Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0038
MDVSA-2010:004 ] bash
14 January 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: bash
Publisher: Mandriva
Operating System: Mandriva Linux
Linux variants
Impact/Access: Provide Misleading Information -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2010-0002 CVE-2008-5374
Comment: This advisory references vulnerabilities in products which run on
platforms other than Mandriva. It is recommended that administrators
running bash check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:004
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bash
Date : January 13, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A vulnerability have been discovered in Mandriva bash package, which
could allow a malicious user to hide files from the ls command,
or garble its output by crafting files or directories which contain
special characters or escape sequences (CVE-2010-0002). This update
fixes the issue by disabling the display of control characters
by default.
Additionally, this update fixes the unsafe file creation in bash-doc
sample scripts (CVE-2008-5374).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0002
https://qa.mandriva.com/56882
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
f2e4b9971f76eb8c6a32f980f8891b64 2008.0/i586/bash-3.2-5.1mdv2008.0.i586.rpm
613aa4f62598754748fc09da5c695b13 2008.0/i586/bash-doc-3.2-5.1mdv2008.0.i586.rpm
85a72f0f23e359a0e05604f774c287b4 2008.0/SRPMS/bash-3.2-5.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
6bfad3cb4f655787250007cd74bdfd16 2008.0/x86_64/bash-3.2-5.1mdv2008.0.x86_64.rpm
48288451f5a9112dfd35c38e91dcb774 2008.0/x86_64/bash-doc-3.2-5.1mdv2008.0.x86_64.rpm
85a72f0f23e359a0e05604f774c287b4 2008.0/SRPMS/bash-3.2-5.1mdv2008.0.src.rpm
Mandriva Linux 2009.0:
d27affe22ad63522d2b7542f94f986bb 2009.0/i586/bash-3.2-10.2mdv2009.0.i586.rpm
e1da0b1b4c43833fa4912b839a355d84 2009.0/i586/bash-doc-3.2-10.2mdv2009.0.i586.rpm
50864f104fdbc0304a918c832080532a 2009.0/SRPMS/bash-3.2-10.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
722257da6630ef64d3cc1b5d2937b5d9 2009.0/x86_64/bash-3.2-10.2mdv2009.0.x86_64.rpm
cf190a45a8464b8d4a889ea1cbdd4f58 2009.0/x86_64/bash-doc-3.2-10.2mdv2009.0.x86_64.rpm
50864f104fdbc0304a918c832080532a 2009.0/SRPMS/bash-3.2-10.2mdv2009.0.src.rpm
Mandriva Linux 2009.1:
6c3fbcb61646e15d2080c3b0c25d9554 2009.1/i586/bash-3.2.48-3.1mdv2009.1.i586.rpm
0dea3f4c28cf56e5b89c148de06ea9a2 2009.1/i586/bash-doc-3.2.48-3.1mdv2009.1.i586.rpm
28f87d961cd64e32788fb6456c1825d4 2009.1/SRPMS/bash-3.2.48-3.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
95defbb4b2f16d98555416db6ce07d11 2009.1/x86_64/bash-3.2.48-3.1mdv2009.1.x86_64.rpm
8753cfb24ec034cf7210093accfd24ba 2009.1/x86_64/bash-doc-3.2.48-3.1mdv2009.1.x86_64.rpm
28f87d961cd64e32788fb6456c1825d4 2009.1/SRPMS/bash-3.2.48-3.1mdv2009.1.src.rpm
Mandriva Linux 2010.0:
d64d774979139e95507fac57f5fee411 2010.0/i586/bash-4.0-7.1mdv2010.0.i586.rpm
da8fe2f7aebc606b995ca95b61296955 2010.0/i586/bash-doc-4.0-7.1mdv2010.0.i586.rpm
3040686a1ac714a39e387d309a7dbcf8 2010.0/SRPMS/bash-4.0-7.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
fc60a281e86eca4b3a127f195ed7f4e4 2010.0/x86_64/bash-4.0-7.1mdv2010.0.x86_64.rpm
2e5d9c83494a78bbd08c37fb654f877e 2010.0/x86_64/bash-doc-4.0-7.1mdv2010.0.x86_64.rpm
3040686a1ac714a39e387d309a7dbcf8 2010.0/SRPMS/bash-4.0-7.1mdv2010.0.src.rpm
Corporate 4.0:
10520a3ac742b3ea75f8f266a67109fc corporate/4.0/i586/bash-3.0-6.1.20060mlcs4.i586.rpm
e67c99653e24cca3dfc14a5db52f28ea corporate/4.0/i586/bash-doc-3.0-6.1.20060mlcs4.i586.rpm
836d9e055da30f19c3a940b4c2c6b7bf corporate/4.0/SRPMS/bash-3.0-6.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
f0bdaa60c3201841e2e3372e62ece170 corporate/4.0/x86_64/bash-3.0-6.1.20060mlcs4.x86_64.rpm
3def0fcac2c23da7a5e1312c73e35de2 corporate/4.0/x86_64/bash-doc-3.0-6.1.20060mlcs4.x86_64.rpm
836d9e055da30f19c3a940b4c2c6b7bf corporate/4.0/SRPMS/bash-3.0-6.1.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
5c62e881405cedd243385a783895bc14 mes5/i586/bash-3.2-10.2mdvmes5.i586.rpm
84513f4df54a12c861e44d36bb0f700e mes5/i586/bash-doc-3.2-10.2mdvmes5.i586.rpm
902376b0b61041449cf06be37ba40d63 mes5/SRPMS/bash-3.2-10.2mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
dab84af7d1b08e98ffaf5a0a08f4c97f mes5/x86_64/bash-3.2-10.2mdvmes5.x86_64.rpm
bee4dcbfa1d5e22b8d94d69bca227153 mes5/x86_64/bash-doc-3.2-10.2mdvmes5.x86_64.rpm
902376b0b61041449cf06be37ba40d63 mes5/SRPMS/bash-3.2-10.2mdvmes5.src.rpm
Multi Network Firewall 2.0:
5af56b5d52e8ba4ef591403098294ff1 mnf/2.0/i586/bash-2.05b-16.1.C30mdk.i586.rpm
5ac71243bc151d3b0123f21d62f89449 mnf/2.0/i586/bash-doc-2.05b-16.1.C30mdk.i586.rpm
562bebc49856992e16d6add6c31bc4d8 mnf/2.0/SRPMS/bash-2.05b-16.1.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLTePJmqjQ0CJFipgRAk6kAKDCfdxFcPz4+qqiOZpdaUVMZYRoHACgpmzy
vXqabokF2ffkBdYBBSMdYsw=
=2wQJ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLTnEqNVH5XJJInbgRAiA7AJ41ElQBRO0Rgr+Ijjh6SgmwOxqe2wCfV2NJ
ubjA9sXILTAc13YGwjSv8Qg=
=kqY2
-----END PGP SIGNATURE-----