[CentOS] Bash still vulnerable

Thu Oct 9 12:04:34 UTC 2014
Johnny Hughes <johnny at centos.org>

On 10/09/2014 07:00 AM, Johnny Hughes wrote:
> On 10/09/2014 06:48 AM, Kai Schaetzl wrote:
>> I noticed this as well but did some homework ;-)
>> https://bugzilla.redhat.com/show_bug.cgi?id=1147189
>> https://access.redhat.com/security/cve/CVE-2014-6277
>>
>> If I understand it correctly they think it's not exploitable anymore. 
>> Still think it should get patched immediately as there is an upstream 
>> patch available and it avoids any more questions and confusion about this 
>> problem.
> 
> Well, the upstream patch, at least as it is written now, would require
> them to back out their patches to apply.
> 
> But regardless if whether or not they fix the segfault issue, that is
> NOT a security issue or exploitable.
> 
> It might possibly be a Denial of Service mechanism, I guess.
> 
> The place to address this is on the bugzilla entry though.  We will
> publish the changes Red Hat rolls into the source and the upstream
> bugzilla is how to make that happen.
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1147189

Although, this is already in there:

"We can reproduce this parser bug.  But we treat this as a regular bug,
not a security bug, because of the fixes mentioned in comment #1."

So, I would imagine that statement means that they are going to fix the
segfault  issue as a RHBA, not an RHSA.  This likely means it will
happen, but the QA and regression testing will be longer and more
thorough as it is not a time critical security issue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20141009/e62dce3a/attachment-0005.sig>