A remote code execution bug was found in the GNU Bash shell.

http://seclists.org/oss-sec/2014/q3/650

I tested it on Debian stable from two days ago and indeed, I could execute code after a function definition in an environment variable. A server I updated yesterday evening was not vulnerable, as the Debian team got a patch released quite fast.

This affects any server you run any code on, though the remote code execution attack vector is unlikely for many contemporary application servers. Read the write-up for details about a proof of concept.

Good Morning!

-lee
