Date: Tue, 8 Sep 1998 20:26:54 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
To: redhat-watch-list@redhat.com
Subject: SECURITY: new bash packages available

-----BEGIN PGP SIGNED MESSAGE-----

A security vulnerability has been identified in all versions of bash
shipped with Red Hat Linux. Details on the nature of the bug have been
posted recently to the BUGTRAQ security list.

The bug is not immediately exploitable - it will require that a user with
shell account on one machine create a carefully constructed directory
structure and then wait for somebody else with a root account to cd into
that directory.

Red Hat would like to thank Joao Manuel Carolino
<root@EINSTEIN.DHIS.EU.ORG> for identifying this bug and Wichert Akkerman
<wichert@WIGGY.ML.ORG> for providing an idea of a fix.

Users of Red Hat Linux are recommended to upgrade to the new packages
available under updates directory on our ftp site:

* Red Hat Linux 5.1 and 5.0:
============================

alpha:
- ------
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/alpha/bash-1.14.7-11.alpha.rpm

i386:
- -----
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/i386/bash-1.14.7-11.i386.rpm

sparc:
- ------
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/sparc/bash-1.14.7-11.sparc.rpm

Source RPM:
- -----------
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.1/SRPMS/bash-1.14.7-11.src.rpm

* Red Hat Linux 4.2:
====================

alpha:
- ------
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/bash-1.14.7-1.1.alpha.rpm

i386:
- -----
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/bash-1.14.7-1.1.i386.rpm

sparc:
- ------
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/bash-1.14.7-1.1.sparc.rpm

Source RPM:
- -----------
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/bash-1.14.7-1.1.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNfXB1fGvxKXU9NkBAQE65AP8C9P8it0cXLv0dDGRfKfOtulv2WRO78FT
DIBHe26NPjGCSsT6Hub/EYF8HqiABaurrQk/y8d6DRz0sreDHoWweTbwZ/Sb8seE
lxpSLyiVdOudVXhuLRg9T0VhGDIwqplPg+9gtsMDgFry1soo/u8JaQemE6xzSYyw
Yw8udi8PlDU=
=9E+H
-----END PGP SIGNATURE-----

Cristian
--
----------------------------------------------------------------------
Cristian Gafton   --   gafton@redhat.com   --   Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.