Issue #1041
closed
BASH (aka shellshock) vulnerability - CVE-2014-[6271/6277/6278/7169/7186/7187]
Description
I hope it's a good idea to open a bug ticket about the forum topic: http://redmine.replicant.us/boards/9/topics/6729
Summary
Replicant is (at the moment) vulnerable to the shellshock vulnerabilities.
Two patches (CVE-2014-6271 and CVE-2014-7169) have been merged into Replicant in the meantime:
https://gitorious.org/replicant/external_bash/commits/64368c6fd95e4f749e6133398ad4d5fce3c9b940
But there are some more issues:
https://access.redhat.com/security/cve/CVE-2014-7186
https://access.redhat.com/security/cve/CVE-2014-7187
https://access.redhat.com/security/cve/CVE-2014-6277
https://access.redhat.com/security/cve/CVE-2014-6278
with available patches:
https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301
https://github.com/CyanogenMod/android_external_bash/commit/bd2cb35e07e5cef774220e8b57bace207f162e50
https://github.com/CyanogenMod/android_external_bash/commit/369692c969182053c3a8f81775fa022934e3bd95
https://github.com/CyanogenMod/android_external_bash/commit/658bb3b21b2923f5e37dfe1ae2262fac5297d1af
Alternatively, I would really appreciate it if the whole BASH version could be updated.
Here is version "4.3.30" as an open source, shellshock-fixed version, which I've successfully tested with Replicant 4.2:
https://github.com/3lo0sh/bash-arm