Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10
Behaviour prior to patch:
$ env x='() { :;}; echo OOPS' bash -c /usr/sbin/nologin
OOPS
This account is currently not available.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2014-11295
This update has been submitted for testing by ooprala. This critical path update has not yet been approved for pushing to the stable repository. It must first reach a karma of 2, consisting of 0 positive karma from proventesters, along with 2 additional karma from the community. Or, it must spend 14 days in testing without any negative feedback.
Tested on my primary machine, patch seems to be working fine. Testing reveals no issues.
Critical path update approved
AutoQA: depcheck test PASSED on i386. Result log: http://autoqa.fedoraproject.org/report/1habl (results are informative only)
AutoQA: depcheck test PASSED on x86_64. Result log: http://autoqa.fedoraproject.org/report/1habq (results are informative only)
Tested on Fedora 21 cloud image. Works for me, and behavior test now gives an error instead of outputting "OOPS"
I tested on Fedora 21 Workstation. Test now gives the error:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
This account is currently not available.
This update has reached the stable karma threshold and will be pushed to the stable updates repository
AutoQA: upgradepath test PASSED on noarch. Result log: http://autoqa.fedoraproject.org/report/1hafi (results are informative only)
This update has been submitted for testing by ausil.
pushing to testing to get into users' hands faster
AutoQA: depcheck test PASSED on i386. Result log: http://autoqa.fedoraproject.org/report/1hahj (results are informative only)
AutoQA: upgradepath test PASSED on noarch. Result log: http://autoqa.fedoraproject.org/report/1haho (results are informative only)
AutoQA: depcheck test PASSED on x86_64. Result log: http://autoqa.fedoraproject.org/report/1hahs (results are informative only)
The code fragment gives me the expected error.
This update is currently being pushed to the Fedora 21 testing updates repository.
This update has been pushed to testing
works fine
looks good to me
This update has reached the stable karma threshold and will be pushed to the stable updates repository
I see this is fixed. After updating I see an error instead of OOPS
Working fine here.
AutoQA: depcheck test PASSED on i386. Result log: http://autoqa.fedoraproject.org/report/1hbb4 (results are informative only)
AutoQA: upgradepath test PASSED on noarch. Result log: http://autoqa.fedoraproject.org/report/1hbb5 (results are informative only)
AutoQA: depcheck test PASSED on x86_64. Result log: http://autoqa.fedoraproject.org/report/1hbbb (results are informative only)
The fix in this package is incomplete, and so CVE-2014-7169 has been opened to make sure the fix is fully complete.
incomplete fix for CVE-2014-6271 - New CVE opened CVE-2014-7169
WFM
This update is currently being pushed to the Fedora 21 stable updates repository.
This update has been pushed to stable