[10240] in Security FYI


[IS&T Security-FYI] Patch for bash vulnerability released for Mac

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Wed Oct 1 09:57:57 2014

Resent-From: ist-security-fyi@mit.edu
From: Monique Buchanan <myeaton@mit.edu>
To: itpartners <itpartners@mit.edu>, "IT Security Special Interest Group [Security SIG]" <security_sig@mit.edu>, ist-security-fyi <ist-security-fyi@mit.edu>
Date: Wed, 1 Oct 2014 13:56:23 +0000
Message-ID: <19FADD57-BF9A-44C4-AEB8-D728EFCA6EF6@mit.edu>

Good Morning,

Apple has released OS X bash Update 1.0 <http://support.apple.com/kb/HT6495> to patch Mac users for the bash vulnerability that was announced last week.

The patch is not available via the Apple App Store. It can be downloaded from the Apple Support website: http://support.apple.com/downloads/.

For MIT users on a domain, the patch will be deployed via Casper.

Details of the patch:

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
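An added post-install check (example code, not from the announcement or from Apple) that an administrator can run to confirm the behaviour the patch describes: an environment variable whose value merely looks like a function body is treated as plain data, and functions bash itself exports travel under a prefixed name. The function names are mine; the exact prefix depends on the bash build (Apple's update uses the "__BASH_FUNC<name>()" form, upstream bash 4.3 patch 27 and later use "BASH_FUNC_name%%").

```shell
#!/bin/sh
# Added example, not part of the original announcement.
# Verifies the two post-patch behaviours described above.

# Returns 0 if bash treats an env var named "f" whose value is "() { ... }"
# as ordinary data (patched behaviour), 1 if bash imported it as a function
# (pre-patch behaviour). The body is harmless and nothing follows the brace.
env_var_is_plain_data() {
    command -v bash >/dev/null 2>&1 || return 0   # no bash here: nothing to check
    out=$(env f='() { echo imported; }' bash -c 'type -t f 2>/dev/null || :')
    [ "$out" != "function" ]
}

# Prints the environment-variable name a patched bash uses when it exports a
# function called "f" itself (expected to contain BASH_FUNC; e.g.
# "BASH_FUNC_f%%" upstream, "__BASH_FUNC<f>()" in Apple's update).
exported_function_env_name() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    bash -c 'f() { :; }; export -f f; env | grep -i BASH_FUNC | cut -d= -f1 | head -n1'
}

if env_var_is_plain_data; then
    echo "ok: function-looking env vars are plain data (patched behaviour)"
else
    echo "WARNING: bash imported a function from an arbitrary env var (unpatched)"
fi
echo "exported function is passed as: $(exported_function_env_name)"
```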

If you have any problems or questions about the patch, please contact the IS&T Help Desk.

Thanks,

Monique

==========================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
