Date: Mon, 19 Sep 2016 11:32:01 -0700 From: Seth Arnold <seth.arnold@...onical.com> To: John Haxby <john.haxby@...cle.com> Cc: oss-security@...ts.openwall.com, Jan Schaumann <jschauma@...meister.org>, "chet.ramey" <chet.ramey@...e.edu> Subject: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME On Sun, Sep 18, 2016 at 08:06:57PM +0100, John Haxby wrote: > >>> A little while ago, one of our users discovered that by setting the > >>> hostname to $(something unpleasant), bash would run "something > >>> unpleasant" when it expanded \h in the prompt string. > > > > This issue has been public since October, 2015 in Ubuntu's bug tracking > > system. > > > > Yes, the message was more to let people know that CVE-2016-0634 had > been assigned for this issue. Do you have a link to the Ubuntu issue > and a different CVE number? Hello John; we did not assign a CVE number for this issue. Bernd Dietzel reported it at: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 Thanks Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.