
No, it's not only for bash CGI scripts - it's for anything that results in Bash being called. For example, a Perl CGI script that calls system(). Or another binary that executes anything via bash. Or an SSH server configured to use the "ForceCommand" option (e.g., to put the user into a captive menu rather than a shell). Or a DHCP client running dhclient-script. There are dozens of potential vectors to abuse this one - many of which haven't even been thought of yet. Patch *now*, on all machines - regardless of whether they have a webserver or not.

Scott

On Sat, Sep 27, 2014 at 10:45 AM, Eliezer Croitoru <eliezer(a)ngtech.co.il> wrote:
Isn't this issue only for bash CGI scripts? And how exactly do httpd and others set the environment variables? Aren't they escaping the strings into literal ones, which will just disable any bash-related issues?
Eliezer
On 09/25/2014 01:57 AM, Dean Pemberton wrote:
Hi all,

This isn't normally a security vuln release list, but this one looks pretty bad.
A newly discovered vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems. It allows remote code execution.
NZITF is responding to this remote execution exploit, with a News page that we will be keeping up to date - http://www.nzitf.org.nz/news.html .
We are also reaching out to technical and security community points of contact to raise awareness of the issue and ensure necessary action is taken (hence this email to you). Please note, no patch is yet available for Mac OS X. However, many other patches are available.
So Patch, Patch, Patch.
Regards,
Dean

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
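The following script is an added example and is not part of the thread or of any project named in it. It turns Scott's two points into defender-side checks: first, the widely published test of whether the local bash still imports function definitions from arbitrary environment variables and runs the trailing command (CVE-2014-6271); second, an inventory of which of the non-web vectors he lists (sshd ForceCommand, a bash dhclient-script, a populated CGI directory) exist on the host. The default paths and the function and variable names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for CVE-2014-6271.
#   shellshock_status   - prints "vulnerable", "patched" or "no-bash" for the
#                         bash binary given (default: the one on PATH).
#   shellshock_exposure - prints which of the listed vectors are present, using
#                         the (assumed) paths given as arguments.

shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The variable value is a function definition followed by a trailing command.
    # The variable name does not matter: a vulnerable bash parses every variable
    # whose value starts with "() {" and executes whatever follows the function.
    # A patched bash imports nothing from it, so the marker is never printed.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# $1: sshd_config path, $2: dhclient-script path, $3: CGI directory.
# All three defaults are assumptions; adjust them for the distribution in use.
shellshock_exposure() {
    sshd_conf="${1:-/etc/ssh/sshd_config}"
    dhclient_script="${2:-/sbin/dhclient-script}"
    cgi_dir="${3:-/usr/lib/cgi-bin}"
    found=""
    # ForceCommand runs the configured command with the client's request placed
    # in the environment, so even captive-menu logins reach bash's env parser.
    if [ -r "$sshd_conf" ] && grep -Eq '^[[:space:]]*ForceCommand' "$sshd_conf"; then
        found="$found sshd-forcecommand"
    fi
    # dhclient-script is commonly a bash script fed DHCP option values via env vars.
    if [ -f "$dhclient_script" ] && head -n1 "$dhclient_script" | grep -q bash; then
        found="$found dhclient-script"
    fi
    # A non-empty CGI directory means request headers become env vars for children.
    if [ -d "$cgi_dir" ] && [ -n "$(ls -A "$cgi_dir" 2>/dev/null)" ]; then
        found="$found cgi-bin"
    fi
    echo "${found# }"
}

# Stand-alone usage: report both results for this host.
echo "bash status: $(shellshock_status)"
echo "exposed vectors: $(shellshock_exposure)"
```

The status check is the same one vendor advisories published at the time; run it against every bash binary on the machine (for example a second copy under /usr/local), not only the one on PATH, since Scott's point is that any path to bash counts. The exposure inventory is deliberately crude (it greps for a directive and a shebang) and is a prompt for patching priorities, not proof of safety.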