—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

APPLE-SA-2014-09-29-1 OS X bash Update 1.0

OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary
shell commands
Description: An issue existed in Bash’s parsing of environment variables. This issue was
addressed through improved environment variable parsing by better detecting the end of
the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which resets the
parser state.
In addition, this update added a new namespace for exported functions by creating a
function decorator to prevent unintended header passthrough to Bash. The names of all
environment variables that introduce function definitions are required to have a
prefix “__BASH_FUNC<” and suffix “>()” to prevent unintended function passing via
HTTP headers.
CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command:
bash –version
* The version after applying this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

—–BEGIN PGP SIGNATURE—–
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)

iQIcBAEBAgAGBQJUKdToAAoJEBcWfLTuOo7t4QEP/jrigiLB9GYO5JIdVHSFPUtx
MBr4hAe90LnyAIuhxny1PgAC8BZCPv4otm6DQBQSlX1PxLv8TWm8yp5IKCKJP6ZN
Smm+OqJLLWwcTOVv345bi5W9dp2nyZVLjWxx9MUfn4YLxKrBJ3fKyHWIycD0WpbD
4kfXW1G1JGTtyUX6Ge2lnhbOiYBPxJN2TSX4qEmix3KLmEwCwsZVgbjzW2ijNO0O
3AaUkFIICAECMCE+VZj/fGFQaEmYaPzpt3Tjy+X2NdXL8E0hnui4ymfU0DyR39Oz
8DQpP499hISeXucdAEH6b2mMO2pOmuDs6FWTSS6talT8ftLUpTmWqv2Rghto5ZXN
b8RZpOp9RUwurZPMq66BjbHfidEaLjMPCVcfAnjO6HwBaKGQ5kM5+ThPA5/DLSL6
gGPa4t3qM/JdQAzm8da9m62vjWZ1BXzIlLSmxpIq/5bDMpBNiA783f+uuDUjpQ/N
3SkKNn2U47VsCLYaoSSmL6FUBLsInnNvwkVyNsnMiEjMVn/BtV5ogAYAc8SSvGM7
Mlx9OBKYork0bNuViPK09j/8te74tt6t38B+0lb4mG5m1r2CyI96f2uVBpKkqDlj
K6INwsDZKqtg1Y+6xtnJb9F3ZNZarzSxZa2C8qKaVCH11vLaXVPJJCrYspWnV8yI
DrlKtF9VhcfUGTKJiRNX
=ZVVk
—–END PGP SIGNATURE——

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)