On Thu, Sep 25 at 10:58, Andy Random wrote:
> 
> Since I've not seen it mentioned on the lists...
> 
> See below for the full details.
> 
> The idiot's guide is run the command:
> 
> $ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
> 
> If it comes back:
> 
> busted
> completed
> 
> You are vulnerable and need to update.
> 
> I've patched my CentOS server today, I understand Debian and Ubuntu both 
> have fixes, I'll try updating my LUbuntu laptop when I get home, but my 
> MacBook Pro is currently still vulnerable.
Ah but have you applied the correct patch?
There has been a followup to the initial patch which was incomplete.
Patches applied this morning may pass your test but still leave you
vulnerable.
You need fixes for CVE-2014-6271 (the original) and CVE-2014-7169.
From Red Hat[1]:
  Red Hat has become aware that the patches shipped for this issue are
  incomplete. An attacker can provide specially-crafted environment variables
  containing arbitrary commands that will be executed on vulnerable systems
  under certain conditions. The new issue has been assigned CVE-2014-7169.
  For details on a workaround, see: [2]
Gentoo GLSA 201409-10 [3]
[1] https://access.redhat.com/security/cve/CVE-2014-6271
[2] https://access.redhat.com/articles/1200223
[3] http://security.gentoo.org/glsa/glsa-201409-10.xml
-- 
        Bob Dunlop
-- 
Please post to: Hampshire@???
Web Interface: 
https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: 
http://www.hantslug.org.uk
--------------------------------------------------------------
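Added example, not part of the thread above: the one-liner quoted in the first message only probes CVE-2014-6271, so a box that got the first (incomplete) patch passes it while still being open to CVE-2014-7169. The script below runs both probes against a chosen bash binary. The CVE-2014-6271 probe is the one from the thread; the CVE-2014-7169 probe is the widely circulated one that exploits the incomplete first fix, where a truncated function body leaves a redirection pending and "echo date" ends up running date with its output written to a file called "echo". The function names (find_bash, check_cve_2014_6271, check_cve_2014_7169, shellshock_status) are my own and are not from any distribution's tooling.

```shell
#!/bin/sh
# Added example (not from the thread): check a bash binary for both
# Shellshock CVEs the reply above says you need fixes for.
# Helper names below are made up for this script.

# Print the path of the bash to test (argument or "bash" on $PATH);
# exit non-zero and print nothing if it cannot be found.
find_bash() {
    command -v "${1:-bash}" 2>/dev/null
}

# CVE-2014-6271: a function definition in an environment variable with a
# trailing command. An unpatched bash runs the trailing "echo busted"
# while importing the variable. Prints vulnerable, patched or no-bash.
check_cve_2014_6271() {
    bash_bin=$(find_bash "$1") || { echo no-bash; return 0; }
    out=$(env X='() { :;}; echo busted' "$bash_bin" -c 'echo completed' 2>/dev/null) || true
    case "$out" in
        *busted*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# CVE-2014-7169: the truncated definition '() { (a)=>\' leaves the parser
# with a pending redirection on a bash that only has the first patch, so
# "echo date" runs date with stdout sent to a file named "echo". We run it
# in a scratch directory and look for that file; a fixed bash just prints
# the word "date" and creates nothing.
check_cve_2014_7169() {
    bash_bin=$(find_bash "$1") || { echo no-bash; return 0; }
    scratch=$(mktemp -d) || { echo error; return 1; }
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$scratch"
    echo "$result"
}

# Overall verdict: only "patched" when both probes come back clean.
# Per-CVE results go to stderr so the verdict alone lands on stdout.
shellshock_status() {
    a=$(check_cve_2014_6271 "$1")
    b=$(check_cve_2014_7169 "$1")
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$a" "$b" >&2
    if [ "$a" = vulnerable ] || [ "$b" = vulnerable ]; then
        echo vulnerable
    else
        echo "$a"    # patched, or no-bash if nothing was found to test
    fi
}

# Usage: ./shellshock-check.sh [/path/to/bash]
shellshock_status "${1:-bash}"
```

Run it once per bash on the machine (e.g. /bin/bash and any bash under /usr/local or Homebrew on the MacBook), since the system one being fixed says nothing about a second copy on $PATH.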