ELA-96-1 bash security update

denial of service and restricted shell bypass

2019-03-25
Packagebash
Version4.2+dfsg-0.1+deb7u5
Related CVE CVE-2016-9401 CVE-2019-9924

Two issues have been fixed in bash, the GNU Bourne-Again Shell:

CVE-2016-9401

The popd builtin segfaulted when called with negative out of range
offsets.

CVE-2019-9924

Sylvain Beucler discovered that it was possible to call commands
that contained a slash when in restricted mode (rbash) by adding
them to the BASH_CMDS array.

For Debian 7 Wheezy, these problems have been fixed in version 4.2+dfsg-0.1+deb7u5.

We recommend that you upgrade your bash packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/