Three critical vulnerabilities were discovered that have been confirmed and fixed in AlienVault v4.11.1 patch release. Due to the severity of these vulnerabilities, AlienVault encourages customers to upgrade immediately to v4.11.1.
Debian Security Update (DSA-3032-1) AlienVault ID: ENG-97400 Description: Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell. Debian Package: bash CVE ID: CVE-2014-6271 CVSS v2 Base Score: 10.0 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
See the Debian Security Advisory DSA-3032-1 for more information.
Debian Security Update (DSA-3035-1) AlienVault ID: ENG-97427 Description: Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure. Debian Package: bash CVE ID: CVE-2014-7169 CVSS v2 Base Score: 10.0 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
See the Debian Security Advisory DSA-3035-1 for more information.
Debian Security Update (DSA-3031-1) AlienVault ID: ENG-97391 Description:The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the 'http' apt method binary, or potentially to arbitrary code execution. Debian Package: apt CVE ID: CVE-2014-6273 CVSS v2 Base Score: Waiting on NVD CVSS v2 Vector: Waiting on NVD
See the Debian Security Advisory DSA-3031-1for more information.