Univention Bugzilla – Bug 36040
bash: Missing sanitising (4.0)
Last modified: 2014-11-26 06:54:49 CET
Please merge the current bash patches to UCS 4.

+++ This bug was initially created as a clone of Bug #35992 +++

CVE-2014-6271
Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.

Additional writeup: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
OK: CVE-2014-6271 CVE-2014-7169
OK: zless /usr/share/doc/bash/changelog.Debian.gz
OK: dpkg-query -W bash # 4.2+dfsg-0.1.46.201410021458
OK: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
OK: cd /tmp;rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date";cat /tmp/echo
OK: amd64/bash_4.2+dfsg-0.1.46.201410021458_amd64.deb
OK: i386/bash_4.2+dfsg-0.1.46.201410021458_i386.deb
OK: isoinfo -f -R -i isotests/ucs_4.0-0-latest-amd64.iso | grep bash_
    /amd64/bash_4.2+dfsg-0.1.46.201410021458_amd64.deb
TODO: isoinfo -f -R -i isotests/ucs_4.0-0-latest-i386.iso | grep bash_
    /i386/bash_4.2+dfsg-0.1.29.201403141200_i386.deb

FIXED: isoinfo -f -R -i isotests/ucs_4.0-0-20141006-095844-dvd-i386.iso | grep bash_
    /i386/bash_4.2+dfsg-0.1.46.201410021458_i386.deb
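The two shell checks from the QA comments above, wrapped as an added verification script (not part of this bug record or of the Univention bash package) that runs them against a chosen bash binary inside a scratch directory and reports a per-CVE result; the function names run_checks, classify_6271 and classify_7169 are chosen here.

```shell
#!/bin/sh
# Added example: re-run the CVE-2014-6271 / CVE-2014-7169 checks quoted in the
# bug's QA comment against a given bash binary and classify the outcome.

# CVE-2014-6271: an unpatched bash keeps parsing after the exported function
# body and executes the trailing "echo vulnerable", so that word shows up in
# the command's output.
classify_6271() {
    case "$1" in
        *vulnerable*) echo VULNERABLE ;;
        *)            echo OK ;;
    esac
}

# CVE-2014-7169: the crafted definition leaves a dangling redirection in the
# parser state, so "echo date" runs as "date > echo" and leaves a file named
# "echo" in the working directory. Its presence is the indicator.
classify_7169() {
    # $1 = directory that was the cwd during the test
    if [ -e "$1/echo" ]; then echo VULNERABLE; else echo OK; fi
}

# Run both checks against $1 (default: the bash found in PATH).
# Returns 0 if both are OK, 1 if either indicates vulnerability,
# 2 if the requested bash binary cannot be found.
run_checks() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no bash at $bash_bin"; return 2; }

    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null)
    r1=$(classify_6271 "$out")

    # Use a private scratch directory instead of /tmp so no stray "echo" file
    # from another run can produce a false positive.
    workdir=$(mktemp -d)
    ( cd "$workdir" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1 )
    r2=$(classify_7169 "$workdir")
    rm -rf "$workdir"

    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$r1" = OK ] && [ "$r2" = OK ]
}
```

Invoke as `run_checks /bin/bash` on each host after installing the fixed package; a non-zero exit flags a system that still needs the update.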
UCS 4.0-0 has been released:
http://docs.univention.de/release-notes-4.0-0-en.html
http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".