CVE-2014-6271: remote code execution through bash, time to patch!
“Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.”
In many common configurations, this vulnerability is exploitable over the network.
This vulnerability is actually really bad and you want to patch any Internet-facing systems ASAP! It allows remote, unauthenticated attackers to run code on vulnerable systems. It scores a 10 on the NVD severity scale: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
The good news is that it’s an easy fix:
Debian (Ubuntu, etc.):
sudo apt-get update sudo apt-get upgrade bash
RHEL (Fedora, CentOS, etc.):
sudo yum update bash
Please refer to your operating system vendor’s instructions, for example:
- Ubuntu Linux: http://www.ubuntu.com/usn/usn-2362-1/
- Debian Linux: https://www.debian.org/security/2014/dsa-3032
- RedHat Linux: https://access.redhat.com/articles/1200223
- Amazon Linux: https://alas.aws.amazon.com/ALAS-2014-418.html
via: http://seclists.org/oss-sec/2014/q3/649
