Debian 10260 Published by

Updated nss and another bash update has been released for Debian:

[DLA 62-1] nss security update
[DLA 63-1] bash security update
[DSA 3035-1] bash security update



[DLA 62-1] nss security update

Package : nss
Version : 3.12.8-1+squeeze9
CVE ID : CVE-2014-1568

Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS
(the Mozilla Network Security Service library) was parsing ASN.1 data
used in signatures, making it vulnerable to a signature forgery attack.

An attacker could craft ASN.1 data to forge RSA certificates with a
valid certification chain to a trusted CA.

This update fixes this issue for the NSS libraries.

Note that iceweasel, which is also affected by CVE-2014-1568, however
has reached end-of-life in Squeeze(-LTS) and thus has not been fixed.


[DLA 63-1] bash security update

Package : bash
Version : 4.1-3+deb6u2
CVE ID : CVE-2014-7169
Debian Bug : 762760 762761

Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271
released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
incomplete and could still allow some characters to be injected into
another environment (CVE-2014-7169). With this update prefix and suffix
for environment variable names which contain shell functions are added
as hardening measure.

Additionally two out-of-bounds array accesses in the bash parser are
fixed which were revealed in Red Hat's internal analysis for these
issues and also independently reported by Todd Sabin.

[DSA 3035-1] bash security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3035-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
September 25, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bash
CVE ID : CVE-2014-7169
Debian Bug : 762760 762761

Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271
released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was
incomplete and could still allow some characters to be injected into
another environment (CVE-2014-7169). With this update prefix and suffix
for environment variable names which contain shell functions are added
as hardening measure.

Additionally two out-of-bounds array accesses in the bash parser are
fixed which were revealed in Red Hat's internal analysis for these
issues and also independently reported by Todd Sabin.

For the stable distribution (wheezy), these problems have been fixed in
version 4.2+dfsg-0.1+deb7u3.

We recommend that you upgrade your bash packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/