No new CVE. This looks to be a proper fix for CVE-2014-6278, where the assessment is that the parser bugs that make this exploitable were already addressed either by the Red Hat patches or upstream patch 027. That's what I gather between these sources:
https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00032.html
http://lcamtuf.blogspot.co.uk/2014/09/bash-bug-apply-unofficial-patch-now.html
http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html

Note that patch 030 for bash 4.3 is attributed to lcamtuf. I've not found any security responders who shipped previously available fixes telling people that they need to ship these further changes as an urgent response or even that they have to have them. Red Hat explicitly references lcamtuf's blog post as independent confirmation of their analysis and fixes.

Cheers,
Bayard

On 7 October 2014 04:19, Richard L. Hamilton <rlha...@smart.net> wrote:

> Which CVE is that, or is it something else?
>
> On Oct 6, 2014, at 9:35 PM, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
>
> > The gift keeps on giving. There is yet another related security patch for bash. Here is the one for bash 4.3:
> >
> > http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html
> >
> > Bob
> > --
> > Bob Friesenhahn
> > bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> > GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss