[CentOS] Bash still vulnerable
Johnny Hughes
johnny at centos.org
Thu Oct 9 12:04:34 UTC 2014
On 10/09/2014 07:00 AM, Johnny Hughes wrote:
> On 10/09/2014 06:48 AM, Kai Schaetzl wrote:
>> I noticed this as well but did some homework ;-)
>> https://bugzilla.redhat.com/show_bug.cgi?id=1147189
>> https://access.redhat.com/security/cve/CVE-2014-6277
>>
>> If I understand it correctly they think it's not exploitable anymore.
>> Still think it should get patched immediately as there is an upstream
>> patch available and it avoids any more questions and confusion about this
>> problem.
>
> Well, the upstream patch, at least as it is written now, would require
> them to back out their patches to apply.
>
> But regardless of whether or not they fix the segfault issue, that is
> NOT a security issue or exploitable.
>
> It might possibly be a Denial of Service mechanism, I guess.
>
> The place to address this is on the bugzilla entry though. We will
> publish the changes Red Hat rolls into the source and the upstream
> bugzilla is how to make that happen.
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1147189
Although, this is already in there:
"We can reproduce this parser bug. But we treat this as a regular bug,
not a security bug, because of the fixes mentioned in comment #1."
So, I would imagine that statement means that they are going to fix the
segfault issue as a RHBA, not an RHSA. This likely means it will
happen, but the QA and regression testing will be longer and more
thorough as it is not a time critical security issue.