(RHSA-2017:0725) Moderate: bash security and bug fix update

2017-03-21T10:17:48
ID RHSA-2017:0725
Type redhat
Reporter RedHat
Modified 2018-06-07T18:22:53

Description

The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux.

Security Fix(es):

  • An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634)

  • An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

  • A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.