On 9/25/14, 10:00 PM, Francesco Del Degan wrote:
Yes, patch 026 that fixes CVE-2014-7169 is underway, should be pushed out today:
http://www.openwall.com/lists/oss-security/2014/09/26/1
bash-4.2 (as in dora) got patch048 for CVE-2014-6179 and should receive patch049
as well.
I'm going to send bash 3.2 and 4.2 patches in oe core ml.
There are two additional issues as well.
CVE-2014-7186 - bash: parser can allow out-of-bounds memory access while
handling redir_stack
CVE-2014-7187 - bash: off-by-one error in deeply nested flow control constructs
(The above two are so new they are not yet published on the CVE web sites.)
A patch for these has been posted to the oss-security list, but has not yet been
validated by the bash maintainer.
We'll need to watch for this as well.
--Mark
On Fri, Sep 26, 2014 at 1:15 AM, Burton, Ross <ross.bur...@intel.com> wrote:
On 25 September 2014 23:48, Mark Hatle <mark.ha...@windriver.com> wrote:
> So I would recommend that someone get the 025 patch (don't forget to patch
> bash 3.2 as well) in.. and we should wait until there is an official one for
> 7169.
Agreed, and patches sent.
Ross
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
--
:: e n d i a n
:: security with passion
:: Francesco Del Degan
:: software engineer
:: http://www.endian.com :: f.deldegan (AT) endian.com