Recently there was a critical vulnerability exposed in the GNU* Bourne-Again Shell (Bash), the common command-line shell used in many Linux*/UNIX operating systems. This vulnerability also affects the operating system used for the Intel(R) Xeon Phi(tm) Coprocessor.
Several Intel(R) MPSS Hotfixes will be released that address all six of the known CVEs related to the newly-discovered Bash vulnerabilities (CVE-2014-6721, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6728) and correspond to patch level 052 of the Bash ver. 4.2 as published by GNU.org.
Intel(R) MPSS 3.1-x, 3.2-x, 3.3-x and 3.4-x are all affected, as well as previous MPSS 2.x releases.
No patches will be released for obsolete releases (MPSS 2.x). As a workaround, it is possible to re/cross-compile a bash from patched sources.
Patches for MPSS 3.3 (Linux) were recently released (see https://software.intel.com/en-us/articles/intel-manycore-platform-softwa... )
Patches for MPSS 3.3 (Windows), 3.4, 3.1 and 3.2 will follow soon. We will update this forum thread when they are available.
Customers can verify the vulnerability mitigation by running checkers on the Xeon Phi Coprocessor OS, such as Bashcheck, https://github.com/hannob/bashcheck, or another relevant shell-script-based checker of their choice.
Please let us know if you have any questions!
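As a complement to the checkers mentioned above, the following is an added example (not part of the original post and not Intel's tooling) that compares the version string a Bash binary reports with the patch level the post names, Bash 4.2 patch 052. The function names are hypothetical, and it assumes a fixed Bash reports its patch level in `$BASH_VERSION`; branches other than 4.2 are reported as undetermined because the post gives no level for them.

```shell
#!/bin/sh
# Added example (not Intel's tooling): compare a Bash version string with the
# patch level named in the post, Bash 4.2 patch 052.
REQ_BRANCH="4.2"   # from the post
REQ_PATCH=52       # from the post ("patch level 052")

# classify_bash_version VERSION
# Prints one of: patched | unpatched | other-branch | unparsable
# Exit status:   0         1           2              3
classify_bash_version() {
    # Reduce e.g. "4.2.45(1)-release" to "4 2 45"; empty if it does not match.
    core=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*$/\1 \2 \3/p')
    if [ -z "$core" ]; then
        echo unparsable; return 3
    fi
    set -- $core
    if [ "$1.$2" != "$REQ_BRANCH" ]; then
        # The post gives a fixed level for 4.2 only, so make no claim here.
        echo other-branch; return 2
    fi
    if [ "$3" -ge "$REQ_PATCH" ]; then
        echo patched; return 0
    fi
    echo unpatched; return 1
}

# Report on the bash found in PATH (run this on the coprocessor OS).
check_local_bash() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found in PATH"; return 0
    fi
    v=$(bash -c 'printf %s "$BASH_VERSION"')
    echo "bash $v: $(classify_bash_version "$v")"
}

check_local_bash || :
```

A version string only shows what the binary claims to be, so treat this as a quick inventory check and use a behavioural checker such as Bashcheck to confirm the fix.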