Re: [IS&T Security-FYI] Patch for bash vulnerability released for
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Wed Oct 1 10:05:43 2014
Resent-From: ist-security-fyi@mit.edu
From: Monique Buchanan <myeaton@mit.edu>
To: itpartners <itpartners@mit.edu>,
"IT Security Special Interest Group
[Security SIG]" <security_sig@mit.edu>,
ist-security-fyi
<ist-security-fyi@mit.edu>
Date: Wed, 1 Oct 2014 14:04:33 +0000
Message-ID: <C3EE9EA7-7329-4731-9635-47205E755D5A@mit.edu>
In-Reply-To: <19FADD57-BF9A-44C4-AEB8-D728EFCA6EF6@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0150691802=="
Errors-To: ist-security-fyi-bounces@mit.edu
I hit “send” too soon. One correction for the information below:
The patch will be automatically pushed out to Mac users that have the IS&T Casper client<http://kb.mit.edu/confluence/display/istcontrib/Casper+Suite> installed.
Thanks,
Monique
==========================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
On Oct 1, 2014, at 9:56 AM, Monique Buchanan <myeaton@mit.edu> wrote:
Good Morning,
Apple has released OS X bash Update 1.0<http://support.apple.com/kb/HT6495> to patch Mac users for the bash vulnerability that was announced last week.
The patch is not available via the Apple App Store. It can be downloaded from the Apple Support website: http://support.apple.com/downloads/.
For MIT users on a domain, the patch will be deployed via Casper.
Details of the patch:
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.
In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
If you have any problems or questions about the patch, please contact the IS&T Help Desk.
Thanks,
Monique
==========================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
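The namespace rule described in the patch details above, modelled in Python as an added illustration (not code from Apple, IS&T or the bash project): it compares which environment entries the old value-only rule would import as functions against the patched rule that also requires the "__BASH_FUNC<name>()" variable name, using a constructed CGI-style environment; the exact parsing of real bash is an assumption here.

```python
import re

# Constructed sample: the environment a CGI gateway would hand to a bash
# script. Request headers arrive as HTTP_* variables with caller-chosen
# values; the last entry is a function exported under the patched
# "__BASH_FUNC<name>()" naming described in the advisory.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_HOST": "www.example.edu",
    "HTTP_USER_AGENT": "() { :; }; echo header-body-ran",
    "__BASH_FUNC<greet>()": "() { echo hello; }",
}

# Pre-patch bash recognised an exported function purely by its value
# starting with "() {" (assumption: modelled from the advisory's wording,
# not copied from bash source).
FUNC_VALUE = re.compile(r"^\(\) \{")
# Patched rule: the variable *name* must carry the prefix and suffix.
NAMESPACED = re.compile(r"^__BASH_FUNC<([A-Za-z_][A-Za-z0-9_]*)>\(\)$")


def functions_imported_unpatched(env):
    """Names of variables the value-only rule would define as functions."""
    return sorted(name for name, value in env.items() if FUNC_VALUE.match(value))


def functions_imported_patched(env):
    """Function names the namespaced rule imports: name and value must both match."""
    found = []
    for name, value in env.items():
        m = NAMESPACED.match(name)
        if m and FUNC_VALUE.match(value):
            found.append(m.group(1))
    return sorted(found)


def header_vars_with_function_values(env):
    """Defender check: header-derived HTTP_* variables carrying a function-shaped value."""
    return sorted(n for n, v in env.items() if n.startswith("HTTP_") and FUNC_VALUE.match(v))


if __name__ == "__main__":
    print("value-only rule would import:", functions_imported_unpatched(SAMPLE_ENV))
    print("namespaced rule would import:", functions_imported_patched(SAMPLE_ENV))
    print("header vars to flag:", header_vars_with_function_values(SAMPLE_ENV))
```

A header-derived variable can never carry the "__BASH_FUNC<" prefix, which is why the patched rule ignores it even though its value still looks like a function body.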
_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi