Information regarding BASH 'Shellshock' and Mozilla Vulnerabilities for Novell Products

Novell has been made aware of vulnerabilities affecting Linux, UNIX and Mac OSX operating systems.

As many of Novell's solutions either include virtual appliances based on SUSE Linux or entitlements to SUSE Linux Enterprise Server (SLES), Novell's customers are at risk of being affected by the following vulnerabilities:

● The GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169) may allow attackers to gain control over targeted computers through the Bash shell by attaching malicious code in environment variables used by the operating system.
● The Mozilla Network Security Service (NSS) (CVE-2014-1568) makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka ”signature malleability" issue.
● In conjunction with this incident, two other security issues (CVE-2014-7186, CVE-2014-7187) were also identified. Neither of these issues pose an immediate threat, but have been addressed in the patches referenced below.


The following Novell products may be affected by these vulnerabilities:

ZENworks – the virtual appliance deployment option only. This affects versions 10.3, 11.0, 11.1, 11.2, and 11.3
     - See KB 7015721 for status/patching information

Novell Service Desk 6, 7 – the virtual appliance deployment option only.
     - See KB 7015718 for status/patching information 

Filr versions 1.0 and 1.0.1
     - See  KB 7015715 for status/patching information

Vibe
     - See  KB 7015717 for status/patching information

iPrint Appliance  versions 1.01 & 1.1
     -  See KB 7015713 for status/patching information

Open Enterprise Server – OES 2 and OES 11
     - See KB 7015701 for patching information

Novell GroupWise - versions 6.5, 7, 8, 2012 & 2014 (all versions that run on Linux)

     - See KB 7015719 for patching information