[Secure-testing-commits] r29140 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Mon Sep 29 15:22:09 UTC 2014
Author: carnil
Date: 2014-09-29 15:22:09 +0000 (Mon, 29 Sep 2014)
New Revision: 29140
Modified:
data/CVE/list
Log:
Make clear that underlying bug is not fixed, but issue is mitigated by Florian's patch
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-09-29 13:27:38 UTC (rev 29139)
+++ data/CVE/list 2014-09-29 15:22:09 UTC (rev 29140)
@@ -1983,13 +1983,15 @@
RESERVED
CVE-2014-6278
RESERVED
-CVE-2014-6277 [Incomplete fix for CVE-2014-7169]
+CVE-2014-6277 [untrusted pointer use issue leading to code execution]
RESERVED
- - bash <not-affected> (we apply variables-affix.patch which prevents both CVE-2014-7169 and CVE-2014-6277)
- NOTE: although unfixed as we also add upstream patch for CVE-2014-7169,
- NOTE: this does not affect Debian as we apply the variables-affix.patch
- NOTE: (hardening patch). The hardening patch prevents both exploitation of
- NOTE: CVE-2014-7169 and CVE-2014-6277 related issues.
+ - bash <unfixed>
+ NOTE: The underlying parser flaw has not yet been disclosed and might
+ NOTE: still exist in latest released bash packages. However Florian
+ NOTE: Weimer's variables-affix.patch patch applied in Debian prevents
+ NOTE: exploitation of this issue by making bash only use environment
+ NOTE: variables with specific names (BASH_FUNC_*()) to define functions
+ NOTE: from its environment.
CVE-2014-6276
RESERVED
CVE-2014-6275
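Review bot: The new `- bash <unfixed>` line under CVE-2014-6277 leaves the mitigation recorded only in the free-text NOTE lines, so anything that reads just the status line will treat every bash package as equally exposed. Consider having the NOTE name the bash upload that first carried variables-affix.patch, so readers can tell mitigated packages from unmitigated ones. In the same NOTE block, "variables-affix.patch patch" repeats the word "patch", and "latest released bash packages" is ambiguous between upstream releases and Debian uploads. The bracketed description also changes from "Incomplete fix for CVE-2014-7169" to "untrusted pointer use issue leading to code execution" without a NOTE pointing to the source of the new wording; adding one would make the entry easier to revisit once the parser flaw is disclosed.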