Unfixed Code Execution Vulnerability CVE-2016-7543?

Asked by Luminousbit

I think I must be missing something:

CVE-2016-7543 is a high-impact code execution vulnerability for bash.

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7543.html is listed as needed for Precise/Trusty/Xenial.

The patch has been released for a few months, and is available as an upstream package in Debian: https://security-tracker.debian.org/tracker/CVE-2016-7543

But I can't find any tracking of whether Canonical maintainers will or intend to release an updated package for the supported operating systems. I thought maybe it was fixed in a later release or is otherwise deemed to be not-applicable. But as far as I can tell, the issue is still open.

An open high danger (CVSS 3 Score: 8.4) CVE shows up on all our security scans. Is there any sanctioned way to address this? Is an updated package planned?

Question information

Language: English
Status: Answered
For: Ubuntu bash
Assignee: No assignee
actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug. Mark it as a security bug.
