[Security] Update bash NOW

Thu Sep 25 17:26:41 UTC 2014

‎This is interesting. Only one person maintain bash, really?

‎Similarly, the responsibility for Bash lies with just one person - Chet Ramey, a developer based at Case Western Reserve University in Ohio.

http://m.bbc.com/news/technology-29361794

William 

‎
Slashdot article http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash

Story at http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650

Summary... bash scripts, CGI, perl via "system()", and various other
"commands" invoke a bash shell at times, passing environmental variables
in the process. Problem is that an "environmental variable" ***CAN
CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST SPAWNING A NEW
SHELL***. E.g. execute the command...

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...and you get the following...

vulnerable
this is a test

Replace...

x='() { :;}; echo vulnerable'

...with malicious stuff, and it could get ugly. bash-4.2_p48 seems
to fix this security hole. The same "env" command results in...

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org>
I don't run "desktop environments"; I run useful applications
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

[Security] Update bash *NOW*

[Security] Update bash NOW