Re: [Hampshire] Urgent Bash Vulnerability (fwd)

Author: Andy Random
Date:  
To: Hampshire LUG Discussion List
CC: surrey
Subject: Re: [Hampshire] Urgent Bash Vulnerability (fwd)

On Thu, 25 Sep 2014, Bob Dunlop wrote:

> Ah but have you applied the correct patch?


Thanks for pointing that out, Bob.

At the time I wrote my last email there was no CentOS/RHEL update for
CVE-2014-7169, only a workaround.

> There has been a followup to the initial patch which was incomplete.
> Patches applied this morning may pass your test but still leave you
> vulnerable.
>
> You need fixes for CVE-2014-6271 (the original) and CVE-2014-7169.


While that is true, as I understand it, CVE-2014-7169 is far harder to
exploit than CVE-2014-6271, so the risk is much lower.

If you are RHEL-based (and even if you are not, it provides some useful
background) there is an interesting article here:

https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/

I see there is also a further update to bash today; I've now updated to
bash.i686 0:4.1.2-15.el6_5.2

Andy

--
Please post to: Hampshire@???
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--------------------------------------------------------------
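
Added example, not part of the message above or of any project's code: a Python check that flags hosts whose installed bash build sorts below the build Andy reports, using a simplified form of rpm's version ordering. Treating `0:4.1.2-15.el6_5.2` as the minimum acceptable build is an assumption that only makes sense within EL6 (confirm the fixed build against your vendor's advisory); the host names and inventory are constructed.

```python
import re

# Build reported in the message above. Using it as the minimum acceptable
# build is an assumption of this example and only meaningful for EL6.
BASELINE = "0:4.1.2-15.el6_5.2"

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Order two version/release strings as rpm does (~ and ^ not handled)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric beats alphabetic
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):                 # longer number is larger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def parse_evr(evr):
    """Split 'epoch:version-release'; absent or '(none)' epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (epoch if epoch.isdigit() else "0"), version, release

def needs_update(installed, baseline=BASELINE):
    """True when the installed build sorts strictly below the baseline."""
    for x, y in zip(parse_evr(installed), parse_evr(baseline)):
        c = rpmvercmp(x, y)
        if c:
            return c < 0
    return False

# Constructed inventory: host -> output of
#   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' bash
INVENTORY = {
    "web1": "(none):4.1.2-15.el6_4",
    "db1": "(none):4.1.2-15.el6_5.1",   # one build behind the baseline
    "mail1": "(none):4.1.2-15.el6_5.2",
    "build1": "(none):4.1.2-29.el6",
}

def outdated(inventory):
    """Hosts whose bash build is older than the baseline."""
    return [h for h, evr in inventory.items() if needs_update(evr)]

if __name__ == "__main__":
    print(outdated(INVENTORY))
```

A build that sorts at or above the baseline only shows the package is current; it does not replace checking the advisory for the CVEs it covers.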