[Security] Update bash *NOW*

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Sep 26 21:02:12 UTC 2014


On Fri, Sep 26, 2014 at 11:04:58AM -0400, Steve Harvey wrote:
>   The executable, whether a script or binary file, does not need to be bash. 
> It only needs to cause a bash script to be invoked from *somewhere*, as
> long as that bash script inherits the environment set up by CGI.
> 
>   From what I've read, some DHCP clients may be vulnerable.  Unfortunately,
> those clients tend to be run as root.

Took me about 5 minutes to create a dhcp config that created a file in
/tmp as root on a client.  So yes it is.

To work around that (other than installing a fixed bash), make sure none
of the scripts your dhcp client runs use '#!/bin/bash', which at least
in Debian they do by default.  Also make sure /bin/sh is not bash (which
at least on Debian it hasn't been by default for years).

>   This is a really scary bug, considering how easy it is to exploit.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
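
The two checks in the workaround above, as an added example that is not part of the original message: it lists scripts under a given directory whose first line selects bash, and tests whether a given shell binary is bash under another name. The directory and shell path are arguments (no real DHCP client path is assumed), the function names are hypothetical, and the sample hook files are constructed.

```shell
#!/bin/sh
# Added example, not from the original message; all paths are arguments.

# Print files under directory $1 whose first line selects bash, covering
# "#!/bin/bash", "#! /bin/bash -e" and "#!/usr/bin/env bash".
bash_shebang_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | LC_ALL=C grep -Eq \
            '^#![[:space:]]*/[^[:space:]]*/(env[[:space:]]+)?bash([[:space:]]|$)'
        then
            printf '%s\n' "$f"
        fi
    done
}

# Succeed if the shell at path $1 is bash under any name: bash sets
# BASH_VERSION even when it is invoked as "sh".
sh_is_bash() {
    [ -n "$("$1" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null)" ]
}

# Constructed sample input: a throwaway directory with three hook scripts.
make_sample_hooks() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho lease\n' > "$d/10-bash-hook"
    printf '#!/bin/sh\necho lease\n' > "$d/20-sh-hook"
    printf '#!/usr/bin/env bash\necho lease\n' > "$d/30-env-bash-hook"
    printf '%s\n' "$d"
}

# usage: audit SCRIPT_DIR SH_PATH ; returns 0 only if both conditions hold.
audit() {
    rc=0
    hits=$(bash_shebang_scripts "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/uses bash: /'
        rc=1
    fi
    if sh_is_bash "$2"; then printf '%s is bash\n' "$2"; rc=1; fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
else
    demo=$(make_sample_hooks) && { audit "$demo" /bin/sh || true; rm -rf "$demo"; }
fi
```

Run it with two arguments, the directory holding your DHCP client's scripts and the path of the shell to test, to audit a real system; with no arguments it runs against the constructed sample.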




