The command-line shell ‘bash’ evaluates environment variables, which
allows the injection of characters and might be used to access files on
the system in some circumstances (CVE-2014-7169).
Please note that this issue is different from a previously fixed
vulnerability tracked under CVE-2014-6271 and is less serious due to the
special, non-default system configuration that is needed to create an
exploitable situation.
To remove further exploitation potential, we now limit the
function-in-environment feature to variables prefixed with BASH_FUNC_.
This hardening feature is work in progress and might be improved in later
updates.
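
The restriction described above can be turned into an audit check. The shell functions below are an added example, not code from bash or from this advisory: they flag environment entries whose value starts with the `() {` function marker but whose name lacks the BASH_FUNC_ prefix. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify environment entries against the BASH_FUNC_ rule.
# Assumption: an exported function is recognised by a value that begins
# with the four characters "() {".

# classify_entry NAME=VALUE -> prints plain | prefixed | legacy
#   plain    : value is not a function definition
#   prefixed : function definition in a BASH_FUNC_ variable
#   legacy   : function definition under any other name; only a bash
#              without the BASH_FUNC_ restriction would import it
classify_entry() {
    case $1 in
        *=*) ;;
        *) echo plain; return ;;      # malformed entry, nothing to import
    esac
    name=${1%%=*}                     # text before the first '='
    value=${1#*=}                     # text after the first '='
    case $value in
        '() {'*) ;;
        *) echo plain; return ;;
    esac
    case $name in
        BASH_FUNC_*) echo prefixed ;;
        *) echo legacy ;;
    esac
}

# audit_entries NAME=VALUE... -> prints the names of legacy entries
audit_entries() {
    for entry in "$@"; do
        if [ "$(classify_entry "$entry")" = legacy ]; then
            printf '%s\n' "${entry%%=*}"
        fi
    done
}

# Constructed sample entries; only LEGACY_FN is reported.
audit_entries 'PATH=/usr/bin:/bin' \
              'LEGACY_FN=() { :; }' \
              'BASH_FUNC_greet=() { echo hi; }'
```
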
Additionally, two other security issues have been fixed:
* CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
* CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
Security Issues:
* CVE-2014-7169
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>
* CVE-2014-7186
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>
* CVE-2014-7187
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>
download.suse.com/patch/finder/?keywords=01d7685e480d31be1641e84591918b9e
download.suse.com/patch/finder/?keywords=1143502d673561f6e5895393ba93df6f
download.suse.com/patch/finder/?keywords=7c3a2e9a2aa61a2702de17e1ed7a7f43
download.suse.com/patch/finder/?keywords=b6868a6fc575e34338a7d5fd7491f09f
download.suse.com/patch/finder/?keywords=d6f3fbe6b7cd7f9bd580be31dd2ada90
bugzilla.suse.com/show_bug.cgi?id=898346
bugzilla.suse.com/show_bug.cgi?id=898603
bugzilla.suse.com/show_bug.cgi?id=898604