ShellShock with SLES10/SLES11

You certainly have heard about http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271, probably also the successor http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

I wonder if Novell will publish a free version of a SLES10 SP4 fix: the relevant patches in http://support.novell.com/security/cve/CVE-2014-6271.html are all locked and restricted to LTSS customers.

Furthermore I wonder when a patch for CVE-2014-7169 will be made available.

FreeBSD and Debian 7 are already done, but https://bugzilla.novell.com/show_bug.cgi?id=898346 sounds not so promising:
“Please submit fixed packages until 2014-10-03”

Cheers, Thomas

[QUOTE=swadm;23847]You certainly have heard about http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271, probably also the successor http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.

I wonder if Novell will publish a free version of a SLES10 SP4 fix: the relevant patches in http://support.novell.com/security/cve/CVE-2014-6271.html are all locked and restricted to LTSS customers.

Furthermore I wonder when a patch for CVE-2014-7169 will be made available.
[/QUOTE]
Hi
I would assume, out of support and self-support come into play, you should have a look at the Open Build Service…
http://software.opensuse.org/search?utf8=%E2%9C%93&q=bash&search_devel=false&search_devel=true&search_unsupported=false&baseproject=ALL

This is normal auto-generated text from the package update mechanism; packages are generally in the works when you see this…

AFAIK from Mailing List traffic, this is not as critical http://lists.opensuse.org/opensuse/2014-09/msg00615.html

Patch appears to be available now:

https://bugzilla.novell.com/show_bug.cgi?id=898346
SUSE-SU-2014:1247-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 898346,898603,898604
CVE References: CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP3 (src): bash-3.2-147.22.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src): bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): bash-3.2-147.14.22.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src): bash-3.1-24.34.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src): bash-3.1-24.34.1
SUSE Linux Enterprise Desktop 11 SP3 (src): bash-3.2-147.22.1

Interestingly, on https://www.suse.com/support/kb/doc.php?id=7015702 we read

[QUOTE] “Due to the nature of this issue, it was decided that patches would
be made available to customers who don’t have an LTSS agreement or
not for SLES10SPx and SLES11SPx. For further information about
this, please contact Customer Support.”
[/QUOTE]

Thus, the patch is also available to non-LTSS customers, but they need to contact support.

Also, https://www.suse.com/support/shellshock/ has additional information.

HTH, Thomas
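
Added example, not part of the thread or of SUSE's tooling: a check of an installed bash `version-release` string against the fixed levels listed in SUSE-SU-2014:1247-1 above, with one baseline per product because the release strings of the different code streams do not order against each other. The product keys, function names and the simplified rpm-style comparison (no epoch, `~` or `^` handling) are assumptions of this example, as is the assumption that binary packages carry the same version-release as the listed source packages.

```python
import re

# Fixed levels copied from SUSE-SU-2014:1247-1 as quoted in the thread.
# The short product keys are labels made up for this example.
FIXED = {
    "sles11-sp3": "3.2-147.22.1",
    "sles11-sp2-ltss": "3.2-147.14.22.1",
    "sles11-sp1-ltss": "3.2-147.14.22.1",
    "sles10-sp4-ltss": "3.1-24.34.1",
    "sles10-sp3-ltss": "3.1-24.34.1",
}

def _segments(s):
    # rpm ignores separators and compares runs of digits and runs of letters
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style comparison of one field: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def has_update(product, installed):
    """True if `installed` (version-release) is at or above the product's fixed level."""
    return evr_cmp(installed.strip(), FIXED[product]) >= 0

if __name__ == "__main__":
    # Constructed sample inventory; only the fixed levels come from the advisory.
    for product, installed in [("sles11-sp3", "3.2-147.20.1"),
                               ("sles11-sp2-ltss", "3.2-147.14.22.1"),
                               ("sles10-sp4-ltss", "3.1-24.34.1")]:
        state = "updated" if has_update(product, installed) else "NEEDS UPDATE"
        print(f"{product:16} bash-{installed:18} {state}")
```

The input string is what `rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash` prints. Comparing every host against the SP3 level would wrongly flag an updated SP1/SP2 LTSS system, since `147.14.22.1` sorts below `147.22.1`.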