Security update for bash SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2715-1 Final 1 1 2016-11-03T11:04:07Z current 2016-11-03T11:04:07Z 2016-11-03T11:04:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bash This update for bash fixes the following security issues: - CVE-2016-7543: Local attackers could have executed arbitrary commands via specially crafted SHELLOPTS+PS4 variables (bsc#1001299) - CVE-2016-0634: Malicious hostnames could have allowed arbitrary command execution when $HOSTNAME was expanded in the prompt (bsc#1000396) This update also fixes the following bugs: - fix a crash found during debugging boo#971410 - boo#976776: crash if ~/.bash_history is empty (boo#976776) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-11/msg00007.html E-Mail link for openSUSE-SU-2016:2715-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 bash-4.2-75.5.1 bash-debuginfo-4.2-75.5.1 bash-debuginfo-32bit-4.2-75.5.1 bash-debugsource-4.2-75.5.1 bash-devel-4.2-75.5.1 bash-doc-4.2-75.5.1 bash-lang-4.2-75.5.1 bash-loadables-4.2-75.5.1 bash-loadables-debuginfo-4.2-75.5.1 libreadline6-6.2-75.5.1 libreadline6-32bit-6.2-75.5.1 libreadline6-debuginfo-6.2-75.5.1 libreadline6-debuginfo-32bit-6.2-75.5.1 readline-devel-6.2-75.5.1 readline-devel-32bit-6.2-75.5.1 readline-doc-6.2-75.5.1 bash-4.2-75.5.1 as a component of openSUSE 13.2 bash-debuginfo-4.2-75.5.1 as a component of openSUSE 13.2 bash-debuginfo-32bit-4.2-75.5.1 as a component of openSUSE 13.2 bash-debugsource-4.2-75.5.1 as a component of openSUSE 13.2 bash-devel-4.2-75.5.1 as a component of openSUSE 13.2 bash-doc-4.2-75.5.1 as a component of openSUSE 13.2 bash-lang-4.2-75.5.1 as a component of openSUSE 13.2 bash-loadables-4.2-75.5.1 as a component of openSUSE 13.2 bash-loadables-debuginfo-4.2-75.5.1 as a component of openSUSE 13.2 libreadline6-6.2-75.5.1 as a component of openSUSE 13.2 libreadline6-32bit-6.2-75.5.1 as a component of openSUSE 13.2 libreadline6-debuginfo-6.2-75.5.1 as a component of openSUSE 13.2 libreadline6-debuginfo-32bit-6.2-75.5.1 as a component of openSUSE 13.2 readline-devel-6.2-75.5.1 as a component of openSUSE 13.2 readline-devel-32bit-6.2-75.5.1 as a component of openSUSE 13.2 readline-doc-6.2-75.5.1 as a component of openSUSE 13.2 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2016-0634 openSUSE 13.2:bash-4.2-75.5.1 openSUSE 13.2:bash-debuginfo-32bit-4.2-75.5.1 openSUSE 13.2:bash-debuginfo-4.2-75.5.1 openSUSE 13.2:bash-debugsource-4.2-75.5.1 openSUSE 13.2:bash-devel-4.2-75.5.1 openSUSE 13.2:bash-doc-4.2-75.5.1 openSUSE 13.2:bash-lang-4.2-75.5.1 openSUSE 13.2:bash-loadables-4.2-75.5.1 openSUSE 13.2:bash-loadables-debuginfo-4.2-75.5.1 openSUSE 13.2:libreadline6-32bit-6.2-75.5.1 openSUSE 13.2:libreadline6-6.2-75.5.1 openSUSE 13.2:libreadline6-debuginfo-32bit-6.2-75.5.1 openSUSE 13.2:libreadline6-debuginfo-6.2-75.5.1 openSUSE 13.2:readline-devel-32bit-6.2-75.5.1 openSUSE 13.2:readline-devel-6.2-75.5.1 openSUSE 13.2:readline-doc-6.2-75.5.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-11/msg00007.html https://www.suse.com/security/cve/CVE-2016-0634.html CVE-2016-0634 https://bugzilla.suse.com/1000396 SUSE Bug 1000396 https://bugzilla.suse.com/1001299 SUSE Bug 1001299 Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables. CVE-2016-7543 openSUSE 13.2:bash-4.2-75.5.1 openSUSE 13.2:bash-debuginfo-32bit-4.2-75.5.1 openSUSE 13.2:bash-debuginfo-4.2-75.5.1 openSUSE 13.2:bash-debugsource-4.2-75.5.1 openSUSE 13.2:bash-devel-4.2-75.5.1 openSUSE 13.2:bash-doc-4.2-75.5.1 openSUSE 13.2:bash-lang-4.2-75.5.1 openSUSE 13.2:bash-loadables-4.2-75.5.1 openSUSE 13.2:bash-loadables-debuginfo-4.2-75.5.1 openSUSE 13.2:libreadline6-32bit-6.2-75.5.1 openSUSE 13.2:libreadline6-6.2-75.5.1 openSUSE 13.2:libreadline6-debuginfo-32bit-6.2-75.5.1 openSUSE 13.2:libreadline6-debuginfo-6.2-75.5.1 openSUSE 13.2:readline-devel-32bit-6.2-75.5.1 openSUSE 13.2:readline-devel-6.2-75.5.1 openSUSE 13.2:readline-doc-6.2-75.5.1 moderate 6.8 AV:L/AC:M/Au:N/C:C/I:C/A:C Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-11/msg00007.html https://www.suse.com/security/cve/CVE-2016-7543.html CVE-2016-7543 https://bugzilla.suse.com/1001299 SUSE Bug 1001299