[IS&T Security-FYI] Patch for bash vulnerability released for Mac OS X

Monique Buchanan myeaton at mit.edu
Wed Oct 1 10:04:33 EDT 2014


I hit “send” too soon. One correction for the information below:

The patch will be automatically pushed out to Mac users that have the IS&T Casper client<http://kb.mit.edu/confluence/display/istcontrib/Casper+Suite> installed.

Thanks,

Monique

==========================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715



On Oct 1, 2014, at 9:56 AM, Monique Buchanan <myeaton at mit.edu> wrote:

Good Morning,

Apple has released OS X bash Update 1.0<http://support.apple.com/kb/HT6495> to patch Mac users for the bash vulnerability that was announced last week.

The patch is not available via the Apple App Store. It can be downloaded from the Apple Support website: http://support.apple.com/downloads/.

For MIT users on a domain, the patch will be deployed via Casper.



Details of the patch:


Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

If you have any problems or questions about the patch, please contact the IS&T Help Desk.

Thanks,

Monique

==========================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715
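
The following is an added example, not part of the original message or of Apple's update. It classifies environment entries against the naming rule quoted above (prefix "__BASH_FUNC<", suffix ">()"). It assumes the legacy export format in which a value beginning with "() {" was read as a function definition; the sample entries and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Per the patch description, only names of the form
# __BASH_FUNC<name>() may introduce a function definition. A value that
# looks like a function body under any other name (for example a CGI
# variable built from an HTTP header) is worth flagging during log review.

# classify_env_entry NAME VALUE -> prints one classification word
classify_env_entry() {
    name=$1
    value=$2
    case $name in
        # literal prefix, at least one character of name, literal suffix
        '__BASH_FUNC<'?*'>()')
            echo namespaced-function; return 0 ;;
    esac
    case $value in
        # assumed legacy format: value starts with "() {"
        '() {'*)
            echo legacy-function-syntax; return 0 ;;
    esac
    echo plain
}

# Constructed sample of NAME=VALUE entries, such as a CGI handler might see.
sample_env() {
cat <<'EOF'
PATH=/usr/bin:/bin
HTTP_USER_AGENT=() { :; }
__BASH_FUNC<greet>()=() { echo hello; }
HTTP_ACCEPT=text/html
EOF
}

# audit_entries: read NAME=VALUE lines on stdin, print "<class> <name>".
audit_entries() {
    while IFS= read -r line; do
        name=${line%%=*}     # text before the first "="
        value=${line#*=}     # text after the first "="
        printf '%s %s\n' "$(classify_env_entry "$name" "$value")" "$name"
    done
}

sample_env | audit_entries
```

In the sample, only the "__BASH_FUNC<greet>()" entry satisfies the naming rule; the HTTP_USER_AGENT entry carries function syntax under a header-derived name and is reported as legacy-function-syntax.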



