Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Apple releases security patch for the Bash ShellShock vulnerability


  • Please log in to reply
1 reply to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:51 PM

Posted 30 September 2014 - 09:44 AM

Apple released a security patch APPLE-SA-2014-09-29-1 for the Bash ShellShock vulnerability. Under certain circumstances this vulnerability allows remote attackers to execute commands on your Mac. Therefore, it is imperative that all users install this patch immediately.

Note, this is not currently available via Software Update. Instead you must install the patch via one of the links below. Information and download links for this security update can be found in the following text from the Apple security bulletin:
 

APPLE-SA-2014-09-29-1 OS X bash Update 1.0

OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 OS X Lion
http://support.apple.com/kb/DL1768 OS X Mountain Lion
http://support.apple.com/kb/DL1769 OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222



BC AdBot (Login to Remove)

 


m

#2 Antonifi

Antonifi

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 28 October 2014 - 09:21 PM

Don't want to update the OS version..






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users