From ${URL} :

A vulnerability was found in the way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string.

References:
http://seclists.org/oss-sec/2016/q3/528
Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

@maintainer(s): since the fixed package is already in the tree, please let us know whether it is ready for stabilization or not.
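A small probe for the behaviour the report describes, added here as an illustration; it is not part of the bug report, the oss-sec post or the Gentoo tree. It relies on bash's `${var@P}` transform (bash 4.4 and later), which expands a string exactly as bash expands a prompt, so no interactive shell is needed. Because changing the system hostname needs root, the probe smuggles a constructed `$(echo pwned)` marker in through argv[0], which the `\s` escape substitutes into the prompt; this assumes that the bash under test handles the text substituted for `\s` the same way a fixed bash handles the text substituted for `\h`. A fixed bash hands the marker back literally, an unfixed one executes it and prints `pwned`. On a bash older than 4.4 the probe reports `unknown` because `${var@P}` does not exist there, and the same check would have to be made in an interactive shell instead.

```shell
#!/bin/sh
# Added probe (not from the bug report or the Gentoo tree): does this bash
# run code smuggled into text that a prompt escape substitutes into PS1?
# Needs bash >= 4.4 for the ${var@P} transform, which expands a string the
# way bash expands a prompt, so no interactive shell has to be started.

# Constructed marker. A bash that executes it prints "pwned".
PROBE='$(echo pwned)'

# Baseline, not the bug: with promptvars on (the default), $(...) written
# directly into PS1 is executed when the prompt is expanded.
prompt_comsub_baseline() {
    bash -c 'PS1="$1"; printf "%s" "${PS1@P}"' _ "$PROBE"
}

# The same string with promptvars off is left alone. Turning promptvars off
# is therefore a blunt interim mitigation, at the cost of $VAR in PS1.
prompt_comsub_promptvars_off() {
    bash -c 'shopt -u promptvars; PS1="$1"; printf "%s" "${PS1@P}"' _ "$PROBE"
}

# The CVE-2016-0634 code path: text substituted for \h (hostname) went
# through that same expansion pass. Changing the hostname needs root, so
# the marker is passed in through argv[0], which \s substitutes; this
# assumes the bash under test quotes \s the same way a fixed bash quotes
# \h. A fixed bash backslash-quotes the substituted text and the marker
# comes back literally; an unfixed one executes it.
INNER='PS1="\s"; printf "%s" "${PS1@P}"'
probe_prompt_escape() {
    bash -c 'exec -a "$1" bash -c "$2"' _ "$PROBE" "$INNER"
}

classify_prompt_escape() {
    out=$(probe_prompt_escape 2>/dev/null)
    case "$out" in
        pwned)    echo VULNERABLE ;;
        "$PROBE") echo safe ;;
        *)        echo unknown ;;   # e.g. bash < 4.4 without ${var@P}
    esac
}

printf 'direct $(...) in PS1, promptvars on : %s\n' "$(prompt_comsub_baseline)"
printf 'direct $(...) in PS1, promptvars off: %s\n' "$(prompt_comsub_promptvars_off)"
printf 'marker substituted via \\s            : %s\n' "$(classify_prompt_escape)"
```

The first two lines of output show the intended prompt-expansion behaviour that the bug rides on; only the third line is the actual check, and `safe` there means the substituted text was quoted before the expansion pass.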
IMHO bash-4.4 is way too new to start the stabilization process anytime soon. bash-4.4/readline-7.0 are even masked for testing right now.
commit 7722e02ff41d7e30b1e2226d0cabd4458cd6567c
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Sep 20 16:59:44 2016

    app-shells/bash: Revbump to fix CVE-2016-0634 (bug #594496).

    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

This should be fixed with =app-shells/bash-4.3_p46-r1. I'm going to call for stabilization tomorrow.
Arches please test and mark stable =app-shells/bash-4.3_p46-r1 with target KEYWORDS: alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Stable on alpha.
amd64 stable
Stable for HPPA PPC64.
New GLSA Request filed.
x86 stable
sparc stable
ppc stable
arm stable
ia64 stable
Removing unstable arches. @maintainer(s), please clean up.
@maintainer(s): Please tell us how you want to proceed with previous versions. At least our CI project found no issues when I tried to remove previous versions, see https://github.com/gentoo/gentoo/pull/3100
This issue was resolved and addressed in GLSA 201612-39 at https://security.gentoo.org/glsa/201612-39 by GLSA coordinator Aaron Bauman (b-man).
Reopened for cleanup...
Cleanup request moved to bug 600174.