MGA1TOO
I have updated bash to 4.2 patchlevel 37 in cauldron. Thanks!
Status: NEW => RESOLVED
Resolution: (none) => FIXED
see whiteboard (valid for stable too)
Hardware: i586 => All
Version: Cauldron => 2
Summary: bash new security issue CVE-2012-3410 => bash new security issue CVE-2012-3410 [mga1 & 2]
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
so reopening sorry
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Please clone the bug for stable releases, the bug has been opened on cauldron, and fixed in cauldron. If we use the same bug for multiple versions, we can not properly track the resolution progress. I don't have stable systems to make sure that the fix is ok.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
We have never done that, but if you want..
Version: 2 => Cauldron
Well, that's a flawed workflow IMHO, we need distinct per-version bug status and validation results, this can not be mixed in the same bug id.
I don't see the problem with it. We need to make sure the bug is fixed in *all* affected releases. Multiple bugs makes it *harder* to do that. The normal workflow we use is to do as I did here, so the first step is to make sure it gets fixed in Cauldron (so that it doesn't get forgotten and carry into the next release). Then the version is changed to 2 and the fix can be assigned to QA to release as stable updates. This workflow with the whiteboard is what the bug squad, security, and QA teams have been using since Mageia 2 came out, and it has worked well for all of us so far.
This bug is now for Mageia 1 and Mageia 2. A security update is needed. If you (blino) can't test updates on Mageia 1 and Mageia 2, we can. Luckily, this vulnerability is extraordinarily easy to test for.
Status: RESOLVED => REOPENED
Version: Cauldron => 2
Resolution: FIXED => (none)
Most projects using bugzilla make use of bug "clones" for this purpose (handling a bug on different versions). Doing everything on the same bug means that you cannot have a clear status for different versions (Cauldron, Mageia 1, Mageia 2), and that your validation reports will be mixed, that's messy. Anyway, you're free to take over the bug.
I will clone it for Mga 2, it is really a bad practice to change the affected version during a bug lifetime.
Status: REOPENED => RESOLVED
Version: 2 => Cauldron
Resolution: (none) => FIXED
Blocks: (none) => 6859
Whiteboard: MGA1TOO => (none)
(In reply to comment #9)
> Anyway, you're free to take over the bug.
Should I just add patch 033 in Mageia 1 and 2, or should any of the other patches be added?
It seems safe to pull all the other patches, they only contain bugfixes and most of them are pretty small. I don't remember having seen any regression in the upstream bash patches up to now.
Olivier, is this fixed for you in Cauldron? I rebuilt this on Mageia 1 and the reproducer still works.
Hi, the test command from the initial comment is not crashing with the cauldron package.
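A regression check built around the reproducer quoted in the first comment, as an added example that is not part of the original bug thread or of the Mageia or bash projects' own tooling. It runs the reproducer in a child shell and separates a normal return from a crash; the function names and the default of `bash` on PATH are assumptions.

```shell
#!/bin/sh
# Added example: QA check for the /dev/fd reproducer quoted in this report.

# Path from the report: a /dev/fd entry with an oversized descriptor number.
REPRO_PATH=/dev/fd/111111111111111111111111111111111111

# Map a child's exit status to a verdict.
#   0 or 1 : test ran and returned normally (1 = path does not exist)
#   > 128  : the child was killed by signal (status - 128), i.e. it crashed
classify_status() {
    rc=$1
    if [ "$rc" -gt 128 ]; then
        echo "crash:signal-$((rc - 128))"
    elif [ "$rc" -le 1 ]; then
        echo "ok"
    else
        echo "unexpected:$rc"
    fi
}

# Run the reproducer in a child process so a crash cannot take down this script.
# $1 = shell binary to test (assumption: defaults to "bash" found on PATH).
check_shell() {
    shell_bin=${1:-bash}
    rc=0
    "$shell_bin" -c "test -e $REPRO_PATH" >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# Report the tested bash as major.minor.patchlevel, to record next to the
# verdict in a validation comment (bash only; BASH_VERSINFO[2] is the patch level).
bash_patchlevel() {
    "${1:-bash}" -c 'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}"'
}

# Print one line per run, e.g. for pasting into the bug as a test result.
echo "bash $(bash_patchlevel 2>/dev/null || true): $(check_shell bash)"
```

Running it against each rebuilt package (Cauldron, Mageia 1, Mageia 2) gives one version-plus-verdict line per release.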