Updated bash Shift_JIS packages that fix one security issue are now available for Red Hat Enterprise Linux 5.9 Extended Update Support.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. Shift_JIS, also known as "SJIS", is a character encoding for the Japanese language. This package provides bash support for the Shift_JIS encoding.

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169)

Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages addresses the vulnerability for every bash started after the update, even without restarting services; shells that are already running keep executing the old code, and functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223

Note: Docker users are advised to use "yum update" within their containers, and to commit the resulting changes.

For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.

All users who require Shift_JIS encoding support with Bash built-in functions are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
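The following script is an added example and is not part of the Red Hat advisory or of the bash package. It probes a given bash binary for the two behaviours described above, the original CVE-2014-6271 command injection and the CVE-2014-7169 parser leftover that the incomplete fix missed, by handing bash a crafted environment variable the same way a remote attacker would through a CGI script or similar front end. It is useful both before the update and after it, to confirm that the binary now on disk (and, when run from inside a long-running session, the bash that session still executes) is actually patched. The function names, the marker string and the throwaway-directory handling are the example's own choices, not anything the advisory prescribes.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: probe a bash binary for the
# original Shellshock bug (CVE-2014-6271) and for the incomplete-fix variant
# (CVE-2014-7169) by handing bash a crafted environment variable. Each function
# takes the path of the bash to test (default: the first "bash" on PATH) and
# returns 0 if that bash behaves as patched, 1 if it still shows the vulnerable
# behaviour, and 2 if it cannot be run at all, so that "not found" is never
# mistaken for "patched".

# CVE-2014-6271: commands appended after a function definition in an
# environment variable were executed when bash imported the variable.
bash_patched_6271() {
    b="${1:-bash}"
    command -v "$b" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE-6271' "$b" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *VULNERABLE-6271*) return 1 ;;
        *)                 return 0 ;;
    esac
}

# CVE-2014-7169: the parser state left behind by a malformed function body
# ("(a)=>\") was applied to the next command parsed, so "echo date" became
# "> echo date": it ran date(1) and wrote the output to a file named "echo".
# A patched bash simply prints "date" and creates no file. The probe runs in a
# throwaway directory so a vulnerable bash cannot litter the caller's cwd.
bash_patched_7169() {
    b="${1:-bash}"
    command -v "$b" >/dev/null 2>&1 || return 2
    d=$(mktemp -d) || return 2
    (
        cd "$d" || exit 2
        env X='() { (a)=>\' "$b" -c 'echo date' >/dev/null 2>&1 || true
        [ -e echo ] && exit 1
        exit 0
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Human-readable summary for one binary, e.g. right after installing the update
# and again from inside any screen/tmux session that was not restarted.
shellshock_report() {
    b="${1:-bash}"
    for cve in 6271 7169; do
        rc=0
        "bash_patched_$cve" "$b" || rc=$?
        case "$rc" in
            0) echo "CVE-2014-$cve: $b not vulnerable" ;;
            1) echo "CVE-2014-$cve: $b VULNERABLE" ;;
            *) echo "CVE-2014-$cve: $b could not be tested" ;;
        esac
    done
}

shellshock_report "${1:-bash}"
```

Run it as `sh shellshock-probe.sh /bin/bash` (or with no argument to test the first bash on PATH). Because the probes exercise the binary's behaviour rather than reading package metadata, they give the same answer whether the fix arrived through this erratum, a rebuilt package, or a vendor backport; conversely, a clean result from a freshly started shell says nothing about a service or session that is still running the pre-update bash image, which is exactly why the advisory asks for those to be restarted.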
Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Red Hat Enterprise S-JIS Service

SRPMS:
bash-3.2-32.el5_9.3.sjis.1.src.rpm
    MD5: 2b5608b1497b519fb2e75d8813f14467
    SHA-256: c150bedfacbf95f896ba41da7075d8bee28957fbebd7d0cf5e03b44f7da407cd

IA-32:
bash-3.2-32.el5_9.3.sjis.1.i386.rpm
    MD5: 0ab5b8f576054f7895c8ba1492020ca4
    SHA-256: 0b61a39b24e789125459be9914eedca7bd51d1f36ec20bc83c801709fda3a8a1
bash-debuginfo-3.2-32.el5_9.3.sjis.1.i386.rpm
    MD5: 380bc049d9f6ac71edbc52f972c5547f
    SHA-256: 585260c3c3077f7d0e67a0b493e66e0b1e98ad60704ea140cd63aaf191255433

IA-64:
bash-3.2-32.el5_9.3.sjis.1.i386.rpm
    MD5: 0ab5b8f576054f7895c8ba1492020ca4
    SHA-256: 0b61a39b24e789125459be9914eedca7bd51d1f36ec20bc83c801709fda3a8a1
bash-3.2-32.el5_9.3.sjis.1.ia64.rpm
    MD5: f87598c1638908e32610af546a5b48f3
    SHA-256: 5b50de612353d47f2654305487af079b41dad00dfc0943b8be92116df9746853
bash-debuginfo-3.2-32.el5_9.3.sjis.1.i386.rpm
    MD5: 380bc049d9f6ac71edbc52f972c5547f
    SHA-256: 585260c3c3077f7d0e67a0b493e66e0b1e98ad60704ea140cd63aaf191255433
bash-debuginfo-3.2-32.el5_9.3.sjis.1.ia64.rpm
    MD5: 6b57cacd056eb5cb4907d1139ad737f5
    SHA-256: 397818a8c7c2fd7ae7b1f89518bca98ab5f6d722c2531a85a089920fbd2b3483

x86_64:
bash-3.2-32.el5_9.3.sjis.1.x86_64.rpm
    MD5: 363d114e441bb7eb3382660b4e5ae0f5
    SHA-256: bf63affcf47e78b65cacfb039280a408ee83c08a9ed0a082e903265a64babcdb
bash-debuginfo-3.2-32.el5_9.3.sjis.1.x86_64.rpm
    MD5: a3288a561956f44b829512c5f6fedb53
    SHA-256: 0bfe42409529333c9f1e3528fe1a17adba035bf7c5e5f5ce4291ac4567ce9f7c

(The unlinked packages above are only available from the Red Hat Network)
1146319 – CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
