<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px;">Good Morning,</div>
<div style="margin: 0px; min-height: 19px;"><br>
</div>
<div style="margin: 0px;">Apple has released <a href="http://support.apple.com/kb/HT6495">OS X bash Update 1.0</a> to patch Mac users for the bash vulnerability that was announced last week.</div>
<div style="margin: 0px; min-height: 19px;"><br>
</div>
<div style="margin: 0px;">The patch is not available via the Apple App Store. It can be downloaded from the Apple Support website: <a href="http://support.apple.com/downloads/">http://support.apple.com/downloads/</a>.</div>
<div style="margin: 0px; min-height: 19px;"><br>
</div>
<div style="margin: 0px;">For MIT users on a domain, the patch will be deployed via Casper.</div>
<div style="margin: 0px;"><br>
</div>
<div style="margin: 0px;"><br>
</div>
<div style="margin: 0px; min-height: 19px;"><br>
</div>
<div style="margin: 0px;">Details of the patch:</div>
<div style="margin: 0px; min-height: 19px;"><br>
</div>
<p style="margin: 0px 0px 18px; color: rgb(50, 51, 51);">Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5</p>
<p style="margin: 0px 0px 18px; color: rgb(50, 51, 51);">Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands</p>
<p style="margin: 0px 0px 18px; color: rgb(50, 51, 51);">Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.</p>
<p style="margin: 0px 0px 18px; color: rgb(50, 51, 51);">This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.</p>
<p style="margin: 0px 0px 18px; color: rgb(50, 51, 51);">In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce
function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.</p>
<div><br>
</div>
<div>If you have any problems or questions about the patch, please contact the IS&T Help Desk.</div>
</div>
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>
</div>
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
Thanks,<br>
<br>
Monique<br>
<br>
==========================<br>
Monique Buchanan<br>
IT Security Communications Coordinator<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
</body>
</html>