UbuntuUpdates.org

Package "bash"

Name: bash

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Bash loadable builtins - headers & examples
  • GNU Bourne Again SHell (static version)

Latest version: 4.3-14ubuntu1.4
Release: xenial (16.04)
Level: security
Repository: universe

Links



Other versions of "bash" in Xenial

Repository Area Version
base universe 4.3-14ubuntu1
base main 4.3-14ubuntu1
security main 4.3-14ubuntu1.4
updates main 4.3-14ubuntu1.4
updates universe 4.3-14ubuntu1.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 4.3-14ubuntu1.4 2019-07-15 16:06:27 UTC

  bash (4.3-14ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: rbash restriction bypass (LP: #1803441)
    - debian/patches/CVE-2019-9924.patch: if the shell is restricted,
      reject attempts to add pathnames containing slashes to the hash table
      in variables.c.
    - CVE-2019-9924

 -- Marc Deslauriers <email address hidden> Fri, 12 Jul 2019 14:25:28 -0400

Source diff to previous version
1803441 BASH_CMDS is writable in restricted bash shells (fixed upstream, need to backport patch)
CVE-2019-9924 rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permis

Version: 4.3-14ubuntu1.2 2017-05-17 18:06:48 UTC

  bash (4.3-14ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:51:45 -0400

1507025 Shell Command Injection with the hostname
1689304 Unfixed Code Execution Vulnerability CVE-2016-7543
CVE-2016-0634 bash prompt expanding return value from gethostname()
CVE-2016-7543 Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.
CVE-2016-9401 popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.



About   -   Send Feedback to @ubuntu_updates