Red Hat Security Blog: September 2014 archives

  • Frequently Asked Questions about the Shellshock Bash flaws

    The past few days have been hectic for everyone who works in the Linux/Unix world. Bash security flaws have rocked the globe, leaving people confused, worried, or just frustrated. Now that the storm is over and patches are available for most operating systems, here are the answers to some of the common questions we've been asked: Why are there four CVE assignments? The original flaw in Bash was assigned CVE-2014-6271. Shortly after that issue went public, a researcher found a similar flaw that...
    Posted 2014-09-26T11:50:33+00:00
  • Bash specially-crafted environment variables code injection attack

    Update 2014-09-30 19:30 UTC: Questions have arisen around whether Red Hat products are vulnerable to CVE-2014-6277 and CVE-2014-6278. We have determined that RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 successfully mitigate the vulnerability and no additional actions need to be taken. Update 2014-09-26 12:00 UTC: We have written a FAQ to address some of the more common questions seen regarding the recent bash issues. Frequently Asked Questions about the Shellshock Bash flaws...
    Posted 2014-09-24T14:00:08+00:00
  • Enterprise Linux 5.10 to 5.11 risk report

    Red Hat Enterprise Linux 5.11 was released this month (September 2014), eleven months after the release of 5.10 in October 2013. So, as usual, let's use this opportunity to look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is in the Production 3 phase, being over seven years past general availability in March 2007, and will receive security updates until March 31st 2017. Errata count: The...
    Posted 2014-09-18T13:30:49+00:00
  • TLS landscape

    Transport Layer Security (TLS) or, as it was known in the early days of the Internet, Secure Sockets Layer (SSL) is the technology responsible for securing communications between different devices. It is used every day by nearly everyone using the globe-spanning network. Let's take a closer look at how TLS is used by the servers that underpin the World Wide Web and how the promise of security is actually delivered. Adoption: Hyper Text Transfer Protocol (HTTP) in versions 1.1 and older make encryption...
    Posted 2014-09-10T13:30:54+00:00
  • Is your software fixed?

    A common query seen at Red Hat is “our auditor says our Red Hat machines are vulnerable to CVE-2015-1234, is this true?” or “Why hasn’t Red Hat updated software package foo to version 1.2.3?” In other words, our customers (and their auditors) are not sure whether or not we have fixed a security vulnerability, or whether a given package is up to date with respect to security issues. In an effort to help our security-conscious customers, Red Hat makes this information available in an easy-to-consume...
    Posted 2014-09-03T13:30:04+00:00