bash updates for 10.7 to 10.9

» OS X bash Update 1.0 is now available and addresses the following:
»
» Bash
» Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
» OS X Mavericks v10.9.5
» Impact: In certain configurations, a remote attacker may be able to execute arbitrary
» shell commands
» Description: An issue existed in Bash's parsing of environment variables. This issue was
» addressed through improved environment variable parsing by better detecting the end of
» the function statement.
» This update also incorporated the suggested CVE-2014-7169 change, which resets the
» parser state.
» In addition, this update added a new namespace for exported functions by creating a
» function decorator to prevent unintended header passthrough to Bash. The names of all
» environment variables that introduce function definitions are required to have a
» prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via
» HTTP headers.
» CVE-ID
» CVE-2014-6271 : Stephane Chazelas
» CVE-2014-7169 : Tavis Ormandy
»
»
» OS X bash Update 1.0 may be obtained from the following webpages:
» http://support.apple.com/kb/DL1767 – OS X Lion
» http://support.apple.com/kb/DL1768 – OS X Mountain Lion
» http://support.apple.com/kb/DL1769 – OS X Mavericks
»
» To check that bash has been updated:
»
» * Open Terminal
» * Execute this command:
» bash --version
» * The version after applying this update will be:
» OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
» OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
» OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)
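
The version check from the advisory as a script for running across several machines, together with a test for the new exported-function naming scheme. This is an added example, not part of Apple's advisory; the function names are hypothetical, and treating any 3.2 patch level of 53 or higher as updated is an assumption.

```shell
#!/bin/sh
# Added example, not from Apple's advisory. Function names are hypothetical.

# Print "major.minor.patch" from the first line of `bash --version` output.
bash_version_triplet() {
    printf '%s\n' "$1" |
        sed -n '1s/^GNU bash, version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# 0 = 3.2 build at patch level 53 or later, 1 = older 3.2 build,
# 2 = unparseable or not a 3.2 build (the advisory only covers Apple's 3.2).
# Assumption: any 3.2 patch level >= 53 counts as updated.
is_patched_apple_bash() {
    v=$(bash_version_triplet "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    { [ "$major" -eq 3 ] && [ "$minor" -eq 2 ]; } || return 2
    [ "$patch" -ge 53 ]
}

# 0 if NAME uses the advisory's namespace for exported functions:
# prefix "__BASH_FUNC<", a non-empty function name, suffix ">()".
is_decorated_func_name() {
    case $1 in
        '__BASH_FUNC<'?*'>()') return 0 ;;
        *) return 1 ;;
    esac
}

report() {
    rc=0
    is_patched_apple_bash "$1" || rc=$?
    case $rc in
        0) echo "updated:      $1" ;;
        1) echo "NOT updated:  $1" ;;
        *) echo "not a 3.2.x build, advisory check does not apply: $1" ;;
    esac
}

# Constructed sample lines (the 3.2.51 patch level is illustrative).
report 'GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)'
report 'GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)'
# The bash actually installed on this machine, if there is one.
if command -v bash >/dev/null 2>&1; then
    report "$(bash --version | head -n 1)"
fi
```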