We’ve decided to merge the ‘bash-cve-2014-6271’ branch: it’s an incomplete fix, but it’s already an improvement, and it’s completely built on Hydra for x86.
As for what’s next, quoting Mark on IRC:

<mark_weaver> the other three patches I'm aware of are: http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch (from Chet), http://seclists.org/oss-sec/2014/q3/att-712/parse-oob-4_2.patch (seems non-controversial), and http://seclists.org/oss-sec/2014/q3/att-712/variables-affix-4_2.patch (more radical hardening, not fully compatible, but maybe still a good idea) [09:40]
[...]
<mark_weaver> FYI, this following message assigns two CVEs (CVE-2014-7186 and CVE-2014-7187) to the two flaws fixed by the parse-oob patch: http://seclists.org/oss-sec/2014/q3/735 [09:45]
<mark_weaver> my feeling is that we should create another branch with at least the eol-pushback and parse-oob patches applied, and start hydra building it

Ludo’.