No, it's not only for bash cgi scripts - it's for anything that results in
Bash being called.
For example, a Perl CGI script that calls system(). Or another binary that
executes anything via bash.
Or an SSH server configured to use the "ForceCommand" option (e.g., to put
the user into a captive menu rather than a shell). Or a DHCP client
running dhclient-script.
There are dozens of potential vectors to abuse this one - many of which
haven't even been thought of yet. Patch *now*, on all machines -
regardless of whether they have a webserver or not.
Scott
On Sat, Sep 27, 2014 at 10:45 AM, Eliezer Croitoru
Isn't this issue only for bash CGI scripts? And how exactly do httpd and others set the environment variables? Aren't they escaping the strings into literal ones, which would just disable any bash-related issues?
Eliezer
On 09/25/2014 01:57 AM, Dean Pemberton wrote:
Hi all, this isn't normally a security vuln release list, but this one looks pretty bad.
A newly discovered vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems. It allows remote code execution.
NZITF is responding to this remote execution exploit, with a News page that we will be keeping up to date - http://www.nzitf.org.nz/news.html.
We are also reaching out to technical and security community points of contact to raise awareness to the issue and ensure necessary action is taken (hence this email to you). Please note, no patch is yet available for Mac OSX. However, many other patches are available.
So Patch, Patch, Patch.
Regards, Dea
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
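As an added example (not part of the thread), the following Python shows why the question about httpd "escaping" does not arise: the RFC 3875 mapping from request headers to CGI environment variables copies values verbatim, so a defender's check has to key on the "() {" function-definition prefix that unpatched bash acted on, both in a CGI child's environment and in web access logs. The headers and log lines are constructed sample data.

```python
import re
from typing import Dict, Iterable, List

# Pre-fix bash (CVE-2014-6271) parsed any environment value beginning with
# "() {" as an exported function definition and went on executing whatever
# followed the closing brace. Detection keys on that prefix, not on a payload.
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 metavariables: HTTP_<NAME>, uppercased, '-' -> '_', value
    copied as-is. To the web server the value is opaque data, so there is
    nothing for it to escape; bash is the component that reinterprets it."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def suspicious_env(env: Dict[str, str]) -> List[str]:
    """Names of variables an unpatched bash would have parsed as functions."""
    return sorted(n for n, v in env.items() if FUNC_DEF_PREFIX.match(v))


# Apache "combined" format: the quoted fields are request line, Referer and
# User-Agent; the latter two are the header values reflected into a CGI
# child's HTTP_REFERER / HTTP_USER_AGENT.
COMBINED_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def scan_access_log(lines: Iterable[str]) -> List[int]:
    """1-based numbers of log lines whose Referer/User-Agent carry the prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = COMBINED_QUOTED.findall(line)
        if any(FUNC_DEF_PREFIX.match(f) for f in fields[1:]):  # skip request line
            hits.append(n)
    return hits


# Constructed sample data: one benign request and one carrying the canonical
# test string that advisories used to check whether bash was vulnerable.
SAMPLE_HEADERS = {"Host": "www.example.test", "Accept": "*/*",
                  "User-Agent": "() { :;}; echo vulnerable"}
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Sep/2014:10:45:00 +1300] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [27/Sep/2014:10:45:02 +1300] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
]

if __name__ == "__main__":
    print(suspicious_env(cgi_env_from_headers(SAMPLE_HEADERS)))  # ['HTTP_USER_AGENT']
    print(scan_access_log(SAMPLE_LOG))  # [2]
```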