OES11 SP2, OES11 SP1, OES2 SP3 vulnerability with GNU Bash Remote Code Execution (aka ShellShock) and Mozilla NSS vulnerabilities

  • 7015701
  • 26-Sep-2014
  • 02-Oct-2014

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2

Situation

This document provides details on:
  • CVE-2014-6271 and CVE-2014-7169, the Bash vulnerability (aka Shellshock)
  • CVE-2014-1568, the Mozilla NSS vulnerability
and on the Novell Open Enterprise Server products below that are currently in Extended Support:
  • Novell Open Enterprise Server 2 Support Pack 3 (OES2 SP3) is in extended support till Jan 1st 2015.
  • Novell Open Enterprise Server 11 Support Pack 1 (OES11 SP1) is in extended support till 29 Jan 2015
  • Novell Open Enterprise Server 11 Support Pack 2

Resolution

Due to the severity of the issue, the SUSE team has decided to make the Bash fix available to all SUSE / Novell OES customers, as described in TID 7015702 - CVE-2014-6271 & CVE-2014-7169 - Shellshock.

OES11 SP2 customers can install the patch via the SLES patch channel.
There are several options that may be used to fix this issue:
1.  Updating your entire system with the latest system updates:

To make sure that you have the patches relevant to these issues, update the complete system to the latest patch level (preferred option). After verifying that your patch channels are configured, run the following commands from a terminal:
  • zypper ref -s
  • zypper up

SUSE recommends that you always apply updates and consider running the latest version. More information on how to upgrade can be found in TID 7012368.

2.  Apply only the latest bash patches

If you prefer to update only the bash patches, use the following commands:

  • zypper ref -s
  • zypper up bash
  • zypper up mozilla-nss

OES11 SP1 customers can install the patch via the OES patch channel.
There are several options that may be used to fix this issue:
1.  Updating your entire system with the latest system updates:

To make sure that you have the patches relevant to these issues, update the complete system to the latest patch level (preferred option). After verifying that your patch channels are configured, run the following commands from a terminal:
  • zypper ref -s
  • zypper up

SUSE recommends that you always apply updates and consider running the latest version. More information on how to upgrade can be found in TID 7012368.

2.  Apply only the latest bash patches

If you prefer to update only the bash patches, use the following commands:

  • zypper ref -s
  • zypper up bash
  • zypper up mozilla-nss

OES2 SP3 customers can install the patch via the OES patch channel.
There are several options that may be used to fix this issue:
  • Updating your entire system with the latest system updates:
To make sure that you have the patches relevant to these issues, update the complete system to the latest patch level (preferred option). After verifying that your patch channels are configured, run the following commands from a terminal:
  • "rug ref" to refresh channel data
  • "rug up -t patch" to update the system.
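
After any of the update paths above, it is worth confirming that the installed `bash` and `mozilla-nss` packages actually carry the fixes. The script below is an added example, not part of this TID or of any Novell/SUSE tooling: it checks the installed package changelog for the CVE IDs named in this document. It assumes the package changelog cites each CVE it fixes; the function names and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the TID): confirm the installed packages carry the
# fixes for the CVEs this document names. Function names are illustrative.
# Assumption: the package changelog cites each CVE ID it fixes.

BASH_CVES="CVE-2014-6271 CVE-2014-7169"   # from this document
NSS_CVES="CVE-2014-1568"                  # from this document

# missing_cves "<cve list>": read an RPM changelog on stdin and print each
# listed CVE the changelog does not mention (empty output = all present).
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in $1; do
        # -w: whole-word match, so a longer ID cannot satisfy a shorter one
        printf '%s\n' "$changelog" | grep -qwF -- "$cve" || missing="$missing $cve"
    done
    printf '%s' "${missing# }"
}

# check_package <name> "<cve list>": query the locally installed package.
check_package() {
    pkg=$1
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed"
        return 2
    fi
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg")
    gaps=$(rpm -q --changelog "$pkg" | missing_cves "$2")
    if [ -n "$gaps" ]; then
        echo "$pkg $ver: changelog has no entry for: $gaps"
        return 1
    fi
    echo "$pkg $ver: changelog lists $2"
}

# Constructed changelog text (not real package output) for an offline dry run.
SAMPLE_PARTIAL='* Thu Sep 25 2014 maintainer@example.com
- Add fix for CVE-2014-6271 (constructed entry)'

if [ "${1:-}" = "check" ]; then
    rc=0
    check_package bash "$BASH_CVES" || rc=1
    check_package mozilla-nss "$NSS_CVES" || rc=1
    exit "$rc"
fi
echo "dry run, still missing: $(printf '%s\n' "$SAMPLE_PARTIAL" | missing_cves "$BASH_CVES")"
```

Run it with the argument `check` on the OES host to query the installed packages; without arguments it only evaluates the constructed sample. A non-zero exit status means at least one package is missing or its changelog does not mention one of the CVEs.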

For eDir, iMon, iManager and NMAS, see KB 7015720 for additional information.

Additional Information

Please note:

Due to the current support status of the SUSE Linux Enterprise Server versions on which the mentioned OES2 SP3 and OES11 SP1 products run (SLES10 SP4 and SLES11 SP2, respectively), and in line with our commitment to provide security fixes for currently supported Open Enterprise Environments, the security-related SLES fixes will be released through the OES (!) update repositories.

Further information regarding these security issues can be found here:

Bash:

Mozilla NSS: