[guardian-dev] Update your servers for real
Dev Random
c1.devrandom at niftybox.net
Thu Sep 25 13:36:34 EDT 2014
This seems mitigated by the fact that /bin/sh is -> dash on Debian. So
unless something does explicitly #!/bin/bash, things should be okay.
BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
https://news.ycombinator.com/item?id=8365158
On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
> A remote code execution bug was found in the GNU Bash shell.
>
> http://seclists.org/oss-sec/2014/q3/650
>
> I tested it on Debian stable from two days ago and indeed, I could
> execute code after a function definition in an environment variable. A
> server I updated yesterday evening was not vulnerable, as the Debian
> team got a patch released quite fast.
>
> This affects any server you run any code on, though the remote code
> execution attack vector is unlikely for many contemporary application
> servers. Read the write-up for details about a proof of concept.
>
> Good Morning!
>
> -lee
--
Miron / devrandom
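The two bugs discussed in this thread can be checked locally before trusting a package update. The script below is an added example, not code from either poster or from the Guardian project; it runs the widely circulated test strings for CVE-2014-6271 (a trailing command after an exported function definition) and CVE-2014-7169 (the parser bug left after the first fix, which turns the next command into a redirection to a file named "echo"), and reports what /bin/sh resolves to. It assumes a Debian-like layout with /bin/bash and /bin/sh present and a working mktemp; the variable name HTTP_USER_AGENT is chosen only to mirror how a CGI server hands request headers to a child shell, bash does not care what the variable is called. The probes target the shell binary given as argument, so they exercise bash itself regardless of what /bin/sh points to.

```shell
#!/bin/sh
# Added example (not from the thread): local probes for CVE-2014-6271 and
# the follow-up parser bug CVE-2014-7169, plus a check of what /bin/sh is.
# Everything runs against a local shell binary; nothing contacts a server.

# probe_6271 SHELL [VARNAME]
# Exports a function definition followed by an extra command in an
# arbitrary environment variable (HTTP_USER_AGENT by default, mirroring the
# CGI vector) and runs a harmless command. Returns 0 if the extra command
# was executed (vulnerable), 1 if the shell ignored it.
probe_6271() {
    shell="$1"
    var="${2:-HTTP_USER_AGENT}"
    out=$(env "$var=() { :;}; echo SHELLSHOCK_MARKER" "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_7169 SHELL
# With the first fix applied but not the second, a function body ending in
# a redirection and a trailing backslash leaves the parser in a state where
# "echo date" is run as a redirection into a file named "echo" in the
# working directory. Returns 0 if that file appears, 1 otherwise, 2 on
# setup failure.
probe_7169() {
    shell="$1"
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'X=() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# sh_target: print the binary /bin/sh resolves to. A dash /bin/sh keeps
# system(3) and "#!/bin/sh" scripts away from bash, but anything that
# execs bash by name (bash CGI scripts, "#!/bin/bash", a user's login
# shell reached through an ssh ForceCommand) still runs bash's parser.
sh_target() {
    if readlink -f /bin/sh >/dev/null 2>&1; then
        readlink -f /bin/sh
    else
        ls -l /bin/sh
    fi
}

# report SHELL: one line per shell, suitable for running over ssh on each
# host of a fleet and grepping for "vulnerable".
report() {
    shell="$1"
    if probe_6271 "$shell"; then s1=vulnerable; else s1=ok; fi
    if probe_7169 "$shell"; then s2=vulnerable; else s2=ok; fi
    printf '%s CVE-2014-6271=%s CVE-2014-7169=%s\n' "$shell" "$s1" "$s2"
}

# export_still_works BASH: the fix does not remove function export itself;
# a patched bash still passes "export -f" functions to a child bash. Prints
# "ok" when that legitimate path works (bash-only feature).
export_still_works() {
    "$1" -c 'f() { echo ok; }; export -f f; "$0" -c f' "$1" 2>/dev/null
}

# Usage: check the two shells a Debian box normally has.
sh_target
report /bin/bash
report /bin/sh
[ "$(export_still_works /bin/bash)" = ok ] && echo "/bin/bash: function export intact"
```

On a patched host both report lines show "ok" for both CVEs; on a host patched only for CVE-2014-6271 the second probe leaves the stray "echo" file and reports "vulnerable". The probe_6271 check is the one worth keeping in a configuration-management test, since it also catches a /bin/sh that has been relinked to bash.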