Security update for bash SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1419-1 Final 1 1 2018-05-25T05:45:35Z current 2018-05-25T05:45:35Z 2018-05-25T05:45:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bash This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00100.html E-Mail link for openSUSE-SU-2018:1419-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 bash-4.3-83.6.1 bash-devel-4.3-83.6.1 bash-doc-4.3-83.6.1 bash-lang-4.3-83.6.1 bash-loadables-4.3-83.6.1 libreadline6-6.3-83.6.1 libreadline6-32bit-6.3-83.6.1 readline-devel-6.3-83.6.1 readline-devel-32bit-6.3-83.6.1 readline-doc-6.3-83.6.1 bash-4.3-83.6.1 as a component of openSUSE Leap 42.3 bash-devel-4.3-83.6.1 as a component of openSUSE Leap 42.3 bash-doc-4.3-83.6.1 as a component of openSUSE Leap 42.3 bash-lang-4.3-83.6.1 as a component of openSUSE Leap 42.3 bash-loadables-4.3-83.6.1 as a component of openSUSE Leap 42.3 libreadline6-6.3-83.6.1 as a component of openSUSE Leap 42.3 libreadline6-32bit-6.3-83.6.1 as a component of openSUSE Leap 42.3 readline-devel-6.3-83.6.1 as a component of openSUSE Leap 42.3 readline-devel-32bit-6.3-83.6.1 as a component of openSUSE Leap 42.3 readline-doc-6.3-83.6.1 as a component of openSUSE Leap 42.3 The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine. CVE-2016-0634 openSUSE Leap 42.3:bash-4.3-83.6.1 openSUSE Leap 42.3:bash-devel-4.3-83.6.1 openSUSE Leap 42.3:bash-doc-4.3-83.6.1 openSUSE Leap 42.3:bash-lang-4.3-83.6.1 openSUSE Leap 42.3:bash-loadables-4.3-83.6.1 openSUSE Leap 42.3:libreadline6-32bit-6.3-83.6.1 openSUSE Leap 42.3:libreadline6-6.3-83.6.1 openSUSE Leap 42.3:readline-devel-32bit-6.3-83.6.1 openSUSE Leap 42.3:readline-devel-6.3-83.6.1 openSUSE Leap 42.3:readline-doc-6.3-83.6.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00100.html https://www.suse.com/security/cve/CVE-2016-0634.html CVE-2016-0634 https://bugzilla.suse.com/1000396 SUSE Bug 1000396 https://bugzilla.suse.com/1001299 SUSE Bug 1001299 https://bugzilla.suse.com/1159416 SUSE Bug 1159416 Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables. CVE-2016-7543 openSUSE Leap 42.3:bash-4.3-83.6.1 openSUSE Leap 42.3:bash-devel-4.3-83.6.1 openSUSE Leap 42.3:bash-doc-4.3-83.6.1 openSUSE Leap 42.3:bash-lang-4.3-83.6.1 openSUSE Leap 42.3:bash-loadables-4.3-83.6.1 openSUSE Leap 42.3:libreadline6-32bit-6.3-83.6.1 openSUSE Leap 42.3:libreadline6-6.3-83.6.1 openSUSE Leap 42.3:readline-devel-32bit-6.3-83.6.1 openSUSE Leap 42.3:readline-devel-6.3-83.6.1 openSUSE Leap 42.3:readline-doc-6.3-83.6.1 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00100.html https://www.suse.com/security/cve/CVE-2016-7543.html CVE-2016-7543 https://bugzilla.suse.com/1001299 SUSE Bug 1001299 https://bugzilla.suse.com/1159416 SUSE Bug 1159416