Isn't this issue only for bash CGI scripts? And how exactly do httpd and others set the environmental variables? Aren't they escaping the strings into literal ones? Which... will just disable any bash-related issues?

Eliezer

On 09/25/2014 01:57 AM, Dean Pemberton wrote:
Hi all,

This isn't normally a security vuln release list but this one looks pretty bad.
A newly discovered vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems. It allows remote code execution.
NZITF is responding to this remote execution exploit, with a News page that we will be keeping up to date - http://www.nzitf.org.nz/news.html .
We are also reaching out to technical and security community points of contact to raise awareness to the issue and ensure necessary action is taken (hence this email to you). Please note, no patch is yet available for Mac OSX. However, many other patches are available.
So Patch, Patch, Patch.
Regards,
Dea

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog