From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.15 Core Update 83 released
Date: Sun, 28 Sep 2014 19:51:13 +0200

http://www.ipfire.org/news/ipfire-2-15-core-update-83-released

This is the official release announcement for IPFire 2.15 Core Update 83. It mainly provides a fix for several security issues in the GNU bash package [1], also known as "ShellShock" and filed under CVE-2014-6271 and CVE-2014-7169.

ShellShock

It was possible to inject shell commands via the shell environment, which were then executed. IPFire uses CGI scripts for its web user interface. Therefore it was possible for authenticated users to execute shell commands with non-root privileges, as could, of course, users who had access to the shell on the command line. Other services that execute shell scripts, like the DHCP client, were also vulnerable.

We regard this as a serious security issue and recommend updating as soon as possible. Please do not forget to reboot your machine afterwards and check for updates for your other *nix distributions as well because they are probably vulnerable, too.

It appears that there might be more problems in GNU bash for which there is no working fix available right now. So please stay tuned for more updates.

Further information about this error can be found at [2] and [3].

Misc

* squid - the Web Proxy - has been updated to version 3.4.7 due to various security and stability fixes
* Several security and stability fixes have been added to glibc
* The URL to detailed descriptions of the snort alerts has been updated
* Various minor bug fixes.

----

Thanks to all who provided us with feedback about their testing results.
Please support future security fixes by sending us a donation [4].

[1] http://planet.ipfire.org/post/fixing-the-gnu-bash-vulnerability-cve-2014-6271
[2] http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
[3] http://www.heise.de/newsticker/meldung/ShellShock-Standard-Unix-Shell-Bash-erlaubt-das-Ausfuehren-von-Schadcode-2403305.html
[4] http://www.ipfire.org/donate
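
An added example, not part of the IPFire announcement or IPFire's own code: a local check, for use after updating, of whether an installed bash still shows the behaviour behind CVE-2014-6271 and CVE-2014-7169. The probe strings are the widely published public test cases; the function names, the marker string and the /bin/bash default are assumptions.

```shell
#!/bin/sh
# Added example: checks one bash binary for the two CVEs named above.
# Pass an absolute path; /bin/bash is an assumed default.

# CVE-2014-6271: prints "vulnerable", "patched" or "absent".
bash_6271_status() {
    shell=${1:-/bin/bash}
    [ -x "$shell" ] || { echo absent; return 0; }
    # An unpatched bash runs the command that trails the function
    # definition while importing the variable, before -c is evaluated.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c ':' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# CVE-2014-7169: same three results.
bash_7169_status() {
    shell=${1:-/bin/bash}
    [ -x "$shell" ] || { echo absent; return 0; }
    dir=$(mktemp -d) || return 1
    # With only the first fix applied, leftover parser state turns the
    # first word of the -c string into a redirection target, so a file
    # named "echo" appears in the working directory.
    (cd "$dir" && env probe='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

echo "CVE-2014-6271: $(bash_6271_status /bin/bash)"
echo "CVE-2014-7169: $(bash_7169_status /bin/bash)"
```

A "patched" result covers only these two CVEs; it says nothing about the further bash problems the announcement expects.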