UbuntuUpdates.org

Package "bash-static"

Name: bash-static

Description: GNU Bourne Again SHell (static version)

Latest version: 4.3-7ubuntu1.7
Release: trusty (14.04)
Level: security
Repository: universe
Head package: bash
Homepage: http://tiswww.case.edu/php/chet/bash/bashtop.html

Other versions of "bash-static" in Trusty

Repository  Area      Version
base        universe  4.3-6ubuntu1
updates     universe  4.3-7ubuntu1.7

Changelog

Version: 4.3-7ubuntu1.7 2017-05-17 18:06:42 UTC

  bash (4.3-7ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:52:48 -0400

1507025 Shell Command Injection with the hostname
1689304 Unfixed Code Execution Vulnerability CVE-2016-7543
CVE-2016-0634 bash prompt expanding return value from gethostname()
CVE-2016-7543 Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.
CVE-2016-9401 popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.

Version: 4.3-7ubuntu1.5 2014-10-09 13:06:42 UTC

  bash (4.3-7ubuntu1.5) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect function definition parsing with
    here-document delimited by end-of-file
    - debian/patches/CVE-2014-6277.diff: properly handle closing delimiter
      in copy_cmd.c, make_cmd.c.
    - CVE-2014-6277
  * SECURITY UPDATE: incorrect function definition parsing via nested
    command substitutions
    - debian/patches/CVE-2014-6278.diff: properly handle certain parsing
      attempts in builtins/evalstring.c, parse.y, shell.h, y.tab.c.
    - CVE-2014-6278
  * Updated patches with official upstream versions:
    - debian/patches/CVE-2014-6271.diff
    - debian/patches/CVE-2014-7169.diff
    - debian/patches/variables-affix.diff
    - debian/patches/CVE-2014-718x.diff
 -- Marc Deslauriers <email address hidden> Tue, 07 Oct 2014 10:50:12 -0400

CVE-2014-6277 GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to
CVE-2014-6278 GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to
CVE-2014-6271 GNU Bash through 4.3 processes trailing strings after function ...
CVE-2014-7169 GNU Bash through 4.3 bash43-025 processes trailing strings after ...

Version: 4.3-7ubuntu1.4 2014-09-27 10:06:45 UTC

  bash (4.3-7ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
      off-by-one in parse.y and y.tab.c.
    - CVE-2014-7186
    - CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
    - debian/patches/variables-affix.diff: add prefixes and suffixes in
      variables.c.
 -- Marc Deslauriers <email address hidden> Fri, 26 Sep 2014 12:57:19 -0400


Version: 4.3-7ubuntu1.3 2014-09-26 03:06:58 UTC

  bash (4.3-7ubuntu1.3) trusty-security; urgency=medium

  * Updated debian/patches/CVE-2014-7169.diff to also patch y.tab.c in
    case it doesn't get regenerated when built (LP: #1374207)
 -- Marc Deslauriers <email address hidden> Thu, 25 Sep 2014 21:20:03 -0400

1374207 CVE-2014-7169 fix not effective on trusty
CVE-2014-7169 GNU Bash through 4.3 bash43-025 processes trailing strings after ...

Version: 4.3-7ubuntu1.2 2014-09-25 23:07:01 UTC

  bash (4.3-7ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271
    - debian/patches/CVE-2014-7169.diff: fix logic in parse.y.
    - CVE-2014-7169
 -- Marc Deslauriers <email address hidden> Thu, 25 Sep 2014 02:06:49 -0400

CVE-2014-6271 GNU Bash through 4.3 processes trailing strings after function ...
CVE-2014-7169 GNU Bash through 4.3 bash43-025 processes trailing strings after ...


