CVE-2014-6271 and CVE-2014-7187

mehmetmirac
Posts: 11
Joined: 2022/03/31 06:37:43

CVE-2014-6271 and CVE-2014-7187

Post by mehmetmirac » 2022/04/12 07:06:46

Hi,

These two vulnerabilities related to the bash rpm have been detected. When I checked, both of these vulnerabilities appear to be fixed in RHEL 7.

https://access.redhat.com/security/cve/cve-2014-6271
https://access.redhat.com/security/cve/cve-2014-7187

On my CentOS 7 server, I am using the latest bash package.

[image attachment: bashPackage.PNG]

When I run the following commands on my CentOS 7 server, I can't get any results.

[image attachment: bashRpm.PNG]

My question is: why has CentOS 7 not closed this vulnerability yet? If so, why doesn't it show up in the changelogs? Why isn't CentOS 7 taking any action on this? This happens to me with many vulnerabilities. Thanks in advance for your answers :)

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2014-6271 and CVE-2014-7187

Post by jlehtone » 2022/04/12 09:36:27

CVE-2014-6271 shows that RHEL 7 had errata RHSA-2014:1293, which released package bash-4.2.45-5.el7_0.2 on 2014-09-24.
CVE-2014-7187 shows that RHEL 7 had errata RHSA-2014:1306, which released package bash-4.2.45-5.el7_0.4 on 2014-09-26.

The changelog of bash in CentOS 7 does mention "4.2.45-5", but from January 2014.

[CentOS7]$ rpm -q --changelog bash | grep -B4 -A5 4.2.45-5
* Wed Jun 18 2014 Ondrej Oprala <ooprala@redhat.com - 4.2.46-1
- Patchlevel 46
  Resolves: #1073683

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 4.2.45-5
- Mass rebuild 2014-01-24

* Fri Jan 24 2014 Ondrej Oprala <ooprala@redhat.com - 4.2.45-4
- Backport a patch from #964687 (resolves #1034915)

Overall, the changelog has hardly any mentions of CVE:

$ rpm -q --changelog bash | grep -B1 CVE
* Tue Mar 07 2017 Kamil Dudka <kdudka@redhat.com - 4.2.46-28
- CVE-2016-9401 - Fix crash when '-' is passed as second sign to popd
--
* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com - 4.2.46-27
- CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables
--
* Thu Feb 09 2017 Siteshwar Vashisht <svashisht@redhat.com> - 4.2.46-26
- CVE-2016-0634: Fix for arbitrary code execution via malicious hostname
--
* Fri Sep 26 2014 Michal Hlavinka <mhlavink@redhat.com> - 4.2.46-10
- CVE-2014-7169

Of those, 4.2.46-10 is on the same date, and CVE-2014-7169 is listed together with 6271 and 7187 in:
https://access.redhat.com/solutions/1207723
Therefore, the patches are most likely in:

* Fri Sep 26 2014 Michal Hlavinka <mhlavink@redhat.com> - 4.2.46-10
- CVE-2014-7169
  Resolves: #1146325
- amend #1146324 patch to match upstream's

Note the versions in the errata: 4.2.45-5.el7_0.2 and 4.2.45-5.el7_0.4.
They were updates for RHEL 7.0. RHEL 7.0 was released 2014-06-10. RHEL 7.1 was released 2015-03-05.

When RHEL 7.0 was released -- presumably with bash-4.2.45-5 -- development for RHEL 7.1 was branched.
The published errata were for RHEL 7.0 -- for the "maintenance branch" of 7.0.
Presumably the same fixes were inserted into the development branch too, perhaps as "4.2.46-10".
There is no erratum about that, because this version of bash evolved into what was released with RHEL 7.1 later.

We have to assume that Red Hat did not release RHEL 7.1 without fixes that they already had in RHEL 7.0.

The only thing you can nag about is that the Red Hat changelog for bash is terse. Even that is not CentOS' fault.
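As an added example (not code from either poster), the two checks the reply above combines, in Python: an rpm-style version comparison of the installed bash version-release against the errata's fixed version, and a scan of `rpm -q --changelog` text for the CVE ids. The changelog excerpt is constructed from the entries quoted in the thread, and the installed version string is a sample value.

```python
import re

# Constructed excerpt in the shape of `rpm -q --changelog bash` output (entries quoted from the thread).
SAMPLE_CHANGELOG = """\
* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com - 4.2.46-27
- CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables

* Fri Sep 26 2014 Michal Hlavinka <mhlavink@redhat.com> - 4.2.46-10
- CVE-2014-7169
  Resolves: #1146325
- amend #1146324 patch to match upstream's
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")   # rpm compares runs of digits / letters, separators ignored

def rpmvercmp(a, b):
    """Simplified rpm version compare: returns -1, 0 or 1 (no '~' / '^' handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)             # numeric runs compare as numbers, not strings
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment outranks an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # longer string wins when prefixes agree

def evr_cmp(installed, fixed):
    """Compare 'version-release' strings (no epoch): version first, then release."""
    v1, r1 = installed.split("-", 1)
    v2, r2 = fixed.split("-", 1)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def fix_evidence(changelog, cves):
    """Return which of the given CVE ids the changelog text mentions explicitly."""
    mentioned = set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))
    return sorted(set(cves) & mentioned)

def assess(installed, fixed_in, changelog, cves):
    """Combine both signals: is the installed build at or above the errata version,
    and which of the CVEs (or their errata siblings) does the changelog name?"""
    return {"at_or_above_errata": evr_cmp(installed, fixed_in) >= 0,
            "cves_in_changelog": fix_evidence(changelog, cves)}

if __name__ == "__main__":
    # Errata version from the thread; the installed version is a constructed sample.
    print(assess("4.2.46-28.el7", "4.2.45-5.el7_0.4", SAMPLE_CHANGELOG,
                 ["CVE-2014-6271", "CVE-2014-7187", "CVE-2014-7169"]))
```

On a live system, feed `rpm -q --queryformat '%{VERSION}-%{RELEASE}' bash` and `rpm -q --changelog bash` into `assess` instead of the sample values.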
